Scammers Abuse Multilingual Domain Names (bbc.com)
Cyber-criminals are abusing multilingual character sets to trick people into visiting phishing websites. BBC: The non-English characters allow scammers to create "lookalike" sites with domain names almost indistinguishable from legitimate ones. Farsight Security found scam sites posing as banks, loan advisers and children's brands Lego and Haribo.
Smartphone users are at greater risk as small screens make lookalikes even harder to spot. The Farsight Security report looked at more than 100 million domain names that use non-English character sets -- introduced to make the net more familiar and usable for non-English speaking nations -- and found about 27% of them had been created by scammers. It also uncovered more than 8,000 separate characters that could be abused to confuse people.
Farsight founder Paul Vixie, who wrote much of the software underpinning the net's domain names, told the BBC: "Any lower case letter can be represented by as many as 40 different variations."
Browsers should have you choose a language and not allow sites in other languages (in the URL) by default. You go in somewhere and say allow everything or populate a list of acceptable languages. It should at least give a popup.
Saw this coming years ago.
Indeed. The security ramifications were immediately pointed out by many people as soon as this idiotic proposal was made. But it went forward anyway so they could sell new domain names, and force legitimate companies to spend even more to buy up every possible permutation of their names.
The only good solution now is for browsers to block these domains, or at least throw up a flashing SCAM warning whenever one is accessed.
Somehow I get the feeling that unicode isn't the real problem.
It seems oddly specific to allow companies to register their name as a domain but only if their name consists of a very limited number of characters.
Even if we get rid of unicode we still have the problem with sans-serif fonts.
slashdot.org and sIashdot.org can be hard to tell apart.
If your response is that you can choose to use a serif font, then you can also choose to use a font that shows unicode as boxes, or use a browser that warns you when going to a domain that has odd letters in the name.
One way to reduce the problem could have been to not have *.com or *.org addresses at all. Let everyone register their domains under whatever country they belong to. That way you can choose to not trust *.su addresses.
The underlying problem seems to be that we put our trust in a name.
Even without intentional name collisions for the purpose of scamming we still get unintentional name collisions with organizations that have the same name but in completely different fields. (Or similar fields but different regions.)
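As an added example (not from the BBC report, Farsight's tooling, or any commenter on this page), the following Python checker implements the defensive ideas raised above: it decodes punycode (xn--) domains to their Unicode form, flags labels that mix scripts or use a script outside a user-chosen allowlist (the per-language browser policy the first comment proposes), and collapses visually confusable characters, including the sans-serif capital-I versus lowercase-l case from the sIashdot.org comment, into a skeleton that is compared against a list of protected brand domains. The protected-domain list, the allowed-script policy and the small confusables table are constructed for this example; script detection uses the first word of each character's Unicode name as an approximation, because Python's unicodedata exposes no Script property.

```python
"""Defender-side check for IDN homograph / lookalike domains (added example, not from the page)."""
import unicodedata

# Constructed allowlist: domains a defender wants to protect against lookalikes.
PROTECTED_DOMAINS = {"slashdot.org", "lego.com", "haribo.com"}

# Constructed user policy: scripts this user actually reads (plus "Common" for digits,
# hyphens and dots). Labels in any other script, or mixing scripts, are flagged.
ALLOWED_SCRIPTS = {"Latin", "Common"}

# Small hand-built confusables table mapping look-alike characters to a Latin skeleton.
# This is an illustration, not Unicode's full confusables.txt (UTS #39).
CONFUSABLES = {
    "I": "l", "1": "l", "0": "o", "|": "l",           # ASCII look-alikes in sans-serif fonts
    "\u0430": "a", "\u0435": "e", "\u043e": "o",      # Cyrillic a, ie, o
    "\u0440": "p", "\u0441": "c", "\u0455": "s",      # Cyrillic er, es, dze
    "\u0456": "i", "\u0458": "j", "\u0445": "x",      # Cyrillic i, je, ha
    "\u0443": "y", "\u04bb": "h", "\u0501": "d",      # Cyrillic u, shha, komi de
    "\u03bf": "o", "\u03bd": "v", "\u0261": "g",      # Greek omicron, nu; Latin script g
}


def to_unicode(domain: str) -> str:
    """Convert an ASCII-compatible (xn--) domain to its Unicode form.

    Non-ASCII input is assumed to already be the Unicode form. Python's idna codec
    re-encodes each decoded label and raises if it does not round-trip, which catches
    malformed punycode.
    """
    domain = domain.rstrip(".")
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character from its character name.

    Assumption: the first word of the name ("LATIN SMALL LETTER A") names the script.
    Digits, punctuation and other non-letters are treated as "Common".
    """
    if not ch.isalpha():
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0].title() if name else "Unknown"


def skeleton(domain: str) -> str:
    """Collapse confusable characters into a plain Latin skeleton.

    Confusables are mapped before lowercasing so that capital I still becomes l.
    """
    text = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(c, c) for c in text).lower()


def analyse(domain: str, protected=PROTECTED_DOMAINS, allowed=ALLOWED_SCRIPTS) -> dict:
    """Return a verdict dict for one domain: script findings plus any protected match."""
    uni = to_unicode(domain)
    label_scripts = [{script_of(c) for c in label} - {"Common"} for label in uni.split(".")]
    mixed = any(len(s) > 1 for s in label_scripts)          # e.g. Cyrillic + Latin in one label
    foreign = any(not s <= allowed for s in label_scripts)  # script outside the user's policy
    skel = skeleton(uni)
    # A lookalike is a domain whose skeleton equals a protected name but which is not that name.
    lookalike = skel if (skel in protected and uni.lower() != skel) else None

    reasons = []
    if mixed:
        reasons.append("label mixes scripts")
    if foreign:
        reasons.append("script outside user policy")
    if lookalike:
        reasons.append(f"skeleton matches protected domain {lookalike}")
    return {
        "input": domain, "unicode": uni, "skeleton": skel, "lookalike_of": lookalike,
        "mixed_script": mixed, "foreign_script": foreign,
        "suspicious": bool(reasons), "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the real site, an ASCII I/l swap, a Cyrillic dze swap
    # (also shown in its xn-- wire form), and an ordinary all-Cyrillic domain.
    samples = ["slashdot.org", "sIashdot.org", "\u0455lashdot.org",
               "\u0455lashdot.org".encode("idna").decode("ascii"), "пример.рф"]
    for s in samples:
        r = analyse(s)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{s:32} -> {r['unicode']:16} {flag:10} {'; '.join(r['reasons'])}")
```

The script-name heuristic is deliberately simple: languages such as Japanese legitimately mix Han, Hiragana and Katakana in one label, so a production check should use the restriction levels and the full confusables data that Unicode Technical Standard #39 defines rather than flagging every mixed-script label. Passing a different `allowed` set per user is how the per-language policy from the comments would be expressed.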