A security researcher has brought new attention to an old way for scammers to lure unsuspecting internet users onto bogus sites. The trick lies in how the Unicode text-encoding standard is used in domain names.
While Unicode offers the benefit of standardising text across most of the world's writing systems, it also lets malicious actors register look-alike domains built from characters in other alphabets that resemble Latin ones. The problem stems from the fact that the internet's addressing system, the DNS, was built on ASCII, the Latin-script character set of English. To allow domain names in other scripts, engineers later bolted on Internationalized Domain Names (IDN): a label written in Unicode is converted by the Punycode algorithm into an ASCII label beginning with 'xn--', which is what the DNS actually carries, and the browser converts it back into Unicode for display. A name whose letters are all Cyrillic can therefore be a distinct, registrable domain while rendering identically to a well-known Latin one in the address bar.
The reaction from the leading web browsers to the researcher's proof-of-concept domain has been varied. Apple's Safari and Microsoft's Edge both flagged the spoof domain, showing it in its undisguised encoded form rather than as look-alike letters, whereas Google's Chrome and Mozilla's Firefox rendered the phoney URL as if it were genuine. The Chrome team is taking steps to fix it, but Mozilla has dismissed it as an Apple problem.
To guard against this problem, known as a 'homograph attack', it has been suggested to use a password manager, which fills saved credentials only on the exact domain they were saved for and so hands nothing to a look-alike, and to treat links in e-mail and messages with suspicion before clicking. A padlock icon is no reassurance here: the attacker owns the look-alike domain and can obtain a valid certificate for it. If in doubt, the recommendation is to type URLs in manually or navigate to the site via a search engine.
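The following is an added example, not code from the article or from any browser vendor, that shows the two things a practitioner will want to see from the passages above: the ASCII 'xn--' form that the DNS carries for a look-alike Unicode domain, and a check in the spirit of what the cautious browsers do, which rejects labels that mix scripts and compares a Latin "skeleton" of the name against a list of protected domains. The look-alike domain, the protected-domain list and the confusables table are constructed for the example; the table is a small hand-picked subset of the Cyrillic and Greek letters that render like Latin ones in common fonts, not the full Unicode TR39 data.

```python
import unicodedata

# Constructed inputs for the example: a genuine Latin domain and a look-alike
# spelled entirely with Cyrillic letters (а р р palochka е) that render like "apple".
LATIN_DOMAIN = "apple.com"
LOOKALIKE_DOMAIN = "\u0430\u0440\u0440\u04cf\u0435.com"

# Assumed, hand-picked subset of letters that look like Latin ones in common
# fonts. A production check would use the full Unicode TR39 confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a",
}


def to_punycode(domain: str) -> str:
    """Encode a Unicode domain into the ASCII 'xn--' form the DNS carries."""
    return domain.encode("idna").decode("ascii")


def from_punycode(ascii_domain: str) -> str:
    """Decode an 'xn--' domain back into the Unicode a browser might display."""
    return ascii_domain.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Approximate each letter's script from the first word of its Unicode name,
    e.g. 'LATIN', 'CYRILLIC', 'GREEK'. Digits and hyphens carry no script."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(domain: str) -> str:
    """Replace known confusables with the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def classify(domain: str, protected=("apple.com",)) -> str:
    """Classify a domain as 'ascii', 'mixed-script', 'confusable' or 'idn'.

    An 'xn--' form is decoded first, so the check sees what the user would see.
    A label mixing scripts is rejected outright; a single-script label whose
    skeleton equals a protected domain is a homograph of it.
    """
    if any(label.startswith("xn--") for label in domain.split(".")):
        domain = from_punycode(domain)
    if domain.isascii():
        return "ascii"
    for label in domain.split("."):
        if len(scripts_in_label(label)) > 1:
            return "mixed-script"
    if skeleton(domain) in protected:
        return "confusable"
    return "idn"


if __name__ == "__main__":
    encoded = to_punycode(LOOKALIKE_DOMAIN)
    print(f"{LOOKALIKE_DOMAIN!r} is carried by the DNS as {encoded}")
    for name in (LATIN_DOMAIN, LOOKALIKE_DOMAIN, encoded, "ap\u0440le.com", "m\u00fcnchen.de"):
        print(f"{name:>24}  ->  {classify(name)}")
```

The script-mixing test alone is not enough, as the look-alike shows: every letter is Cyrillic, so the name passes as single-script and is only caught by the skeleton comparison against a list of domains worth protecting. The Punycode form is what to look for when a browser refuses to render a name, and what to search for in logs or certificate transparency records.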