Unicode Domain Spoofing Attack

Security researcher Xudong Zheng disclosed that the Google Chrome, Mozilla Firefox, and Opera web browsers are vulnerable to a Unicode domain spoofing tactic, a variation of the "homograph attack." Malicious actors can register valid internationalized domain names (IDNs) built from non-Latin characters that look similar or identical to Latin letters and use them to direct users to malicious websites. Such domains are registered in Punycode, an ASCII-compatible encoding of Unicode labels that is marked by the "xn--" prefix; the browser converts the Punycode back to Unicode before displaying the address. For example, the Punycode domain xn--pple-43d.com decodes to "apple.com" spelled with a Cyrillic "а" (U+0430) as its first letter. Because the Cyrillic letter is rendered identically to the Latin one, the visitor sees "apple.com" in the address bar. This tactic allows a malicious actor to convince a user to visit a site they believe is legitimate and safe; the site could deliver malware or mirror a legitimate website's login page in order to compromise the user's credentials.

Google fixed this issue in Chrome version 58.0.3029.81, which displays the Punycode form for such domains instead of the Unicode form. Mozilla and Opera have not yet released a patch; however, Firefox users can limit their risk by having Firefox always display IDNs in their raw Punycode form (set network.IDN_show_punycode to true in about:config, as described in Zheng's post). The NJCCIC recommends that all users and administrators apply the security update to Google Chrome, implement the Mozilla Firefox mitigation, and update Opera when a patch becomes available.
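As an added illustration (example code written for this page; it is not part of the NJCCIC advisory, Zheng's post, or any browser's code), the following Python script decodes a Punycode hostname the way a browser does and then applies a simple display rule of the kind the Chrome fix introduced: show the Unicode form only when every label uses a single script and is not made entirely of letters that are confusable with ASCII; otherwise fall back to the xn-- form. The confusable table is a small constructed subset of the Unicode confusables data, and the function names are this example's own.

```python
import unicodedata

# Constructed subset of non-Latin letters that render like ASCII letters.
# The real Unicode confusables list is far larger; this is only for illustration.
CONFUSABLE_WITH_LATIN = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def script_of(ch):
    """Coarse script bucket taken from the first word of the character's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). ASCII letters are LATIN."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def decode_hostname(ace_host):
    """Punycode (xn--) hostname -> Unicode hostname, as a browser decodes it."""
    return ace_host.encode("ascii").decode("idna")


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def is_spoof_candidate(label):
    """True when a label mixes scripts (e.g. Cyrillic 'a' + Latin 'pple'), or
    consists entirely of non-ASCII letters that look like ASCII letters
    (the whole-script confusable case). Plain ASCII is never flagged."""
    if len(label_scripts(label)) > 1:
        return True
    non_ascii = [ch for ch in label if not ch.isascii()]
    return bool(non_ascii) and all(ch in CONFUSABLE_WITH_LATIN for ch in non_ascii)


def skeleton(label):
    """Replace confusable letters with their Latin look-alike, so a label can
    be compared against the brand it is imitating."""
    return "".join(CONFUSABLE_WITH_LATIN.get(ch, ch) for ch in label)


def display_form(ace_host):
    """What the address bar should show: the Unicode form when every label
    is safe, otherwise the raw Punycode form so the spoof is visible."""
    unicode_host = decode_hostname(ace_host)
    for label in unicode_host.split("."):
        if is_spoof_candidate(label):
            return ace_host
    return unicode_host


if __name__ == "__main__":
    # The example from the advisory: Cyrillic 'a' followed by Latin 'pple'.
    for host in ["xn--pple-43d.com", "example.com",
                 "m\u00fcnchen.de".encode("idna").decode("ascii")]:
        decoded = decode_hostname(host)
        print(f"{host:22} -> {decoded:12} shown as {display_form(host)}"
              f"  (skeleton: {skeleton(decoded)})")
```

Running the script shows xn--pple-43d.com decoding to аpple.com, being flagged because the label mixes Cyrillic and Latin, and therefore being displayed in its xn-- form, while a legitimate single-script IDN such as münchen.de is shown in Unicode. The skeleton() helper is the check a brand-monitoring or mail-filtering pipeline would use to compare a suspicious label against a protected name.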