BEACON TRANSCRIPT – Hackers use many inventive methods to make unaware users click on malicious links. One recent phishing attempt surprised us, as it relied on a useful but little-known browser feature. Worse, such a technique might lure even the most careful users.
As we know, not all languages use the Latin alphabet, but you might not have seen a link containing Cyrillic or kanji characters. This is in spite of the fact that Unicode, the text standard used everywhere in the world, actually supports a wider variety of languages.
Punycode transcribes links from non-Latin letters
It is indeed not typical for these characters to appear in URIs, as only ASCII characters are allowed. Thus, a system appeared which converts such symbols into ASCII, and this is called “punycode”. A browser is able to identify a URI written in punycode, as it is always preceded by “xn--”.
This conversion occurs without the user being aware of it. If characters other than Latin letters are present in a hyperlink, the system immediately converts them into punycode, and the URI takes a readable form. To make it clearer, a link which looks like “JP納豆.例.jp” would transform into “xn--jp-cd2fp15c.xn--fsq.jp”.
A sneaky trick preferred by hackers
Hackers often resort to such methods precisely because punycode does not tell the user beforehand that it is going to change the link. By using this, the attackers can make any link look normal to a regular user when, in fact, it is a completely different thing.
For instance, they can use Cyrillic letters to disguise a malicious link and make it look like it reads apple.com. These letters can be produced by the punycode xn--80ak6aa92e. If you change some settings in your browser, you will be able to see previews of such links in punycode, or even render them in different fonts which show that they are different.
Thus, this might trick even the most experienced users who know how to be careful with malicious links. Google Chrome and Mozilla Firefox are the only browsers which are affected by such phishing attacks. You can change the settings and select the option which allows you to see the true URI code.
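The same check can be made outside the browser. The following is an added example, not part of the original article: it decodes each “xn--” label of a hostname with Python's built-in punycode codec and reports which scripts the displayed letters come from. The function names, the flag wording and the script heuristic (first word of each character's Unicode name) are assumptions made for this illustration.

```python
import unicodedata

ACE_PREFIX = "xn--"  # prefix that marks a punycode-encoded label


def decode_label(label):
    """Return the form of one hostname label that a browser would display."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def scripts(text):
    """Approximate the script of each letter by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def inspect_host(host):
    """Decode every label of a hostname and flag the ones that need a second look."""
    report = []
    for label in host.rstrip(".").split("."):
        try:
            shown = decode_label(label)
        except UnicodeError:
            report.append({"label": label, "shown": None,
                           "scripts": set(), "flag": "invalid punycode"})
            continue
        found = scripts(shown)
        if shown == label:
            flag = None                        # plain ASCII label, nothing hidden
        elif len(found) > 1:
            flag = "mixed scripts"             # e.g. Latin letters next to CJK
        elif found and found != {"LATIN"}:
            flag = "single non-Latin script"   # a whole-label lookalike is possible
        else:
            flag = "non-ASCII"
        report.append({"label": label, "shown": shown, "scripts": found, "flag": flag})
    return report


if __name__ == "__main__":
    # Hostnames taken from the article, plus a plain ASCII one for comparison.
    for host in ("xn--80ak6aa92e.com", "xn--jp-cd2fp15c.xn--fsq.jp", "apple.com"):
        print(host)
        for row in inspect_host(host):
            print("   ", row["label"], "->", row["shown"], sorted(row["scripts"]), row["flag"])
```

A flag is a prompt for review, not a verdict: legitimate internationalized domains are also written in a single non-Latin script.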