How do you spot a phishing scam when the URL looks perfectly legit?
An old phishing technique has recently popped back up in the news, and it has the potential to fool some folks no matter how many times they inspect a URL for typos.
Phishing works like this: Some fool sends people an email that asks readers to please click on this link or download this thing. The person sends the link from a URL with a (theoretically) clever typo (think yhaoo.com instead of yahoo.com). But this other kind of phishing scheme — called a homograph attack — sends an email from a URL that looks nearly identical to the real thing, replacing some the letters with similar ones from other alphabets.
Look at this example of the real apple.com and an imposter created by web developer Xudong Zheng, who brought renewed attention to homograph attacks by writing about them on April 14.
A homograph attack replaces all the letters in a URL with similar or identical letters from non-English alphabets such as Cyrillic.
Here’s how it works: Zheng’s fake “apple.com” is actually a translation. Its true URL looks like this: “xn—80ak6aa92e.com.”
That keyboard vomit means nothing to me, but this arrangement of letters and dashes and numbers corresponds to Cyrillic letters. It’s written in unicode, a coding standard that pulls from a wide range of letters and numbers and whatever else. But, with the help of a separate tool called punycode, that illegible URL is translated into something called American Standard Code for Information Interchange, which renders URLs in English. Thus, that unreadable mess becomes a fake apple.com.
This is an issue for anyone using Firefox, Chrome and several less popular browsers, though not for folks using Safari or Internet Explorer. But while the regular URLs are seemingly impossible to distinguish from the bad ones, the fix is still relatively simple (if kind of annoying).
If you get an email you’re not sure about, and it asks you to click on a link, don’t. Instead, Zheng suggests, type it out into a browser or a search engine. This will take you to the legitimate link, if there is such a thing. A few seconds of extra key-tapping could save you a whole lot of malware issues.
Another bit of good news: Zheng says homograph attacks aren’t all that common because once a Cyrillic-based URL is blacklisted, it’s pretty much useless. Homograph attacks only work if each letter of the real URL is replaced with a letter from a different alphabet. If a Cyrillic-based site gets blacklisted, the phisher can’t just come back with a different fake arrangement of letters and try again.
In less good news, Zheng says homograph attacks often aren’t necessary. Phishers trick plenty of people with schemes that aren’t so complex.