Phear of Phishing

🏷 phishing, idn

xn--t-26l.com

xn–t-26l.com

The first image shows correct punycode notation; the second displays something that looks like punycode but is not. The first dash is actually the Unicode glyph for the en dash. Even worse, if you quickly type two normal dashes on iOS 11, they are automatically replaced by the en dash. So I wonder how many people would not only miss that one but actively fall into this trap. And if I were out spear phishing, one victim is all it takes.

Yes, this wouldn't be a viable phishing campaign, as other browsers, Firefox for example, transliterate xn–t-26l.com into xn--xn-t-26l-tn3d.com. But don't feel too safe just yet.

Let's say iOS 11 also transliterated the above example into punycode, making it obvious that something is very phishy. But imagine all the non-English speakers who would like to use their language naturally, without converting anything to 7-bit ASCII. They'd be trained to see punycode everywhere, and so we open the door for an old attack: typosquatting.

I don't think a lot of people would spot the difference between xn--t-26l.com and xn--t-26I.com (do you!?) and the like, as in most fonts the lower-case ell and the upper-case i are pretty much homoglyphs. No Unicode involved at all. I haven't done any tests, but my gut tells me that typosquatting punycode domains will be even more effective, as my mom can visibly connect paypal.com to … erm … paypal. But she would never make the connection from xn--t-26l.com to tᴏ.com, or was it xn--t-26I.com? ;-)
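To make both tricks concrete, here is an added example of my own (not code from the post) that decodes genuine punycode labels, shows what a transliterating browser such as the Firefox of the post would display for the en-dash lookalike, and folds ASCII homoglyphs (l/I/1, 0/O) together with dash lookalikes into a skeleton so that a watchlist of your own domains flags both the en-dash variant and the capital-I typosquat. The sample hosts and the watchlist are constructed; the en-dash sample puts U+2013 in place of the first hyphen of the xn-- prefix, which is my reading of the post's second image. Only the Python standard library is used.

```python
"""Inspect hostnames for punycode lookalikes and ASCII homoglyph typosquats.

Added example, not code from the original post. Assumes the caller passes
the hostname as it appears in the address bar or in a mail link.
"""
import codecs
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Code points that render like the ASCII hyphen-minus in most fonts.
# Constructed list; U+2013 is the en dash that iOS substitutes for "--".
DASH_LOOKALIKES = {
    "\u2010", "\u2011", "\u2012", "\u2013", "\u2014",
    "\u2212", "\u2043", "\ufe63", "\uff0d",
}

# Skeleton folding: ASCII glyphs that pass for "l" or "o" in common fonts,
# plus every dash lookalike, collapse to one representative each.
_FOLD = {"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"}
_FOLD.update({c: "-" for c in DASH_LOOKALIKES})
_SKELETON = str.maketrans(_FOLD)

# Constructed samples: the post's correct A-label, the en-dash lookalike,
# and the Latin-only typosquat with a capital I for the final ell.
SAMPLE_HOSTS = ["xn--t-26l.com", "xn\u2013-t-26l.com", "xn--t-26I.com"]
WATCHLIST = ["xn--t-26l.com"]  # hypothetical list of domains you own


@dataclass
class LabelReport:
    label: str                  # the label as it was seen
    as_ascii: str               # what a transliterating browser shows
    as_unicode: str             # what a decoding browser shows
    findings: List[str] = field(default_factory=list)


def decode_punycode_label(label: str) -> str:
    """Decode an ASCII A-label ('xn--t-26l') to its U-label ('tᴏ').

    Raises UnicodeError if the part after 'xn--' is not valid punycode.
    Non-punycode labels are returned unchanged.
    """
    if not (label.isascii() and label.lower().startswith("xn--")):
        return label
    return codecs.decode(label[4:].encode("ascii"), "punycode")


def ascii_form(label: str) -> str:
    """A-label a browser shows when it refuses to render a non-ASCII label.

    This is plain RFC 3492 punycode of the label, which is what the post
    observed in Firefox; real IDNA/UTS #46 processing may map or reject
    some code points first.
    """
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def _describe(chars) -> str:
    return ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in chars)


def inspect_label(label: str) -> LabelReport:
    """Report what a single hostname label really is."""
    try:
        as_unicode = decode_punycode_label(label)
    except UnicodeError:
        as_unicode = label
    report = LabelReport(label, ascii_form(label), as_unicode)
    if as_unicode == label and label.lower().startswith("xn--"):
        report.findings.append("'xn--' prefix but payload is not valid punycode")
    lookalikes = sorted({c for c in label if c in DASH_LOOKALIKES})
    if lookalikes:
        report.findings.append(f"dash lookalike in label: {_describe(lookalikes)}")
    if as_unicode != label:
        non_ascii = [c for c in as_unicode if not c.isascii()]
        report.findings.append(
            f"A-label decodes to {as_unicode!r} ({_describe(non_ascii)})")
    elif not label.isascii():
        report.findings.append(
            f"not real punycode; transliterating browsers show {report.as_ascii}")
    return report


def inspect_host(host: str) -> List[LabelReport]:
    return [inspect_label(part) for part in host.split(".")]


def skeleton(host: str) -> str:
    """Fold homoglyphs so xn--t-26I.com and xn–-t-26l.com match xn--t-26l.com."""
    return host.translate(_SKELETON).lower()


def lookalike_of(host: str, watchlist) -> Optional[str]:
    """Return the watchlist entry that `host` imitates, or None if it is none."""
    for known in watchlist:
        if known != host and skeleton(known) == skeleton(host):
            return known
    return None


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, "->", "imitates " + str(lookalike_of(host, WATCHLIST)))
        for r in inspect_host(host):
            for f in r.findings:
                print("   ", r.label, ":", f)
```

The skeleton comparison is deliberately crude: it only needs to answer "does this look like one of our own names?", and any hit is worth a closer look whether the lookalike came from Unicode or from plain ASCII.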

Yes, phishing is a problem. But it is a psychological, not a technological, problem. I'd also like to disagree with Apple in classifying all of the above as address-bar spoofing, as nothing is being spoofed. To me, this is just a fancy form of typosquatting. Converting all of Unicode to punycode is not going to help; converting only confusables is not going to help either.

Sadly, I can't think of anything that will get us out of this mess besides rolling IDN back, which seems rather extreme. And I think humanity would still be susceptible to phishing.

--EOF