MozillaZine

Punycode phishing attack will have you fooled

User Help for Mozilla Firefox
Reflective

User avatar
 
Posts: 1863
Joined: February 15th, 2007, 11:13 am

Post Posted April 18th, 2017, 3:24 am

I just read an article on ghacks.net concerning punycode which can be used to obfuscate a URL in order to make it appear like the real one even when it's a secure site. Here's the link to the article.

In the second paragraph there's a link to what looks like apple.com complete with https:// and digital certificate. If you hover the mouse over it you'll also see it written the same way bottom left of Firefox, but click the link and you'll end up somewhere completely different.

To prevent a phishing attack that uses punycode set network.IDN_show_punycode to true in about:config. It will also reveal the real URL the link will take you to bottom left of FF afterwards.

Happy112

User avatar
 
Posts: 201
Joined: April 15th, 2017, 10:25 am
Location: Never-Never-Land

Post Posted April 18th, 2017, 3:37 am

Hi Reflective,
Good for you to spot this !
Here's a link to a thread on the Mozilla's support forum about this subject :
https://support.mozilla.org/t5/Firefox/firefox-phishing-warning/td-p/1391072

LIMPET235
Moderator

User avatar
 
Posts: 37233
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted April 18th, 2017, 3:47 am

Hi,
It does not affect v20 for some reason. It cannot find the server or load the page.
A mouse-over the 2 posted apple.com link/s reveals the phony site
thusly > "http://xn--pple-43d.com" or > "https://www.xn--80ak6aa92e.com/"
Image

Plus...
There's another/earlier thread on the subject.
> viewtopic.php?f=38&t=3029518
Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-50.0/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.11.0.
RadioYachting. Conficker Test. (Always choose the "Custom" Install.)

Reflective

User avatar
 
Posts: 1863
Joined: February 15th, 2007, 11:13 am

Post Posted April 18th, 2017, 6:50 am

LIMPET235 wrote:Hi,
It does not affect v20 for some reason. It cannot find the server or load the page.
A mouse-over the 2 posted apple.com link/s reveals the phony site
thusly > "http://xn--pple-43d.com" or > "https://www.xn--80ak6aa92e.com/"
Image

Plus...
There's another/earlier thread on the subject.
> viewtopic.php?f=38&t=3029518

Sorry, didn't see the other one. Maybe you can merge this thread with that.

LIMPET235
Moderator

User avatar
 
Posts: 37233
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted April 18th, 2017, 7:28 am

I checked the time lines & was not sure if the resultant merged posts would be too confusing, so left it/them as is.
Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-50.0/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.11.0.
RadioYachting. Conficker Test. (Always choose the "Custom" Install.)

dickvl

User avatar
 
Posts: 52043
Joined: July 18th, 2005, 3:25 am

Post Posted April 18th, 2017, 8:04 pm

Note that is these cases Cyrillic characters that look similar to the Latin characters are use.
аррӏе = аррӏе
https://en.wikibooks.org/wiki/Unicode/C ... /0000-0FFF

LIMPET235
Moderator

User avatar
 
Posts: 37233
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted April 19th, 2017, 3:48 am

Please use the other thread...
> viewtopic.php?f=38&t=3029518

Locking as duplicate.
Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-50.0/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.11.0.
RadioYachting. Conficker Test. (Always choose the "Custom" Install.)

Return to Firefox Support


Who is online

Users browsing this forum: Happy112 and 9 guests