Saturday, January 2, 2010

Non-Latin Character Website Domain Addresses Could Become a Serious Phishing Problem

ICANN's decision to allow non-Latin characters in website domain names could become a serious phishing hazard. The problem lies in how different scripts are rendered in browsers: certain combinations of letters from other scripts can look like a plain English domain name. Clicking a link could take you to a site whose domain name appears to be PayPal but is actually a phishing site designed to steal your username and password. There is a way to protect yourself even if you are not 'tech-savvy': type the domain name in manually rather than relying on a link to get you there. This holds true even if the link comes from someone you trust, because hackers/phishers often use compromised accounts to attack that person's friends and family.

"The Times Online article uses PayPal — already a frequent phishing target — as an example.

If the domain, created using Cyrillic scripts “” was registered, the way that Unicode-browsers will actually render that domain in Latin is as “” In theory, phishers could pass around that link and set up a fake version of the PayPal site to harvest logins and credit card data.

I’ve made this graphic for even better illustration:

Pretty scary, no? As of right now, ICANN hasn’t instituted any policies of trying to protect these kinds of situations, meaning it might be that much more difficult for even normally cautious users to avoid being scammed. Of course, a certain amount of the success of these scams is determined by how well different mail and browsing programs handle Unicode. However, most modern browsers and operating systems have strong Unicode support, which makes deciphering the differences that much more difficult."
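A way to check a link's domain for the lookalike problem described above, as an added example (not from this post or the quoted article): it reports the Punycode form that DNS actually sees and flags labels that mix scripts or imitate a protected name. The `LOOKALIKES` table, the `protected` list and the sample domains are constructed for illustration; script detection from Unicode character names is an approximation.

```python
import unicodedata

# Small illustrative subset of Cyrillic letters that render like Latin ones
# (an assumption for this example; Unicode's confusables data in UTS #39 is the full source).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
              "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j"}

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_ascii(label):
    """Return the form sent to DNS: Punycode with the xn-- prefix for non-ASCII labels."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def skeleton(label):
    """Replace known lookalikes with the Latin letter they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)

def analyze(domain, protected=("paypal",)):
    """Flag labels that mix scripts or imitate a protected Latin name."""
    findings = []
    for label in domain.lower().split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        reasons = []
        if len(scripts) > 1:
            reasons.append("mixed-script")
        if not label.isascii() and skeleton(label) in protected:
            reasons.append("imitates:" + skeleton(label))
        if reasons:
            findings.append({"label": label, "ascii": to_ascii(label),
                             "scripts": sorted(scripts), "reasons": reasons})
    return findings

# Constructed samples, written with escapes because the lookalikes are invisible
# in source: five Cyrillic letters + Latin "l"; one Cyrillic "a"; the real name.
SAMPLES = ["\u0440\u0430\u0443\u0440\u0430l.com", "p\u0430ypal.com", "paypal.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(ascii(d), analyze(d) or "ok")
```

The `ascii` field is what a mail filter or proxy log would record, so matching on the `xn--` prefix there is a cheap first-pass signal even when the rendered name looks ordinary.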

