Phishing Attack Uses Domains Identical to Known Safe Sites

General discussion and chat (archived)
dark_moon

Post by dark_moon » 2017-04-15, 20:01

https://www.wordfence.com/blog/2017/04/ ... -phishing/

Pale Moon is affected too, and the fix
network.IDN_show_punycode
Change the value from false to true
works.

wyMnNHXB

Post by wyMnNHXB » 2017-04-15, 20:09

Amazing attack. So simple, so efficient. Thank you for the info!

Moonchild
Pale Moon guru
Posts: 35476
Joined: 2011-08-28, 17:27
Location: Motala, SE

Post by Moonchild » 2017-04-15, 20:20

We already have the most common bases covered with blacklisted characters (e.g. exchanging hyphens with soft hyphens or –); it's not that simple to blacklist all letter-homographs because international domain names WILL be using them legitimately for unicode domain names. This kind of thing has been around for quite a while, actually. It's not new.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonraker
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Post by Moonraker » 2017-04-15, 20:24

Thanks darkmoon for the heads up!
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

Moonchild

Post by Moonchild » 2017-04-15, 20:39

I do actually have an idea at least for https sites: we display domain-verified domains in the identity panel - showing punycode there would make things unambiguously clear when it's an IDN.

dark_moon

Post by dark_moon » 2017-04-15, 20:54

Sounds nice, Moonchild!

Moonchild

Post by Moonchild » 2017-04-15, 22:17

I can actually do it one better ;) display punycode for http as well if it's an IDN, and not display anything if not...
Attachments: idn-https.png, normal-http.png, idn-http.png

van p
Astronaut
Posts: 592
Joined: 2015-11-19, 07:15
Location: Cincinnati, OH, U.S.A.

Post by van p » 2017-04-16, 04:56

So what's the bottom line? Should we change the setting or leave it alone? Thanks.
Windows 10 Pro x64 v22H2 8GB i5-4570|Pale Moon v33.0.1 x64

Moonchild

Post by Moonchild » 2017-04-16, 11:27

You can change the setting if you're worried about this, don't want to check the certificate, and want to do something about this right now - downside is that you can't enter internationalized domain names in the address bar.
As said, this kind of spoofing has been around for a long time, it's nothing new.

Otherwise, leave it alone and wait for the next version of Pale Moon.

Of note, any financial institution will always have an EV (green) certificate that will display the certificate owner's name -- that can't be spoofed this way.
Attachment: Image1.png

JustOff

Post by JustOff » 2017-04-16, 17:45

Moonchild wrote: I can actually do it one better ;) display punycode for http as well if it's an IDN, and not display anything if not...
Simple and efficient! :thumbup:
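
The display rule Moonchild describes in this thread (punycode when the host is an IDN, nothing otherwise), next to the effect of the network.IDN_show_punycode pref from the first post, as an added Python example that is not part of any post and is not Pale Moon code. The function names, the simplified pref model and the sample hosts are assumptions constructed for illustration.

```python
"""Added illustration of the display rule discussed in this thread.
Function names are hypothetical; this is not Pale Moon source code."""


def to_ascii(host: str) -> str:
    """ASCII (punycode) form of a hostname: non-ASCII labels become xn--..."""
    # Python's built-in codec implements IDNA 2003; ASCII labels pass through
    # unchanged, so the result is lower-cased here.
    return host.rstrip(".").encode("idna").decode("ascii").lower()


def to_unicode(host: str) -> str:
    """Unicode form of a hostname (xn-- labels decoded back to their script)."""
    return to_ascii(host).encode("ascii").decode("idna")


def is_idn(host: str) -> bool:
    """True if any label of the host is an internationalized (xn--) label."""
    return any(label.startswith("xn--") for label in to_ascii(host).split("."))


def identity_panel_text(host: str) -> str:
    """Rule from the thread: punycode if the host is an IDN, nothing otherwise."""
    return to_ascii(host) if is_idn(host) else ""


def address_bar_text(host: str, show_punycode: bool) -> str:
    """Simplified model of network.IDN_show_punycode (assumption: a real
    browser applies further rules before it shows the Unicode form)."""
    return to_ascii(host) if show_punycode else to_unicode(host)


# Constructed samples: a plain ASCII host, a lookalike whose "a" is
# CYRILLIC SMALL LETTER A (U+0430), and a legitimate IDN.
SAMPLES = ["example.com", "ex\u0430mple.com", "b\u00fccher.example"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host!r:24} pref=false: {address_bar_text(host, False):18} "
              f"pref=true: {address_bar_text(host, True):24} "
              f"panel: {identity_panel_text(host) or '(nothing)'}")
```

The legitimate IDN and the lookalike both get a punycode line in the panel: the rule makes an IDN visible without having to decide whether a given name is a spoof.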
