Scammers Abuse Multilingual Domain Names (bbc.com)
Cyber-criminals are abusing multilingual character sets to trick people into visiting phishing websites. BBC: The non-English characters allow scammers to create "lookalike" sites with domain names almost indistinguishable from legitimate ones. Farsight Security found scam sites posing as banks, loan advisers and children's brands Lego and Haribo.
Smartphone users are at greater risk as small screens make lookalikes even harder to spot. The Farsight Security report looked at more than 100 million domain names that use non-English character sets -- introduced to make the net more familiar and usable for non-English speaking nations -- and found about 27% of them had been created by scammers. It also uncovered more than 8,000 separate characters that could be abused to confuse people.
Farsight founder Paul Vixie, who wrote much of the software underpinning the net's domain names, told the BBC: "Any lower case letter can be represented by as many as 40 different variations."
Farsight Security (Score:5, Funny)
small screens make lookalikes even harder to spot....Farsight Security
Yes, this does sound like a job better suited for Nearsight.
Re: (Score:1)
Hindsight?
Re: (Score:1)
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Off-topic I know, but what does "APK" stand for?
Re: (Score:2)
Why is some AC being taken in by a poseur?
ProTip/1: If you see *two* UIDs next to someone's name, it's a pretty good bet that one of them is fake.
ProTip/2: If you don't see a /. icon next to the poster's name, the poster is not a Slashdot employee.
Also, one can easily determine that the real BeauHD's UID is 4450103 [slashdot.org].
Unicode is a mess (Score:5, Insightful)
Saw this coming years ago. Unicode assignment is a god awful mess, made worse now that nearly every single noun has an emoji version. Pity that we're probably stuck with it until the end of humanity.
Re:Unicode is a mess (Score:5, Interesting)
Saw this coming years ago.
Indeed. The security ramifications were immediately pointed out by many people as soon as this idiotic proposal was made. But it went forward anyway so they could sell new domain names, and force legitimate companies to spend even more to buy up every possible permutation of their names.
The only good solution now is for browsers to block these domains, or at least throw up a flashing SCAM warning whenever one is accessed.
Re:Unicode is a mess (Score:4, Interesting)
Somehow I get the feeling that unicode isn't the real problem.
It seems oddly specific to allow companies to register their name as a domain but only if their name consists of a very limited number of characters.
Even if we get rid of unicode we still have the problem with sans-serif fonts.
slashdot.org and sIashdot.org can be hard to tell apart.
If your response is that you can choose to use a serif font, then you can also choose to use a font that shows unicode as boxes, or use a browser that warns you when going to a domain that has odd letters in the name.
One way to reduce the problem could have been to not have *.com or *.org addresses at all. Let everyone register their domains under whatever country they belong to. That way you can choose to not trust *.su addresses.
The underlying problem seems to be that we put our trust in a name.
Even without intentional name collisions for the purpose of scamming we still get unintentional name collisions with organizations that have the same name but in completely different fields. (Or similar fields but different regions.)
Re:Unicode is a mess (Score:5, Informative)
slashdot.org and sIashdot.org can be hard to tell apart.
I actually had to copy that into Notepad to see what you did. Well played.
Re: (Score:2)
Even if we get rid of unicode we still have the problem with sans-serif fonts. slashdot.org and sIashdot.org can be hard to tell apart.
That's an understatement. Without a microscope, in this font 'l' (lowercase L) and 'I' (uppercase i) are indistinguishable.
Microsoft fixed this (Score:2)
I use their font Verdana where possible -- the letters all look different.
The lI is bullshit that every font designer believes in.
Re: (Score:2)
Why are you assuming that people have one country? My wife and I cover three nationalities and citizenships, and stepping out one degree of relationship further, the family covers five nationalities. I work in 7 countries on a regular basis, three of which would justify me using a .EU domain in addition to the national ones and, of course, .INT
And I have an email address in goatse.cx - Christmas Island, in the Indian Ocean. Which I
Re: (Score:2)
Which means the browser makers need to constantly check for new permutations, otherwise they'll be throwing up so many SCAM warnings whenever you access a localized URL that people stop caring about the warnings, much like how it happened with UAC.
How is the browser supposed to know that when you go to bank.corn you actually do mean BANK.CORN and not BANK.COM?
Re: (Score:2)
Most of the world doesn't speak English. It's unreasonable to expect them not to have domain names in their own language.
The solution should be really simple. Just flag up when a domain name contains characters that are not in the user's selected language. The problem is that Unicode makes that rather difficult, because it's badly designed. It's possible, just unnecessarily hard.
Re: (Score:2)
That is a bad solution in the first place just giving false positives. Why should a Russian be warned when accessing slashdot for instance?
The "no mixed scripts in a word" design suggested earlier in this sub-thread would cover most problems. Not allowing scammers to register obvious scam sites would fix most others.
Re: (Score:2)
Or maybe flag the address if it has a mix of Latin and non-Latin characters in the domain?
Possible text of warning: "Please be advised that this address contains abnormal characters for your region; please verify the spelling. [insert: did you mean "%domain with all latin characters%"?]"
Re: (Score:2)
Can't but agree. The emoji crap is just the flashing neon sign over the failed wreck.
Don't be stupid. (Score:4, Insightful)
Safe use of the Internet requires digital "street smarts."
One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding the basics of how these things work makes it obvious, and makes safe browsing practices just as obvious.
The industry has bent over backwards to grant access to swarms of people too stupid to be safe online.
So, the scammers take them for all they are worth.
Personally, I consider stupidity to be a vice (and largely a choice), so I don't have much sympathy for people who fall for this sort of thing.
Re: (Score:2)
What really frustrates me is that my bank uses "secure" messages.
It requires me to download an HTML file, open it, and then log in to a not-my-bank website.
Except, my bank has a message system right in their main website (I assume the loans are actually written by a different company). So every customer that applies for a loan is being taught bad email behavior, and using a less secure system (my bank makes efforts to make sure I know it's them (click on the correct image of a few shown to login, if the corr
Re: Don't be stupid. (Score:1)
I refuse to do any banking over the Internet. If I need to know a balance I go to an ATM or a real human teller. I get printed statements every month in the mail.
Anybody can refuse web banking. It's not difficult.
Re: (Score:1)
True, I could use faxes instead of email, or snail mail.
Or pay extra interest and not shop around as much on a mortgage.
I'm unconvinced that faxes through a third party (that I'm sure go to the bank's email system) or snail mail are more secure than my bank account's website; it's not like identity theft from mail has never happened.
I'm pretty content with my bank's security, it's the separate website that I don't even think is them that requires downloading an HTML file for secure messages that frustrates m
Re: (Score:2)
I refuse to do any banking over the Internet. If I need to know a balance I go to an ATM or a real human teller. I get printed statements every month in the mail.
Anybody can refuse web banking. It's not difficult.
Not sure if you include "credit card payments" here but it's becoming impossible to use the internet without a credit card and an email address. Trusting trust --if you want to have some kind of paypal account then you need to provide a credit card (or a bank account IIRC --and there's no offline way of populating that, so you're effectively doing banking by proxy)
But I digress. The reason I replied was to remind you that no matter what you do, your information will be leaked --if it's not YOU, it will be o
Re: (Score:2)
One should not need to be told that it is unsafe to click links in emails, or that virus scanners don't alert you via popups on a web page. Understanding the basics of how these things work makes it obvious, and makes safe browsing practices just as obvious.
Not always as obvious. If some company you are connected to, also those who should be concerned with security, sends a text/plain e-mail with a URL for you to copy and paste, it should be fine, right? But how can I be sure that some employee of the company hasn't copied a look-alike phishing URL from Twitter or wherever into the e-mail?
I agree that almost all kinds of scams are easy to be detected by anyone with "digital street smarts", but in some cases, like Unicode URLs from the article, it is not obv
Re: (Score:2)
Most of the scammed ARE embarrassed to go to the police, actually. For every one you hear in the news, there are probably dozens of people who simply walked away after losing thousands of dollars in one of the many scams.
Heck, some of them who go to the police make up a story to go along with it. Just last week, a woman claimed to receive a call from the CRA (Canada Revenue Agency, aka the Canadian [www.cbc.ca]
Unicode doesn't belong in a URL... (Score:4, Insightful)
Re:Unicode doesn't belong in a URL... (Score:5, Insightful)
They were thinking that not the entire world is English speaking.
Re: (Score:2)
People got along just fine with ASCII back in the days.
Yeah. I look around at American English speakers and see that ASCII was just fine, so what was the problem?
Yes, I am mocking your ignorance. People did NOT get along just fine in the ASCII days. Simply using a computer was an incredibly painful event for those not using the Latin alphabet. Hell, it was a problem for those using derivations of the Latin alphabet that weren't uniquely English.
Re: (Score:2)
Indeed. Now feel free to translate all the companies you know into a foreign language you can't understand and into a keyboard with which you're not used to typing.
Just because you're talking about a subset of computing doesn't make it any less of a distinction without a difference.
Re: (Score:2)
People got along just fine before the USofA existed and before English was even spoken as well. So what is your point?
So we should adopt Nordic runes or Egyptian hieroglyphs then? The point is that we need to adopt some character set for URLs, and the Latin character set is the best candidate - better than Unicode. As someone else said, we are talking about the name of the URL, not the content of the page. I'm fine with, e.g., Japanese readers reading Japanese literature in Japanese characters.
But you will find that Japanese who are using the Web are quite capable of recognising Latin characters well enough to recognise an URL t
Re: (Score:2)
Ook ook grok tok!
Re: (Score:2)
And that domain names should not be used for authentication. If you want microsoft.com you don't visually inspect the address bar, you validate the certificate with a trusted issuer.
Re: (Score:2)
But would anyone be able to get a certificate with a look-alike domain name signed to the name "Microsoft Corp." or similar?
Re: (Score:2)
Anyone can get a cert issued to whoever they want as long as they control the domain (web serving, DNS or email).
Extended validation certs not so much. But I would think a scammer could get an EV cert issued to something that looks convincingly similar, too.
Re: (Score:2)
Company names are generally transliterated: Hyundai, Samsung, Toyota, ...
You provide additional evidence that you really don't know much about languages or writing systems, but I need to get some work done today, so I'll leave spotting those to the interested and discerning reader.
Re: (Score:2)
Transliteration is fine, but I can't find Peking or Bombay on a map any more!
Re: (Score:2)
Let's return to ASCII-only URLs and have the browsers display the subdomain, domain name and the TLD in uppercase and have them use a constant font across all platforms that makes it impossible to mistake an uppercase letter "O" with the number "0" (zero).
Re: (Score:2)
Most of the world doesn't speak English, why do you think something that was international from the beginning (the web - not ARPANET) should be limited to English?
Idiotic crap.
Re: (Score:2)
That 1 looks like I ?
Re: (Score:2)
Well, the old farts put the identical-looking characters into the set to be used for domain names.
How the fuck are you supposed to even know that? I mean for non-techies, and even techies.
I mean, Microsoft.com is easy enough to tell from Mlcrosoft.com. But if it looks the same, how would you know? You're not going to be hand-writing every hyperlink again now, are you?
why is there not a setting. (Score:2, Interesting)
Browsers should have you choose a language and not allow sites in other languages (in the url) by default. You go in somewhere and say allow everything or populate a list of acceptable languages. It should at least give a popup.
Re: (Score:1)
The net would be great again.
Less EU user backtalk. A pop up to guide EU users back to EU approved Francophone sites.
It's not unicode - DNS uses punycode (Score:5, Informative)
For the non-English, you're f#@ked. Seriously. This was a god awful idea. We are going to return to an English-only internet because everything else will be untrustable.
Re: (Score:1)
Parent link will help you know if you need to change your punycode setting.
Firefox users: If your mouse-over shows the look of disapproval emoticon, then you can go to your about:config and change network.IDN_show_punycode to true.
p.s. Sorry Chrome users, I don't know what you need to do. Maybe someone else can post the answer for Chrome?
Re: (Score:1)
Older versions displayed slashdot.org [xn--sashdot-9hb.org] as IDN, newer versions only punycode. (I wasn't able to get the U+013C LATIN SMALL LETTER L WITH CEDILLA [decodeunicode.org] character through the comment system.)
And .org domains have stricter registry rules than .com, for example, but there are risky domains even in the .org namespace.
You can play on dom.****.com [xn--enea.com] with some tlds and allowed scripts.
Re: (Score:1)
No reputable CA should be signing EV certs with punycode that looks like English words.
Let's Encrypt will happily do it. Because certs only validate that you're connecting to a server linked to the same people that own the domain. And unless you want to teach people which CAs to trust and which ones to be unsure about, this is not the answer.
Re: (Score:2)
They are no less trustworthy than any other registrar offering domain verified certificates. Given the short lifespan of the certs, they're slightly more secure.
Re: (Score:2)
Let's Encrypt will happily do it.
Let's Encrypt does not and will not issue EV certificates.
Re: (Score:2)
Missed two letters. Average end user doesn't even notice when a major site isn't EV, so it makes little difference.
Re: (Score:2)
Average end user doesn't even notice when a major site isn't EV
It is literally the difference between a green lock, and half the URL bar lit up in bright green displaying the full registered company name.
It is a far more obvious change than an s in the URL, or a tiny colour. In some browsers an EV certificate will replace the entire URL. This is about the most obvious thing available in terms of informing users about encryption that we have come up with. Users have historically taken on the in retrospect incorrect advice of looking for the encryption lock leading to fra
Re: (Score:2)
always set your browser to display the raw punycode and not the unicode points
Is that "network.IDN_show_punycode" in the about:config of Firefox ?
Re: (Score:2)
For the less technical but still English speaking you should be fine as long as you only visit sites with HTTPS. No reputable CA should be signing EV certs
Okay stop right there. Is that advice there? Do you go tell your grandma that HTTPS is safe? I think what you meant to say is that you should examine the EV certificate of every site you want to hand credentials to.
I just realised... are we even on Slashdot or is some MITMer stealing my Slashdot login on this fraudulent lookalike site?
Old news (Score:4)
Re:Old news (Score:4, Informative)
Right. Here's an article on the topic (and a solution) dated *2011*: https://www.symantec.com/conne... [symantec.com]. Or read about it in the Wikipedia, with references going back to *2002*: https://en.wikipedia.org/wiki/... [wikipedia.org].
I would hazard a guess that every one of those "8,000 separate characters that could be abused to confuse people" has been known for at least a decade. News my eye.
Re: (Score:2)
You cannot have a browser that doesn't leak memory because of the complexity of "the DOM". Websites are insecurable because of the way html is written and driven.
Abandoning XHTML for html5 (anything goes edition) was maybe the worst move in w3c history. And I'm saying that as someone who doesn't really like XML.
Wasn't really W3C's choice to make (Score:2)
W3C didn't really have much choice in the matter. They rejected the two proposals that were later merged to become HTML5. The browser vendors and others went off and formed WHATWG to develop HTML5, saying they would not implement XHTML 2.0.
The mistake, or lack of foresight, was made much earlier, in the design of XHTML 1.0. That required a rewrite that wasn't backward compatible, XHTML 2.0, which didn't meet the needs of the way the web was evolving.
Yup (Score:3)
Never saw that coming.
Not at all.
Re: (Score:3)
I googled how to disable IDN in browsers and it returned an article from 2005 about Firefox disabling support for IDN due to phishing concerns.
https://news.netcraft.com/arch... [netcraft.com]
Netcraft confirmed it.
disable idn in your browser... (Score:3, Informative)
In Firefox's about:config page,
set network.IDN_show_punycode to true
to force Firefox to always use the punycode, e.g.:
https://www.xn--80ak6aa92e.com... [xn--80ak6aa92e.com]
good write-up here (where the above example, which looks like 'www.apple.com' comes from):
https://www.xudongz.com/blog/2... [xudongz.com]
"any" (Score:2)
Mixing upper and lower thresholds in one sentence - please stop doing that. That's just like "Save up to 95% on select in-store items!" It's completely meaningless other than to attempt to grab attention. It's just abusing a typically small number of outliers to suggest a much broader fact.
Dear browser makers (Score:5, Insightful)
Give an option to disable the display of IDNs. Instead display the "Punycode" translation of the name.
Better yet, make that the default for English and any other language that doesn't require non-ASCII characters.
Re: (Score:3, Informative)
In Firefox:
1. about:config
2. network.IDN_show_punycode set as "true"
This will force the display of the "raw" punycode version of internationalized domain names, with the xn-- prefix so it's obvious.
http://kb.mozillazine.org/Network.IDN_show_punycode
It's crazy to browse without setting this to true, unless you want people to spoof homographic punycoded URLs in phishing attacks on your browser.
Is there a use case for mixed-alphabet domains? (Score:3)
I ask in sincere curiosity. With the possible exception of non-Latin alphabets used alongside Hindu-Arabic numerals, I can't think of any situations where a human natural language is written such that it would use domain names that are a mixture of multiple alphabets from a Unicode perspective (and, if there were such a language, it would arguably be on Unicode to fix that by assigning the necessary codepoints to the alphabet currently being cobbled together out of several: since Unicode is about glyphs rather than fonts, the fact that the same symbol is used doesn't make it the same thing for Unicode purposes, as with all the Greek letters that get one codepoint as mathematical symbols and another as Greek letters, or the visually identical overlaps between Latin and Cyrillic that get coded as completely distinct things because they are); but what I don't know about linguistics and contemporary natural language usage is very much not an impressive argument.
Are there any legitimate/expected use cases; or should a domain name cobbled together from multiple alphabets be treated as deeply suspicious in essentially all cases?
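A defender-side check for the mixed-alphabet question above and for the "flag characters outside the user's language" idea from the Unicode thread earlier on this page, as an added example (not code from any commenter, from Farsight, or from a browser vendor). It decodes xn-- labels with Python's punycode codec, derives each character's script from the first word of its Unicode name (an approximation), and treats a few script combinations as legitimate following the restrictive profile of Unicode TR39 (an assumption); the hostnames are constructed samples, one of them the Cyrillic apple lookalike cited later in the thread.

```python
import unicodedata

# Script combinations that legitimately appear inside one label
# (assumption: the "highly restrictive" profile of Unicode TR39).
ALLOWED_MIXES = [
    {"CJK", "HIRAGANA", "KATAKANA"},   # Japanese
    {"CJK", "HANGUL"},                 # Korean
    {"CJK", "BOPOMOFO"},               # Chinese
]

VERDICT_ORDER = ["ascii", "ok", "foreign-script", "mixed-script"]


def decode_label(label):
    """Return one DNS label as Unicode; 'xn--' labels carry punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode
    name, e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    if ch.isdigit() or ch == "-":
        return "COMMON"                # digits and hyphen belong to any script
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ")[0].split("-")[0]


def label_scripts(text):
    """Set of scripts used in a label, ignoring script-neutral characters."""
    return {script_of(c) for c in text} - {"COMMON"}


def assess_hostname(host, expected=frozenset({"LATIN"})):
    """One finding per label: decoded text, scripts and a verdict.

    'expected' is the set of scripts the user reads, so a Russian user passing
    {"CYRILLIC"} is not warned about an all-Cyrillic label, and pure ASCII
    labels are never flagged for anyone (no false positive on slashdot.org)."""
    findings = []
    for raw in host.rstrip(".").split("."):
        text = decode_label(raw)
        scripts = label_scripts(text)
        if text.isascii():
            verdict = "ascii"
        elif len(scripts) > 1 and not any(scripts <= m for m in ALLOWED_MIXES):
            verdict = "mixed-script"    # e.g. a Latin word with one Cyrillic letter
        elif not scripts <= set(expected):
            verdict = "foreign-script"  # readable, but not a script the user expects
        else:
            verdict = "ok"              # single expected script (may still be a
                                        # whole-script lookalike, see note below)
        findings.append({"label": raw, "text": text,
                         "scripts": scripts, "verdict": verdict})
    return findings


def worst_verdict(host, expected=frozenset({"LATIN"})):
    """Most severe verdict across all labels of a hostname."""
    return max((f["verdict"] for f in assess_hostname(host, expected)),
               key=VERDICT_ORDER.index)


if __name__ == "__main__":
    # Constructed samples: plain ASCII, the Cyrillic apple lookalike,
    # a one-letter Cyrillic substitution, and a Japanese mixed-script label.
    for host in ["slashdot.org", "xn--80ak6aa92e.com", "p\u0430ypal.com",
                 "\u65e5\u672c\u8a9e\u30c9\u30e1\u30a4\u30f3.jp"]:
        for f in assess_hostname(host):
            print(host, f["text"], sorted(f["scripts"]), f["verdict"])
```

A label written entirely in one script, like the decoded xn--80ak6aa92e, passes the mixed-script rule for a user whose expected script is Cyrillic, which is why the punycode display setting recommended elsewhere in the thread still earns its keep.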
Not exactly new news. (Score:2)
See the uproar over the {U+0262}oogle.com domain a couple of years ago. The merry Russian prankster doing that was just playing "Hey! Look what I did! Ha Ha Ha!" with it, whoever he could get to click on it, but it was certainly obvious then that it could be used for nefarious purposes.