Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT

Scammers Abuse Multilingual Domain Names (bbc.com) 129

Cyber-criminals are abusing multilingual character sets to trick people into visiting phishing websites. BBC: The non-English characters allow scammers to create "lookalike" sites with domain names almost indistinguishable from legitimate ones. Farsight Security found scam sites posing as banks, loan advisers and children's brands Lego and Haribo. Smartphone users are at greater risk as small screens make lookalikes even harder to spot. The Farsight Security report looked at more than 100 million domain names that use non-English character sets -- introduced to make the net more familiar and usable for non-English speaking nations -- and found about 27% of them had been created by scammers. It also uncovered more than 8,000 separate characters that could be abused to confuse people.

Farsight founder Paul Vixie, who wrote much of the software underpinning the net's domain names told the BBC: "Any lower case letter can be represented by as many as 40 different variations."

This discussion has been archived. No new comments can be posted.

Scammers Abuse Multilingual Domain Names

Comments Filter:
  • by omnichad ( 1198475 ) on Tuesday June 26, 2018 @08:16PM (#56851096) Homepage

    small screens make lookalikes even harder to spot....Farsight Security

    Yes, this does sound like a job better suited for Nearsight.

  • Unicode is a mess (Score:5, Insightful)

    by Anonymous Coward on Tuesday June 26, 2018 @08:22PM (#56851128)

    Saw this coming years ago. Unicode assignment is a god awful mess, made worst now that nearly every single noun has an emoji version. Pity that we're probably stuck with it until the end of humanity.

    • Re:Unicode is a mess (Score:5, Interesting)

      by ShanghaiBill ( 739463 ) on Tuesday June 26, 2018 @11:26PM (#56851636)

      Saw this coming years ago.

      Indeed. The security ramifications were immediately pointed out by many people as soon as this idiotic proposal was made. But it went forward anyway so they could sell new domain names, and force legitimate companies to spend even more to buy up every possible permutation of their names.

      The only good solution now is for browsers to block these domains, or at least throw up a flashing SCAM warning whenever one is accessed.

      • Re:Unicode is a mess (Score:4, Interesting)

        by Anonymous Coward on Wednesday June 27, 2018 @01:57AM (#56851914)

        Somehow I get the feeling that unicode isn't the real problem.

        It seems oddly specific to allow companies to register their name as a domain but only if their name consists of a very limited number of characters.
        Even if we get rid of unicode we still have the problem with sans-serif fonts.
        slashdot.org and sIashdot.org can be hard to tell apart.
        If your response is that you can choose to use a serif font then you can also choose to use a font that shows unicode as boxes or use a browser that warns you when going to a domain that has odd letter in the name.

        One way to reduce the problem could have been to not have *.com or *.org addresses at all. Let everyone register their domains under whatever country they belong to. That way you can choose to not trust *.su addresses.

        The underlying problem seems to be that we put our trust in a name.
        Even without intentional name collisions for the purpose of scamming we still get unintentional name collisions with organizations that have the same name but in completely different fields. (Or similar fields but different regions.)

        • Re:Unicode is a mess (Score:5, Informative)

          by Calydor ( 739835 ) on Wednesday June 27, 2018 @03:19AM (#56852090)

          slashdot.org and sIashdot.org can be hard to tell apart.

          I actually had to copy that into Notepad to see what you did. Well played.

        • Even if we get rid of unicode we still have the problem with sans-serif fonts. slashdot.org and sIashdot.org can be hard to tell apart.

          That's an understatement. Without a microscope, in this font 'l' (lowercase L) and 'I' (uppercase i) are indistinguishable.

        • Let everyone register their domains under whatever country they belong to.

          Why are you assuming that people have one country? My wife and I cover three nationalities and citizenships, and stepping out one degree of relationship further, the family covers five nationalities. I work in 7 countries on a regular basis, three of which would justify me using a .EU domain in addition to the national ones and, of course, .INT

          And I have an email address in goatse.cx - Christmas Island, in the Indian Ocean. Which I

      • by Calydor ( 739835 )

        Which means the browser makers need to constantly check for new permutations, otherwise they'll be throwing up so many SCAM warnings whenever you access a localized URL that people stop caring about the warnings, much how it happened with UAC.

        How is the browser supposed to know that when you go to bank.corn you actually do mean BANK.CORN and not BANK.COM?

      • by AmiMoJo ( 196126 )

        Most of the world doesn't speak English. It's unreasonable to expect them not to have domain names in their own language.

        The solution should be really simple. Just flag up when a domain name contains characters that are not in the user's selected language. The problem is that Unicode makes that rather difficult, because it's badly designed. It's possible, just unnecessarily hard.

        • by Megol ( 3135005 )

          That is a bad solution in the first place just giving false positives. Why should a Russian be warned when accessing slashdot for instance?

          The "no mixed scripts in a word" design suggested earlier in this sub-thread would cover most problems. Not allowing scammers to register obvious scam sites would fix most others.

      • or maybe flag the address if it has a mix of latin and non latin characters in the domain??

        possible text of warning "Please be advised that this address contains abnormal characters for your region please verify the spelling. [insert did you mean "%domain with all latin characters%" ??]

    • Comment removed based on user account deletion
    • by Megol ( 3135005 )

      Can't but agree. The emoji crap is just the flashing neon sign over the failed wreck.

  • Don't be stupid. (Score:4, Insightful)

    by Anonymous Coward on Tuesday June 26, 2018 @08:27PM (#56851138)

    Safe use of the Internet requires digital "street smarts."

    One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding of the basics of how these things work make it obvious, and make safe browsing practices just as obvious.

    The industry has bent over backwards to grant access to swarms of people too stupid to be safe online.

    So, the scammers take them for all they are worth.

    Personally, I consider stupidity to be a vice (and largely a choice), so I don't have much sympathy for people who fall for this sort of thing.

    • by AvitarX ( 172628 )

      What really frustrates me is that my bank uses "secure" messages.

      It requires me to download an HTML file, open it, and then login to a not my bank website.

      Except, my bank has a message system right in their main website (I assume the loans are actually written by a different company). So every customer that applies for a loan is being taught bad email behavior, and using a less secure system (my bank makes efforts to make sure I know it's them (click on the correct image of a few shown to login, if the corr

      • I refuse to do any banking over the Internet. If I need to know a balance I go to an ATM or a real human teller. I get printed statements every month in the mail.

        Anybody can refuse web banking. It's not difficult.

        • by AvitarX ( 172628 )

          True, I could use faxes instead of email, or snail mail.

          Or pay extra interest and not shop around as much on a mortgage.

          I'm unconvinced that faxes through a third party (that I'm sure go to the banks email system) or snail mail are more secure than my bank account's website, it's not like identity theft from mail has never happened.

          I'm pretty content with my bank's security, it's the separate website that I don't even think is them that requires downloading an HTML file for secure messages that frustrates m

        • I refuse to do any banking over the Internet. If I need to know a balance I go to an ATM or a real human teller. I get printed statements every month in the mail.

          Anybody can refuse web banking. It's not difficult.

          Not sure if you include "credit card payments" here but it's becoming impossible to use the internet without a credit card and an email address. Trusting trust --if you want to have some kind of paypal account then you need to provide a credit card (or a bank account IIRC --and there's no offline way of populating that, so you're effectively doing banking by proxy)

          But I digress. The reason I replied was to remind you that no matter what you do, your information will be leaked --if it's not YOU, it will be o

    • One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding of the basics of how these things work make it obvious, and make safe browsing practices just as obvious.

      Not always as obvious. If some company you are connected to, also those who should be concerned with security, sends a text/plain e-mail with a URL for you to copy and paste, it should be fine, right? But how can I be sure that not some employer of the company has copied a look-alike phishing URL from Twitter or wherever into the e-mail?

      I agree that almost all kinds of scams are easy to be detected by anyone with "digital street smarts", but in some cases, like Unicode URLs from the article, it is not obv

    • Many scams involve not only stupidity on the scammee's side, but also greed and dishonesty. The classical Nigerian scam is a good example - to fall for it you have to stupid, greedy and dishonest, all at the same time. It amazes me that so many who fall for that kind of scam are not utterly embarrassed to report it to the police. Well, I seem to recall that main characteristic of Jordan Belfort, the so-called Wolf of Wall Street, is his complete and absolute lack of shame.
  • by ELCouz ( 1338259 ) on Tuesday June 26, 2018 @08:35PM (#56851164)
    Seriously...what they where thinking?!?!
    • by darkain ( 749283 ) on Tuesday June 26, 2018 @09:53PM (#56851366) Homepage

      They were thinking that not the entire world is English speaking.

      • People got along just fine with ASCII back in the days. Unicode is asking for trouble in a URL.
        • People got along just fine with ASCII back in the days.

          Yeah. I look around at American English speakers and see that ASCII was just fine, so what was the problem?

          Yes I am mocking your ignorance. People did NOT get along just fine in the ASCII days. Simply using a computer was an incredibly painful event for those not using the Latin alphabet. Hell it was a problem for those using derivations of the Latin alphabet that weren't uniquely English.

          • You are aware I am talking about the URL and not the page text ....right? If you could get off your high horse once in a while you would see using unicode / punycodes in a URL are a mess. I use latin characters the time.
            • Indeed. Now feel free to translate all the companies you know into a foreign language you can't understand and into a keyboard with which you're not used to typing.

              Just because you're talking about a subset of computing doesn't make it any less of a distinction without a difference.

        • Comment removed based on user account deletion
          • If you can't read my OP title and reply accordingly. You are a truly retarded troll. Internet was invented with ASCII in mind.
          • People got along just fine before the USofA existed and before English was even spoken as well. So what is your point?

            So we should adopt Nordic runes Egyptian hieroglyphs then? The point is that we need to adopt some character set for URLs and the Latin character set is the best candidate - better than Unicode. As someone else said, we are talking about the name of the URL, not the content of the page. I'm fine with eg Japanese readers reading Japanese literature in Japanese characters.

            But you will find that Japanese who are using the Web are quite capable of recognising Latin characters well enough to recognise an URL t

          • Ook ook grok tok!

      • by AmiMoJo ( 196126 )

        And that domain names should not be used for authentication. If you want microsoft.com you don't visually inspect the address bar, you validate the certificate with a trusted issuer.

    • by Megol ( 3135005 )

      Most of the world doesn't speak English, why do you think something that was international from the beginning (the web - not ARPANET) should be limited to English?

      Idiotic crap.

  • by Anonymous Coward

    Browsers should have you choose a language and not allow sites in other languages (in the url) by default. You go in somewhere and say allow everything or populate a list of acceptable languages. It should at least give a popup.

    • by AHuxley ( 892839 )
      Think of the fun of sites with users from approved 5 eye nations and Ireland.
      The net would be great again.
      Less EU user backtalk. A pop up to guide EU users back to EU approved Francophone sites.
  • by FeelGood314 ( 2516288 ) on Tuesday June 26, 2018 @09:48PM (#56851348)
    DNS entries are ASCII. Punycode is a way to put unicode in ASCII in a way that is sort of mostly human readable. For an English speaker (AKA ASCII character users) always set your browser to display the raw punycode and not the unicode points. For the less technical but still English speaking you should be fine as long as you only visit sites with HTTPS. No reputable CA should be signing EV certs with punycode that looks like English words. Ones that do will quickly be removed from the browsers.

    For the non-English, you're f#@ked. Seriously. This was a good awful idea. We are going to return to an English only internet because everything else will be untrustable.
    • No reputable CA should be signing EV certs with punycode that looks like English words.

      Let's Encrypt will happily do it. Because certs only validate that you're connecting to a server linked to the same people that own the domain. And unless you want to teach people which CAs to trust and which ones to be unsure about, this is not the answer.

      • Let's Encrypt will happily do it.

        Lets Encrypt does not and will not issue EV certificates.

        • Missed two letters. Average end user doesn't even notice when a major site isn't EV, so it makes little difference.

          • Average end user doesn't even notice when a major site isn't EV

            It is literally the difference between a greenlock, and half the URL bar lit up in bright green displaying the full registered company name.

            It is a far more obvious change than an s in the URL, or a tiny colour. In some browsers an EV certificate will replace the entire URL. This is about the most obvious thing available in terms of informing users about encryption that we have come up with. Users have historically taken on the in retrospect incorrect advice of looking for the encryption lock leading to fra

    • by dargaud ( 518470 )

      always set your browser to display the raw punycode and not the unicode points

      Is that "network.IDN_show_punycode" in the about:config of Firefox ?

    • For the less technical but still English speaking you should be fine as long as you only visit sites with HTTPS. No reputable CA should be signing EV certs

      Okay stop right there. Is that advice there? Do you go tell your grandma that HTTPS is safe? I think what you meant to say is that you should examine the EV certificate of every site you want to hand credentials to.

      I just realised... are we even on Slashdot or is some MITMer stealing my Slashdot login on this fraudulent lookalike site?

  • by sgunhouse ( 1050564 ) on Tuesday June 26, 2018 @09:50PM (#56851352)
    I remember this was a big deal - what, 10 years ago. Various desktop browsers implemented features to make the real URL of websites more obvious and then a variety of TLDs were certified as not allowing such domain name spoofing. Everything old is new again, huh?
    • Re:Old news (Score:4, Informative)

      by mcswell ( 1102107 ) on Tuesday June 26, 2018 @10:38PM (#56851478)

      Right. Here's an article on the topic (and a solution) dated *2011*: https://www.symantec.com/conne... [symantec.com]. Or read about it in the Wikipedia, with references going back to *2002*: https://en.wikipedia.org/wiki/... [wikipedia.org].

      I would hazard a guess that every one of those "8,000 separate characters that could be abused to confuse people" has been known for a least a decade. News my eye.

  • by Trogre ( 513942 ) on Tuesday June 26, 2018 @10:04PM (#56851398) Homepage

    Never saw that coming.

    Not at all.

  • by Anonymous Coward on Tuesday June 26, 2018 @10:21PM (#56851446)

    in firefox's about:config page

    set network.IDN_show_punycode to true

    to force firefox always use the punycode, e.g:
    https://www.xn--80ak6aa92e.com... [xn--80ak6aa92e.com]

    good write-up here (where the above example, which looks like 'www.apple.com' comes from):

    https://www.xudongz.com/blog/2... [xudongz.com]

  • by v1 ( 525388 )

    "Any lower case letter can be represented by as many as 40 different variations."

    Mixing upper and lower thresholds in one sentence - please stop doing that. That's just like "Save up to 95% on select in-store items!" It's completely meaningless other than to attempt to grab attention. It's just abusing a typically small number of outliers to suggest a much broader fact.

  • by viperidaenz ( 2515578 ) on Tuesday June 26, 2018 @10:27PM (#56851458)

    Give an option to disable the display of IDN's. Instead display the "Punycode" translation of the name.
    Better yet, default that for English and any other language that doesn't require non-ascii characters.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      In Firefox:

      1. about:config

      2. network.IDN_show_punycode set as "true"

      This will force the display of the “raw” punycode version of internationalized domain names, with the xn- prefix so it's obvious.

      http://kb.mozillazine.org/Network.IDN_show_punycode

      It's crazy to browse without setting this true, unless you want people to spoof homographic punycoded URLs in phising attacks on your browser.

  • I can understand the logic behind adding support for characters that weren't necessarily a priority back when the internet was a DARPA and some mostly anglophome universities project; but are there any non-scam/amusing novelty use cases for mixed alphabet domain names?

    I ask in sincere curiosity. With the possible exception of non-latin alphabets used alongsiide hindu-arabic numerals; I can't think of any situations where a human natural language is written such that it would use domain nes that are a mixture of multiple alphabets from a Unicode perspective(and, if there were such a language, it would arguably be on Unicode to fix that by assigning the necessary codepoints to the alphabet currently being cobbled together out of several: since Unicode is about glyphs rather than fonts the fact that the same symbol is used doesn't make it the same thing for Unicode purposes, as with all the Greek letters that get one codepoint as mathematical symbols and another as Greek letters, or the visually identical overlaps between Latin and Cyrillic that get coded as completely distinct things because they are.); but what I don't know about linguistics and contemporary natural language usage is very much not an impressive arguement.

    Are there any legitimate/expected use cases; or should a domain name cobbled together from multiple alphabets be treated as deeply suspicious in essentially all cases?
  • Been going on for quite awhile, hasn't it?
  • See the uproar over the {U+0262}oogle.com domain a couple of years ago. The merry Russian prankster doing that was just playing "Hey! Look what I did! Ha Ha Ha!" with it, whoever he could get to click on it, but it was certainly obvious then that it could be used for nefarious purposes.

If you steal from one author it's plagiarism; if you steal from many it's research. -- Wilson Mizner

Working...