What website are you really on?
You might not be on the website you think you’re on. How could URL spoofing lead to phishing attacks that compromise a business’s network security?
The little green padlock next to the URL in a web browser has been a quick and easy feature to double check that a site is secure and reliable – or so most people thought. A proof of concept created by web developer Xudong Zheng shows how the website you’re on might not be the one you think.
Chrome, Firefox, and Opera users vulnerable to Unicode domain phishing attacks https://t.co/LVRoImixXf (via @DMBisson) pic.twitter.com/9uNHlNv1t9
Graham Cluley (@gcluley) April 18, 2017
If you navigate to Zheng’s fake website and look at the URL, you’ll likely see all the hallmarks of a legitimate page: the padlock, an https address and a notification assuring you that everything is on the up and up. Look at the page itself, and you’ll know right away you’re not really on the Apple website. This is an example of a particularly sneaky cyberattack strategy – URL spoofing.
Fortunately, that page is trying to illustrate a vulnerability, not take advantage of it. What is that vulnerability, and what does it mean for business network security?
How URL spoofing works
A cyberattacker could register a domain that looks identical to a legitimate one and host a malicious website on it.
Essentially, this sort of fake website takes advantage of punycode, a method for encoding domain names that use characters from non-Latin alphabets, such as Cyrillic, so that the domain name system can handle them. The Latin ‘a’ and Cyrillic ‘а’ might look the same to the human eye, but they are completely different under the surface: they are the Unicode code points U+0061 and U+0430, respectively. Punycode preserves that difference in the encoded name, while the browser still displays a recognisable URL.
To exploit this, a cyberattacker could register a punycode-encoded domain that, once the browser displays it, looks the same as a legitimate website’s. In Zheng’s example, the entire domain name is spelled out using Cyrillic characters that are indistinguishable from their Latin counterparts.
Browsers typically have safeguards in place to flag a domain name that mixes characters from multiple alphabets. Zheng’s example gets around this protection by using Cyrillic characters only, so there is no mixing to detect.
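As an added illustration (not code from the original post), the following Python check mirrors the two safeguards just described: it decodes punycode (xn--) labels with the standard library, flags labels that mix scripts, and separately flags labels written entirely in Cyrillic letters that each have a Latin lookalike, reporting which Latin domain the name resembles. The confusable table and sample domains are constructed and deliberately partial; a real checker would use the Unicode confusables data from UTS #39.

```python
from __future__ import annotations
import unicodedata

# Cyrillic lowercase letters whose glyphs are near-identical to Latin letters.
# Constructed, partial table for illustration; a real checker would use the
# Unicode confusables data from UTS #39.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) to Unicode with the stdlib idna codec;
    a domain that already contains non-ASCII characters passes through."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain

def script_of(ch: str) -> str:
    """Rough script classification (LATIN, CYRILLIC, GREEK, ...) taken from the
    Unicode character name; digits and hyphens count as COMMON."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def assess(domain: str) -> tuple:
    """Return (verdict, lookalike).
    'mixed-script' : a label mixes letters from several scripts (what browsers flag)
    'confusable'   : a label uses one non-Latin script, yet every letter has a Latin
                     lookalike (the whole-label trick described in the post)
    'ok'           : neither check fired
    lookalike is the Latin domain the name resembles, or '' when not applicable."""
    verdict, skeleton = "ok", []
    for label in to_unicode(domain).lower().split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            return "mixed-script", ""
        if scripts and scripts != {"LATIN"} and all(
                c in CONFUSABLE or script_of(c) == "COMMON" for c in label):
            verdict = "confusable"
            skeleton.append("".join(CONFUSABLE.get(c, c) for c in label))
        else:
            skeleton.append(label)
    return verdict, ".".join(skeleton) if verdict == "confusable" else ""

if __name__ == "__main__":
    # Constructed samples: a plain name, a mixed-script name, an all-Cyrillic lookalike.
    for sample in ("example.com", "ex\u0430mple.com", "\u0441\u043e\u0440\u0430.com"):
        print(sample, "->", assess(sample))
```

The all-Cyrillic sample is exactly the case the mixed-script rule misses, which is why the second check is needed alongside it.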
What’s the risk?
Rest assured, this vulnerability is either already covered or soon to be repaired in many browsers – including Apple Safari, Google Chrome, Internet Explorer and Microsoft Edge, according to a Wired report. Despite the patches, it’s crucial to stay vigilant online. Though this vulnerability has been addressed, a dedicated malicious actor could still try finding other ways to get around these safeguards. Keeping your operating system and applications up to date is one of the best ways to protect yourself.
While there are no reports that the type of URL spoofing Zheng found has been employed, it could be used as part of phishing attacks to gain users’ login credentials to key websites.
Phishing attacks are a key security concern organisations must be aware of. Telarus offers a range of network security solutions to keep your business guarded. To learn more, contact us today.