Look-alike website addresses a growing threat

Look-alike website addresses a growing threat

Matt Blowes March 28, 2018 Security

Security experts are trying to draw attention to a rarely discussed issue where two completely separate websites can appear to have the same website address.

The issue involves exploiting the process for registering a website in multiple languages using internationalised domain names (IDN). 

It is an issue that can be exploited by cyber criminals and all users should be aware. 

How it works
  1. You click on a link. Let's say you've found a link to sentrían.com. It looks legitimate, if you're just glancing at it.
  2. The website loads and it appears like the website you expect. You open a few further pages, maybe enter in some personal details, ask to be contacted later or sign-up to a newsletter.
  3. You exit the website without thinking twice. 

For eagle-eyed readers, you'll notice the in the link above is actually an í. You've unintentionally accessed a copycat website. It mimics a legitimate website but is actually unrelated.

Cyber criminals are exploiting this somewhat unknown website address vulnerability. It allows criminals to register addresses in non-Latin-based languages, where the characters visually appear the same as Latin-based characters. 

Introducing Punycode

Websites addresses can be registered using various languages, or more specifically, alphabets. Across the various alphabets there are many characters that look exactly the same or highly similar. For instance, the Cyrillic "а" appears identical to the English "a". (Try copying each of these characters and pasting them into Google, it will demonstrate how they are different.)

Your computer differentiates these characters behind the scenes using something called Unicode. Unicode allows these similar characters to appear but convey different definitions. Unicode does this by assigning assigns each character a specific code, so your computer can read that each one is unique, while still displaying the character correctly. In this case the Cyrillic "а" has this code: U+0430. While the English "a" has this code: U+0041. 

Unicode is highly versatile, it contains over 130,000 characters. 

However websites are registered using a system called ASCII, which has fewer than 128 characters. To allow for non-Latin languages to be registered, the Unicode characters are given a Punycode equivalent, which translates them into a series of ASCII characters. 

For instance, sentrían.com is actually http://xn--sentran-cza.com in Punycode.

sentrian.com.au stays the same because all of its characters exist in ASCII.

Name of attack

This type of attack is known by a number of names, including Punycode phishing, website look-alike attacks, visual confusion attacks, and ASCII spoofing. 

Who is most vulnerable?

Users on older computers, users running old versions of web browsers and Firefox users. Firefox users should pay particular attention. 

Google Chrome and Microsoft Edge users with the latest software updates should be protected from this type of attack. Both browsers display website addresses in Punycode by default. 

However Firefox controversially does not display Punycode addresses by design. A Firefox statement explains:

"Visual confusion attacks are not new and are difficult to address while still ensuring that we render everyone’s domain name correctly. We have solved almost all IDN spoofing problems by implementing script mixing restrictions, and we also make use of Safe Browsing technology to protect against phishing attacks."

Firefox users can find instructions on how to force website addresses to display in Punycode here

What we you do to avoid this type of attack?
  • Manually type in website addresses or access them from bookmarks you know are secure. 
  • Hover your mouse over any links to see the preview address before clicking a link. If a website address uses non-ASCII characters, the address should appear as Punycode in the preview. 
  • Only clicking on links from sources you trust.

Punycode phishing is an annoying and clever attack. However, if you remain vigilant when clicking on links and attachments, you should be able to avoid vulnerabilities. If you are a Firefox user, we highly encourage you to force Punycode addresses to display. Otherwise you risk being unable to separate website addresses. 

Further information

If you'd like further technical information, please see this explanation by IT security reporter Brian Krebs. Or see this alternative explanation here from The Guardian.

This article was written with assistance from our Systems Engineer Alex Uhde

Subscribe to the Sentrian Newsletter for the latest security news and expert advice.