Another week, another web security story where organisations need to consider how to defend against another phishing attack.
This week we saw the Punycode story break. For those that missed it, a Chinese infosec researcher has reported an "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet. Attackers are able to use a known vulnerability in the Chrome, Firefox and Opera web browsers to display fake domain names as the websites of legitimate brands, like Apple, Google, or Amazon, to steal login or financial credentials and other sensitive information from customers.
The reality of the browser vulnerability and the extent to which it could be abused has multiple angles to consider:

Website Brands Targeted

Any web brand can currently be impersonated using this browser vulnerability. Brand owners can register the Unicode domains that look like their brand in order to protect their customers. However, the reality is succinctly addressed by Google themselves with the quote below on the Bugzilla site thread.
It is the responsibility of domain owners to check for this :(
Not all browsers are vulnerable to this attack. To start with, Microsoft Edge and Safari are not vulnerable. However, the most popular browsers used today - Chrome, Firefox and Opera - are all vulnerable. Data from our cloud platform today indicates that, across our enterprise customers, the overwhelming majority of users are on browsers that are vulnerable to this Punycode attack.
The good news is that using isolation technology does mitigate this threat for users visiting a site using a browser that is still vulnerable.
From a risk score perspective, the international characters used to fool the user would trigger multiple risk elements, and the domain obviously would not be confused with the real apple.com domain. The website will be seen as an uncategorized and/or uncommon domain. For the example domain in the article, it is flagged with a High risk score.
Another protection provided by isolation is that in the prepend/anti-phish mode we have built, the Punycode domains do not get converted back to the native characters, so it won't look misleading in the address bar.
In isolation, that fake apple domain would look like:
Going forward, we will add these techniques into our phishing analysis -- for example, decode the Punycode and detect its similarity to phishing targets and communicate that to the user as well.