Punycode phishing attack will have you fooled

Reflective · Post by **Reflective** » April 18th, 2017, 3:24 am

I just read an article on ghacks.net concerning punycode which can be used to obfuscate a URL in order to make it appear like the real one even when it's a secure site. Here's the link to the article.

In the second paragraph there's a link to what looks like apple.com complete with https:// and digital certificate. If you hover the mouse over it you'll also see it written the same way bottom left of Firefox, but click the link and you'll end up somewhere completely different.

To prevent a phishing attack that uses punycode set network.IDN_show_punycode to true in about:config. It will also reveal the real URL the link will take you to bottom left of FF afterwards.

Happy112 · Post by **Happy112** » April 18th, 2017, 3:37 am

Hi Reflective,
Good for you to spot this !
Here's a link to a thread on the Mozilla's support forum about this subject :
https://support.mozilla.org/t5/Firefox/ ... -p/1391072

Post by **LIMPET235** » April 18th, 2017, 3:47 am

Hi,
It does not affect v20 for some reason. It cannot find the server or load the page.
A mouse-over the 2 posted apple.com link/s reveals the phony site
thusly > "http://xn--pple-43d.com" or > "https://www.xn--80ak6aa92e.com/"

Plus...
There's another/earlier thread on the subject.
> http://forums.mozillazine.org/viewtopic ... &t=3029518

Reflective · Post by **Reflective** » April 18th, 2017, 6:50 am

LIMPET235 wrote:Hi,
It does not affect v20 for some reason. It cannot find the server or load the page.
A mouse-over the 2 posted apple.com link/s reveals the phony site
thusly > "http://xn--pple-43d.com" or > "https://www.xn--80ak6aa92e.com/"

Plus...
There's another/earlier thread on the subject.
> http://forums.mozillazine.org/viewtopic ... &t=3029518

Sorry, didn't see the other one. Maybe you can merge this thread with that.

Post by **LIMPET235** » April 18th, 2017, 7:28 am

I checked the time lines & was not sure if the resultant merged posts would be too confusing, so left it/them as is.

dickvl · Post by **dickvl** » April 18th, 2017, 8:04 pm

Note that is these cases Cyrillic characters that look similar to the Latin characters are use.
аррӏе = аррӏе
https://en.wikibooks.org/wiki/Unicode/C ... /0000-0FFF

Post by **LIMPET235** » April 19th, 2017, 3:48 am

Please use the other thread...
> http://forums.mozillazine.org/viewtopic ... &t=3029518

Locking as duplicate.

Punycode phishing attack will have you fooled

Punycode phishing attack will have you fooled

Re: Punycode phishing attack will have you fooled

Re: Punycode phishing attack will have you fooled

Re: Punycode phishing attack will have you fooled

Re: Punycode phishing attack will have you fooled

Re: Punycode phishing attack will have you fooled

Re: Punycode phishing attack will have you fooled