February 07, 2005

Frightfully Bogus URLs
No sooner do I finish a Dispatch posting about the dangers of clicking links in spam than I read the details of an exploit that invalidates a lot of the advice about phishing sites. For once, however, the exploit affects browsers other than Microsoft Internet Explorer.
Here is the background:
Acknowledging that the world does not all speak English or write its languages in Western characters, Internet standards bodies developed a way to use other character sets in domain names. The idea is that someone in, say, Greece would be more comfortable with a domain name written in Greek letters than with one in a foreign (i.e., English) character set.
It turns out that some characters in some non-English alphabets look exactly like English characters when computers or software equipped with those character sets display them on the screen. This goes well beyond the old trick of substituting zeros for uppercase Os. Modern browsers equipped with this Internationalized Domain Name (IDN) capability display the rendered version of the URL in the Address box, as well as in a Web page body and in the status bar during a mouse rollover of a link.
For a scary (but harmless) demonstration of this technique, use a browser such as Firefox, Netscape 7.x, Safari, or Opera to visit a special page set up by the Shmoo Group. There you'll be able to click on links purporting to take you to PayPal—including one that links to a secure page. If you are running a browser other than IE, the Address box will show what appears to be "paypal.com" (including a real secure lock icon in the https version) but is in actuality "xn--pypal-4ve.com", the ASCII equivalent of the specially coded URL.
What does this all mean?
Although I haven't yet seen examples of this exploit used in phishing scams, it may turn up. It's frightening to think that unsuspecting phishing victims will not be aware that the entire process—bogus email leading to a bogus site bearing all the right hallmarks on the surface—is under the control of scammers. The factor working against wide use of this exploit is that most of the world uses IE, which doesn't support the new IDN standard in either its Windows or Mac version.
(Lots of Web developers slam Internet Explorer because it doesn't support enough standards, but this time it escapes an exploit for that very reason. Oh, the irony!)
If you take the advice I give in Spam Wars and inspect suspicious messages correctly, you will spot that something is wrong with the URL before you ever click it. In the case of the PayPal spoof above, the source code shows the link destination as "http://www.pаypal.com/", a sure sign that something stinks.
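To make the relationship between the rendered name and the coded name concrete, here is an added example (my own, not code from the post or from the Shmoo Group) that does in a few lines what the inspection advice above asks a reader to do by eye. It uses Python's built-in idna codec to convert between the Unicode form a browser renders and the "xn--" form the resolver actually looks up, and it applies a simple mixed-script heuristic: a label that combines letters from two alphabets, such as Latin letters with one Cyrillic "а", is shown in its xn-- form so the substitution becomes visible. The sample URLs are constructed for the demonstration; the lookalike is the one described in the post.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples. The lookalike hostname is Latin "p" followed by
# CYRILLIC SMALL LETTER A (U+0430), which most fonts draw exactly like "a".
LOOKALIKE_URL = "http://www.p\u0430ypal.com/"
GENUINE_URL = "https://www.paypal.com/"


def to_ascii(hostname):
    """ASCII form (punycode labels prefixed 'xn--') that DNS actually resolves."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname):
    """Rendered form an IDN-aware browser would show in its Address box."""
    return hostname.encode("ascii").decode("idna")


def scripts_in_label(label):
    """Set of scripts used by the letters of one DNS label.

    The script is taken from the first word of each character's Unicode
    name ("LATIN", "CYRILLIC", "GREEK", ...). Digits and hyphens carry no
    script and are ignored.
    """
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(hostname):
    """True if any label mixes scripts, e.g. Latin letters plus one Cyrillic letter."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))


def check_link(url):
    """Return (verdict, hostname_to_display) for a link target.

    A hostname whose labels are each written in a single script is shown
    as Unicode; a mixed-script hostname is flagged and shown in its xn--
    form so that the disguised character cannot hide behind a lookalike.
    """
    host = urlsplit(url).hostname or ""
    # Accept either form on input: decode xn-- labels, leave Unicode as-is.
    unicode_host = to_unicode(host) if host.isascii() else host
    ascii_host = to_ascii(unicode_host)
    if is_mixed_script(unicode_host):
        return "suspicious", ascii_host
    return "ok", unicode_host


if __name__ == "__main__":
    for url in (GENUINE_URL, LOOKALIKE_URL, "http://www.xn--pypal-4ve.com/"):
        print(url, "->", check_link(url))
```

The heuristic catches the class of spoof the post describes, a single substituted letter inside an otherwise Latin name, which is the check IDN-aware browsers later adopted in one form or another. It is a first filter rather than a complete defense: it says nothing about a label written entirely in one non-Latin script, so it belongs alongside, not instead of, reading the raw link target in the message source.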
This problem appears to be not so much a browser bug as a flaw in a standard (known as early as 2001). As some users flee IE/Windows to escape vulnerability after vulnerability, they find themselves merely jumping from one frying pan into another. Shields up!

Posted on February 07, 2005 at 10:43 AM