Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scammers Abuse Multilingual Domain Names (bbc.com)

Posted by msmash on from the beware dept.

Cyber-criminals are abusing multilingual character sets to trick people into visiting phishing websites. BBC: The non-English characters allow scammers to create "lookalike" sites with domain names almost indistinguishable from legitimate ones. Farsight Security found scam sites posing as banks, loan advisers and children's brands Lego and Haribo. Smartphone users are at greater risk as small screens make lookalikes even harder to spot. The Farsight Security report looked at more than 100 million domain names that use non-English character sets -- introduced to make the net more familiar and usable for non-English speaking nations -- and found about 27% of them had been created by scammers. It also uncovered more than 8,000 separate characters that could be abused to confuse people.

Farsight founder Paul Vixie, who wrote much of the software underpinning the net's domain names told the BBC: "Any lower case letter can be represented by as many as 40 different variations."

15 of 129 comments (clear)

  1. Farsight Security by omnichad · · Score: 4, Funny

    small screens make lookalikes even harder to spot....Farsight Security

    Yes, this does sound like a job better suited for Nearsight.

    1. Re:Farsight Security by BronsCon · · Score: 4, Insightful

      Look more closely...

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. Unicode is a mess by Anonymous Coward · · Score: 5, Insightful

    Saw this coming years ago. Unicode assignment is a god awful mess, made worst now that nearly every single noun has an emoji version. Pity that we're probably stuck with it until the end of humanity.

    1. Re:Unicode is a mess by ShanghaiBill · · Score: 4, Interesting

      Saw this coming years ago.

      Indeed. The security ramifications were immediately pointed out by many people as soon as this idiotic proposal was made. But it went forward anyway so they could sell new domain names, and force legitimate companies to spend even more to buy up every possible permutation of their names.

      The only good solution now is for browsers to block these domains, or at least throw up a flashing SCAM warning whenever one is accessed.

    2. Re:Unicode is a mess by Anonymous Coward · · Score: 4, Interesting

      Somehow I get the feeling that unicode isn't the real problem.

      It seems oddly specific to allow companies to register their name as a domain but only if their name consists of a very limited number of characters.
      Even if we get rid of unicode we still have the problem with sans-serif fonts.
      slashdot.org and sIashdot.org can be hard to tell apart.
      If your response is that you can choose to use a serif font then you can also choose to use a font that shows unicode as boxes or use a browser that warns you when going to a domain that has odd letter in the name.

      One way to reduce the problem could have been to not have *.com or *.org addresses at all. Let everyone register their domains under whatever country they belong to. That way you can choose to not trust *.su addresses.

      The underlying problem seems to be that we put our trust in a name.
      Even without intentional name collisions for the purpose of scamming we still get unintentional name collisions with organizations that have the same name but in completely different fields. (Or similar fields but different regions.)

    3. Re:Unicode is a mess by Calydor · · Score: 5, Informative

      slashdot.org and sIashdot.org can be hard to tell apart.

      I actually had to copy that into Notepad to see what you did. Well played.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  3. Don't be stupid. by Anonymous Coward · · Score: 4, Insightful

    Safe use of the Internet requires digital "street smarts."

    One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding of the basics of how these things work make it obvious, and make safe browsing practices just as obvious.

    The industry has bent over backwards to grant access to swarms of people too stupid to be safe online.

    So, the scammers take them for all they are worth.

    Personally, I consider stupidity to be a vice (and largely a choice), so I don't have much sympathy for people who fall for this sort of thing.

  4. Unicode doesn't belong in a URL... by ELCouz · · Score: 3, Insightful

    Seriously...what they where thinking?!?!

    1. Re:Unicode doesn't belong in a URL... by darkain · · Score: 5, Insightful

      They were thinking that not the entire world is English speaking.

  5. It's not unicode - DNS uses punycode by FeelGood314 · · Score: 5, Informative

    DNS entries are ASCII. Punycode is a way to put unicode in ASCII in a way that is sort of mostly human readable. For an English speaker (AKA ASCII character users) always set your browser to display the raw punycode and not the unicode points. For the less technical but still English speaking you should be fine as long as you only visit sites with HTTPS. No reputable CA should be signing EV certs with punycode that looks like English words. Ones that do will quickly be removed from the browsers.

    For the non-English, you're f#@ked. Seriously. This was a good awful idea. We are going to return to an English only internet because everything else will be untrustable.

  6. Old news by sgunhouse · · Score: 3

    I remember this was a big deal - what, 10 years ago. Various desktop browsers implemented features to make the real URL of websites more obvious and then a variety of TLDs were certified as not allowing such domain name spoofing. Everything old is new again, huh?

    1. Re:Old news by mcswell · · Score: 3, Informative

      Right. Here's an article on the topic (and a solution) dated *2011*: https://www.symantec.com/conne.... Or read about it in the Wikipedia, with references going back to *2002*: https://en.wikipedia.org/wiki/....

      I would hazard a guess that every one of those "8,000 separate characters that could be abused to confuse people" has been known for a least a decade. News my eye.

  7. disable idn in your browser... by Anonymous Coward · · Score: 3, Informative

    in firefox's about:config page

    set network.IDN_show_punycode to true

    to force firefox always use the punycode, e.g:
    https://www.xn--80ak6aa92e.com...

    good write-up here (where the above example, which looks like 'www.apple.com' comes from):

    https://www.xudongz.com/blog/2...

  8. Dear browser makers by viperidaenz · · Score: 4, Insightful

    Give an option to disable the display of IDN's. Instead display the "Punycode" translation of the name.
    Better yet, default that for English and any other language that doesn't require non-ascii characters.

    1. Re:Dear browser makers by Anonymous Coward · · Score: 3, Informative

      In Firefox:

      1. about:config

      2. network.IDN_show_punycode set as "true"

      This will force the display of the “raw” punycode version of internationalized domain names, with the xn- prefix so it's obvious.

      http://kb.mozillazine.org/Network.IDN_show_punycode

      It's crazy to browse without setting this true, unless you want people to spoof homographic punycoded URLs in phising attacks on your browser.