Slashdot Mirror


Scammers Abuse Multilingual Domain Names (bbc.com)

Cyber-criminals are abusing multilingual character sets to trick people into visiting phishing websites. BBC: The non-English characters allow scammers to create "lookalike" sites with domain names almost indistinguishable from legitimate ones. Farsight Security found scam sites posing as banks, loan advisers and children's brands Lego and Haribo. Smartphone users are at greater risk as small screens make lookalikes even harder to spot. The Farsight Security report looked at more than 100 million domain names that use non-English character sets -- introduced to make the net more familiar and usable for non-English speaking nations -- and found about 27% of them had been created by scammers. It also uncovered more than 8,000 separate characters that could be abused to confuse people.

Farsight founder Paul Vixie, who wrote much of the software underpinning the net's domain names, told the BBC: "Any lower case letter can be represented by as many as 40 different variations."

21 of 129 comments

  1. Farsight Security by omnichad · · Score: 4, Funny

    small screens make lookalikes even harder to spot....Farsight Security

    Yes, this does sound like a job better suited for Nearsight.

    1. Re:Farsight Security by BronsCon · · Score: 4, Insightful

      Look more closely...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. Unicode is a mess by Anonymous Coward · · Score: 5, Insightful

    Saw this coming years ago. Unicode assignment is a god awful mess, made worse now that nearly every single noun has an emoji version. Pity that we're probably stuck with it until the end of humanity.

    1. Re:Unicode is a mess by ShanghaiBill · · Score: 4, Interesting

      Saw this coming years ago.

      Indeed. The security ramifications were immediately pointed out by many people as soon as this idiotic proposal was made. But it went forward anyway so they could sell new domain names, and force legitimate companies to spend even more to buy up every possible permutation of their names.

      The only good solution now is for browsers to block these domains, or at least throw up a flashing SCAM warning whenever one is accessed.

    2. Re:Unicode is a mess by Anonymous Coward · · Score: 4, Interesting

      Somehow I get the feeling that unicode isn't the real problem.

      It seems oddly specific to allow companies to register their name as a domain but only if their name consists of a very limited number of characters.
      Even if we get rid of unicode we still have the problem with sans-serif fonts.
      slashdot.org and sIashdot.org can be hard to tell apart.
      If your response is that you can choose to use a serif font then you can also choose to use a font that shows unicode as boxes or use a browser that warns you when going to a domain that has odd letter in the name.

      One way to reduce the problem could have been to not have *.com or *.org addresses at all. Let everyone register their domains under whatever country they belong to. That way you can choose to not trust *.su addresses.

      The underlying problem seems to be that we put our trust in a name.
      Even without intentional name collisions for the purpose of scamming we still get unintentional name collisions with organizations that have the same name but in completely different fields. (Or similar fields but different regions.)

    3. Re:Unicode is a mess by Calydor · · Score: 5, Informative

      slashdot.org and sIashdot.org can be hard to tell apart.

      I actually had to copy that into Notepad to see what you did. Well played.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:Unicode is a mess by houghi · · Score: 2

      Probably because it was known years ago. Just look at U+0391 U+0410 and U+0041. Or at U+0430 and U+0061 and if you find a word that would use such a letter, you can make serious bÐnk.

      (Luckily it does not work on /.)

      --
      Don't fight for your country, if your country does not fight for you.
  3. Don't be stupid. by Anonymous Coward · · Score: 4, Insightful

    Safe use of the Internet requires digital "street smarts."

    One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding the basics of how these things work makes it obvious, and makes safe browsing practices just as obvious.

    The industry has bent over backwards to grant access to swarms of people too stupid to be safe online.

    So, the scammers take them for all they are worth.

    Personally, I consider stupidity to be a vice (and largely a choice), so I don't have much sympathy for people who fall for this sort of thing.

    1. Re:Don't be stupid. by AvitarX · · Score: 2

      What really frustrates me is that my bank uses "secure" messages.

      It requires me to download an HTML file, open it, and then log in to a website that is not my bank's.

      Except, my bank has a message system right in their main website (I assume the loans are actually written by a different company). So every customer that applies for a loan is being taught bad email behavior, and using a less secure system (my bank makes efforts to make sure I know it's them: click on the correct image of a few shown to log in; if the correct one isn't shown, I know it's not my bank).

      Basically, the "secure" messages are less secure, and run the risk of teaching bad security in general.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  4. Unicode doesn't belong in a URL... by ELCouz · · Score: 3, Insightful

    Seriously... what were they thinking?!?!

    1. Re:Unicode doesn't belong in a URL... by darkain · · Score: 5, Insightful

      They were thinking that not the entire world is English speaking.

  5. why is there not a setting. by Anonymous Coward · · Score: 2, Interesting

    Browsers should have you choose a language and not allow sites in other languages (in the url) by default. You go in somewhere and say allow everything or populate a list of acceptable languages. It should at least give a popup.

  6. It's not unicode - DNS uses punycode by FeelGood314 · · Score: 5, Informative

    DNS entries are ASCII. Punycode is a way to put unicode in ASCII in a way that is sort of mostly human readable. For an English speaker (AKA ASCII character users) always set your browser to display the raw punycode and not the unicode points. For the less technical but still English speaking you should be fine as long as you only visit sites with HTTPS. No reputable CA should be signing EV certs with punycode that looks like English words. Ones that do will quickly be removed from the browsers.

    For the non-English, you're f#@ked. Seriously. This was a god awful idea. We are going to return to an English only internet because everything else will be untrustable.

  7. Old news by sgunhouse · · Score: 3

    I remember this was a big deal - what, 10 years ago. Various desktop browsers implemented features to make the real URL of websites more obvious and then a variety of TLDs were certified as not allowing such domain name spoofing. Everything old is new again, huh?

    1. Re:Old news by mcswell · · Score: 3, Informative

      Right. Here's an article on the topic (and a solution) dated *2011*: https://www.symantec.com/conne.... Or read about it in the Wikipedia, with references going back to *2002*: https://en.wikipedia.org/wiki/....

      I would hazard a guess that every one of those "8,000 separate characters that could be abused to confuse people" has been known for at least a decade. News my eye.

  8. Yup by Trogre · · Score: 2

    Never saw that coming.

    Not at all.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    1. Re:Yup by viperidaenz · · Score: 2

      I googled how to disable IDN in browsers and it returned an article from 2005 about Firefox disabling support for IDN due to phishing concerns
      https://news.netcraft.com/arch...
      Netcraft confirmed it.

  9. disable idn in your browser... by Anonymous Coward · · Score: 3, Informative

    in firefox's about:config page

    set network.IDN_show_punycode to true

    to force firefox always use the punycode, e.g:
    https://www.xn--80ak6aa92e.com...

    good write-up here (where the above example, which looks like 'www.apple.com' comes from):

    https://www.xudongz.com/blog/2...
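Added example, not from the thread and not Farsight's or Mozilla's code: a Python script that does by hand what the "show punycode" setting above makes the browser do, decoding the ACE (xn--) labels of a hostname with the standard library's RFC 3492 punycode codec, and then goes one step further, reducing the decoded label to the Latin string a reader would actually see (the "skeleton" idea from Unicode UTS #39) and comparing that against names worth protecting. The confusables table is a small constructed subset of UTS #39, the protected-name list and the "second-from-last label is the registrable one" rule are assumptions for the demo, and the ASCII entries (I, 1, 0) model the sans-serif sIashdot case from the thread; the only real domain used is the xn--80ak6aa92e.com demo linked above.

```python
import unicodedata

# Constructed subset of lookalike mappings (the full list is UTS #39
# confusables.txt); each entry maps a glyph to the Latin letter it resembles.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
    "I": "l",       # ASCII lookalikes in sans-serif fonts (sIashdot.org above)
    "1": "l",
    "0": "o",
}

# Hypothetical list of names to protect; in practice this would be an
# organisation's own brands (the banks, Lego and Haribo of the article).
PROTECTED = {"apple", "slashdot", "lego", "haribo"}

ACE_PREFIX = "xn--"


def to_unicode(host):
    """Decode every ACE (xn--) label of a hostname with the RFC 3492 punycode codec."""
    out = []
    for label in host.split("."):
        if label.lower().startswith(ACE_PREFIX):
            out.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def to_ace(host):
    """Inverse of to_unicode: encode every non-ASCII label as xn--<punycode>."""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def skeleton(label):
    """Reduce a label to the Latin string a reader would perceive, then lowercase it."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label).lower()


def lookalike_of(host, protected=PROTECTED):
    """Return the protected name this host imitates, or None if it is genuine or unrelated.

    Assumption for the demo: the registrable label is the second-from-last one;
    a real check would consult the Public Suffix List instead.
    """
    labels = to_unicode(host).split(".")
    if len(labels) < 2:
        return None
    label = labels[-2]
    if label.lower() in protected:
        return None  # the genuine name, not a lookalike
    skel = skeleton(label)
    return skel if skel in protected else None


if __name__ == "__main__":
    for host in ["www.xn--80ak6aa92e.com", "www.apple.com", "sIashdot.org"]:
        decoded = to_unicode(host)
        names = [unicodedata.name(c, "?") for c in decoded.split(".")[-2]]
        print(host, "->", decoded, "->", lookalike_of(host))
        print("   ", names)
```

The decoded demo label comes out as five Cyrillic letters (a, er, er, palochka, ie) whose skeleton is exactly "apple", which is the whole attack: nothing in the label is Latin, so a per-character "is this ASCII?" test never fires, and only a comparison against the perceived string catches it.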

  10. Dear browser makers by viperidaenz · · Score: 4, Insightful

    Give an option to disable the display of IDNs. Instead display the "Punycode" translation of the name.
    Better yet, default that for English and any other language that doesn't require non-ascii characters.

    1. Re:Dear browser makers by Anonymous Coward · · Score: 3, Informative

      In Firefox:

      1. about:config

      2. network.IDN_show_punycode set as "true"

      This will force the display of the "raw" punycode version of internationalized domain names, with the xn-- prefix so it's obvious.

      http://kb.mozillazine.org/Network.IDN_show_punycode

      It's crazy to browse without setting this true, unless you want people to spoof homographic punycoded URLs in phishing attacks on your browser.

  11. Is there a use case for mixed-alphabet domains? by fuzzyfuzzyfungus · · Score: 2

    I can understand the logic behind adding support for characters that weren't necessarily a priority back when the internet was a DARPA and some mostly anglophone universities project; but are there any non-scam/amusing novelty use cases for mixed alphabet domain names?

    I ask in sincere curiosity. With the possible exception of non-latin alphabets used alongside hindu-arabic numerals; I can't think of any situations where a human natural language is written such that it would use domain names that are a mixture of multiple alphabets from a Unicode perspective (and, if there were such a language, it would arguably be on Unicode to fix that by assigning the necessary codepoints to the alphabet currently being cobbled together out of several: since Unicode is about glyphs rather than fonts the fact that the same symbol is used doesn't make it the same thing for Unicode purposes, as with all the Greek letters that get one codepoint as mathematical symbols and another as Greek letters, or the visually identical overlaps between Latin and Cyrillic that get coded as completely distinct things because they are.); but what I don't know about linguistics and contemporary natural language usage is very much not an impressive argument.

    Are there any legitimate/expected use cases; or should a domain name cobbled together from multiple alphabets be treated as deeply suspicious in essentially all cases?
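Added example, again not from the thread and not any browser's actual code: a simplified model of the "mixed-script" rule browsers use to decide whether an IDN label is rendered as Unicode or falls back to xn--. It gives the practical answer to the question above (a label mixing alphabets gets the punycode form) and also shows the rule's limit: аррӏе is Cyrillic throughout, so a single-script test lets it through, which is why the Firefox setting discussed earlier, showing punycode unconditionally, is the stricter choice. Classifying a character by the first word of its Unicode name is a crude stand-in for the Script property, which the standard library does not expose; the sample hostnames are constructed for the demo.

```python
import unicodedata


def script_of(ch):
    """Crude script classifier: first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...). Digits and the hyphen count as Common,
    since every script legitimately mixes with them."""
    if ch.isdigit() or ch == "-":
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "Unknown"


def scripts_of(label):
    """Set of scripts a label draws on, ignoring Common characters."""
    return {script_of(ch) for ch in label} - {"Common"}


def classify(label):
    """Return 'ascii', 'single-script' or 'mixed-script' for one label."""
    if label.isascii():
        return "ascii"
    return "single-script" if len(scripts_of(label)) <= 1 else "mixed-script"


def display_form(host, punycode_always=False):
    """Decide, label by label, whether to show Unicode or the ACE (xn--) form.

    Simplified model of a mixed-script restriction (not any browser's real
    algorithm): mixed-script labels always fall back to xn--; single-script
    labels are shown as Unicode unless punycode_always is set, the equivalent
    of the network.IDN_show_punycode setting mentioned in the thread.
    """
    shown = []
    for label in host.split("."):
        kind = classify(label)
        if kind == "ascii":
            shown.append(label)
        elif kind == "mixed-script" or punycode_always:
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown)


# Constructed samples: the demo lookalike (all Cyrillic), a Latin/Cyrillic mix
# like the "bank" example in the thread, and two ordinary single-script names.
SAMPLES = {
    "\u0430\u0440\u0440\u04cf\u0435.com": "single-script",  # аррӏе: passes the test
    "b\u0430nk.example": "mixed-script",                     # b, n, k Latin; а Cyrillic
    "b\u00fccher.example": "single-script",                  # bücher: Latin throughout
    "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444": "single-script",  # пример.рф
}

if __name__ == "__main__":
    for host, expected in SAMPLES.items():
        first = host.split(".")[0]
        print(f"{host!r:42} {classify(first):14} expected={expected}")
        print(f"    default: {display_form(host)}")
        print(f"    strict : {display_form(host, punycode_always=True)}")
```

The mixed-script rule is a reasonable default for the non-English users the article is about (пример.рф keeps its readable form) while still catching a half-Latin label, but as the first sample shows it says nothing about whole-script confusables; those need either the strict setting or a skeleton comparison against known names.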