Is it Paypal? Or is it Paypal?
Can you rely on the website address to tell if you’re on a phishing site? Not anymore, according to some websites.
It seems that the International Corporation for Assigned Names and Numbers (ICANN) has recently allowed non-latin domain names to be registered. This is in an effort to encourage internet content build-up from other countries.
Reacting to this news, some creative authors have found a way to display common website addresses using a combination of Cyrillic and English letters. For example the Russian Cyrillic characters “raural” look exactly like “paypal”. Check out the Paypal example here. This IDN homograph phishing attack is nothing new, just a lot easier according to some authors.
Some potential issues have been addressed: depending what type of browser you use, you’ll likely get a warning; IDN implementations won’t allow mixed-script URLs so a nefarious registrant can’t mash up a domain name using multiple scripts. But one can’t help wondering what happens on older browsers, or mobile browsers?
No matter what the case, it’s just become a bit more unreliable to depend on the domain name displayed in the browser address bar. It’s too bad because that’s usually the best way to train non-technical users to be sure they’re on the right website. Of course another way to rely on a website is through the SSL information. But try explaining to your great aunt that she needs to click on the little lock icon at the bottom right of her browser. And with the proliferation of certificates that only validate domain names (DV certificates), many SSL sessions just don’t offer the reliability.
Browser manufacturers and Certificate Authorities have taken the first step towards making it easier by introducing Extended Validation (EV) certificates. The standardized EV Guidelines specifically mention that:
The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization.
In other words, this problem wouldn’t happen if sites were protected by EV certificates. EV guidelines also dictate that certificate providers validate the company name that owns the website as well as the true website name, and this information is displayed in the “chrome” of the browser, such as in the menu bar. Most browsers provide visual cues for EV certificates. Usually the address or address bar turns green. But is it enough? Would your great aunt know to look for green visual cues and the name of the company? Perhaps. Perhaps not. Perhaps the next step is for browsers to provide more dramatic visual cues. Like “You are about to send information securely to <Insert verified company name here>”. Let’s hope the browser vendors can stay ahead of the criminals on this one.