WordPress security experts at Wordfence have issued a public security alert for everyone online who uses Chrome and Firefox.
The phishing scam involves attackers registering domain names using Unicode characters which look like English alphabet characters to spoof a real domain name.
The result is that visually you will not see any difference in the address bar of the browser allowing you to think that you are on a legitimate website.
A phishing scam is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, usually by embedding a web link in and email disguised as coming from a trustworthy source such as a bank, company or a friend.
This affects the current version of Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. It does not affect Internet Explorer or Safari browsers.
To test this vulnerability the security team at Wordfence registered a bogus epic.com domain and even issued it with an SSL certificate, demonstrating the severity of the attack.
Here is the fake demo site that they registered. For comparison here is a link to the real epic.com website.
Visit both links above in Chrome and Firefox and have a look at the browser address bar.
The real epic.com website looks like this in Chrome:
The fake website looks like this in Chrome:
The real epic.com website looks like this in Firefox:
The fake epic.com looks like this in Firefox:
As you can see from above this is a serious phishing attack.
Read the Wordfence blog post for more details on how unicodes were used to fake this domain name.
Currently there is no way to detect the fake domain name in Chrome 57.0.2987 however the issue has been patched in Chrome Canary, the development version of the browser, so a fix should be rolled out in a few days time to regular Chrome users.
If you use Firefox you can turn on the punycode configuration setting, by typing in about:config in the browser address bar, searching for ‘punycode’ and setting the configuration option network.IDN_show_punycode to true.
Once that is done if you visit the fake site in Firefox you will see the following in the address bar:
Please note that if you are a Windows user copying the fake link from a web page or web based email client such as Gmail and pasting it into notepad does not show the Unicode.
Copying the Unicode URL from the browser address bar and pasting it back into Chrome or notepad does show the Unicode, but by that time the damage could already be done.
Please share and be safe on the web. Browser address bar images in this post are courtesy of the original Wordfence blog article.
