
Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites



#1 manunkind

manunkind

    Valued Member

  • Gold Star Member
  • 899 posts

Posted 16 April 2017 - 12:05 AM

There is a phishing attack that is receiving much attention today in the security community.

 

As a reminder: A phishing attack is when an attacker sends you an email that contains a link to a malicious website. You click on the link because it appears to be trusted. Merely visiting the website may infect your computer or you may be tricked into signing into the malicious site with credentials from a site you trust. The attacker then has access to your username, password and any other sensitive information they can trick you into providing.

This variant of a phishing attack uses unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

 

This affects the current version of Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers.

 

We created our own example to demonstrate how an attacker can register their own domain that looks identical to another company’s domain in the browser. We decided to imitate a healthcare site called ‘epic.com’ by registering our own fake site. You can visit our demo site here in Chrome or Firefox. For comparison you can click here to visit the real epic.com.

 

Source:
https://www.wordfenc...icode-phishing/
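An added example, not from the Wordfence article or from this thread, showing the defender-side check that the attack relies on people not doing: convert a hostname to its punycode form (the "xn--" form Firefox shows when network.IDN_show_punycode is enabled) and report which scripts each non-ASCII label uses. The sample hostnames are constructed here for the demo; the Cyrillic lookalike for epic.com is my own construction and is not the domain registered by Wordfence.

```python
import unicodedata


def script_of(ch):
    """Crude script detection: the first word of the Unicode character name,
    e.g. "CYRILLIC SMALL LETTER IE" -> "CYRILLIC". Sufficient for spotting
    Latin-lookalike labels; not a full Unicode Script property lookup."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def to_punycode(hostname):
    """Encode with Python's built-in IDNA codec: every non-ASCII label is
    turned into an ASCII "xn--" label, which is what a browser actually
    sends to DNS and what Firefox displays when punycode display is on."""
    return hostname.encode("idna").decode("ascii")


def analyse_hostname(hostname):
    """Return the punycode form and flag any label that is not pure ASCII,
    together with the set of scripts found in that label. A lookalike built
    from Cyrillic letters shows up as a single-script non-ASCII label; a
    mixed Latin/Cyrillic label is flagged the same way."""
    flagged = []
    for label in hostname.split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot be homograph lookalikes
        scripts = sorted({script_of(c) for c in label if c.isalpha()})
        flagged.append({"label": label, "scripts": scripts})
    return {
        "hostname": hostname,
        "punycode": to_punycode(hostname),
        "flagged_labels": flagged,
        "suspicious": bool(flagged),
    }


# Constructed sample hostnames (hypothetical; not the Wordfence demo domain):
REAL_EPIC = "epic.com"
# Cyrillic ie, er, Byelorussian-Ukrainian i, es: renders like "epic" in many fonts
LOOKALIKE_EPIC = "\u0435\u0440\u0456\u0441.com"
# Latin letters with one Cyrillic "er" (U+0440) in place of Latin "p"
MIXED_SCRIPT = "pay\u0440al.example"

if __name__ == "__main__":
    for host in (REAL_EPIC, LOOKALIKE_EPIC, MIXED_SCRIPT):
        result = analyse_hostname(host)
        print(result["hostname"], "->", result["punycode"])
        for entry in result["flagged_labels"]:
            print("  flagged label:", entry["label"], "scripts:", entry["scripts"])
```

Run it and the real epic.com comes back unchanged and unflagged, while the lookalike encodes to an "xn--" label whose only script is CYRILLIC; that punycode string is the one to compare against the site you believe you are visiting. The same check belongs in a mail gateway or URL-rewriting proxy, where it can annotate links before a human has to judge them by eye.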



#2 manunkind

manunkind

    Valued Member

  • Gold Star Member
  • 899 posts

Posted 16 April 2017 - 01:23 AM

A couple quick notes:

  • Check the certificate if in doubt.  The certificates won't lie.
  • Password managers will know the difference and fail to auto-fill.  Only humans will be fooled.

PC Sympathy

s++=ENDIKSA;++y(;-p)}d ms++n;suajsmn+ky(n-qi}?print:??;

#3 ranchhand

ranchhand

    Moderator

  • Moderators
  • 1,395 posts
  • Location: Midwest

Posted 16 April 2017 - 01:05 PM

Thanks for the heads-up.

Further down the site page, they explain how to fix this hole in Firefox, as follows:

 

 

How to fix this in Firefox:

In your Firefox location bar, type ‘about:config’ without quotes.

Do a search for ‘punycode’ without quotes.

You should see a parameter titled: network.IDN_show_punycode

Change the value from false to true.

Now if you try to visit our demonstration site you should see:

[screenshot: wordfence-real-demo-url.png]

 

The article goes on to say that there currently is no fix in Chrome. I am sure that Google is already working on an update.

 

I made the changes to Firefox and it works; the sample bogus website now shows the fake URL address. I am sure FF will have an update for this soon.


Fishing Fanatic - gimme a fishing rod, point me North and turn me loose.


#4 manunkind

manunkind

    Valued Member

  • Gold Star Member
  • 899 posts

Posted 16 April 2017 - 02:33 PM

Chrome already has it in their Dev/Beta builds for testing.  It should make the next public release.

