<blockquote>Beware of URL Impersonation: How Scammers Trick You with Lookalike Letters</blockquote>
Imagine you're visiting what you believe to be your bank's website. You verify the web address in the URL bar, and it appears to be exactly as expected. However, you're actually on a fake website created by scammers. This fake website looks identical to your bank's website, but it's designed to trick you into revealing sensitive information such as your password, credit card number, or other personal data.
This exact attack is not only possible but has been demonstrated by a security researcher using apple.com. Surprisingly, this attack cannot be spotted with the human eye by looking at the link. The URL clearly shows "apple.com," but instead of the sleek, polished brand website, you'll be greeted, luckily, by a friendly warning message from the researcher instead of a scammer. The link to the researcher's attack demonstration and further information can be found in the video description.
[bumper : How the scam works]
Scammers create fake websites that look and function exactly like the real ones. But for their scam to work, they also often create URLs that resemble those of well-known brands to trick users into being careless. They use "lookalike letters" called "homoglyphs" from different languages to replace English letters and create "lookalike words" called "homographs". For example, they might use a Greek "a" instead of an English "a" to create a fake homograph that makes the browser render "apple.com". However, instead of the legitimate website, users will be visiting a domain that the attacker controls. This is how they deceive users and trick them into revealing sensitive information such as their passwords and 2FA logins.
Fortunately, you can avoid falling victim to this attack. Internally, the browser converts the plain text version of apple.com into a strange letter salad called punycode, because URLs don't allow foreign characters. If your browser showed this punycode, you would clearly see it's not the real apple.com (<nowiki>https://www.xn--80ak6aa92e.com</nowiki>). Unfortunately, many browsers, for your convenience and at the expense of your security, do not display this punycode to you.
[bumper: Defending yourself]
If you come across a suspicious URL in an email, chat, or website, don't click on it. Instead, take precautions.
One. You could simply type the URL into the address bar yourself. This might be inconvenient, but it's extremely safe.
[ In the video, show the URL bar and demonstrate typing the URL by hand. ]
Two. You can also change browser settings to always show punycode, but this only works well for Latin languages and not international audiences.
[ Show how to change the browser settings to show punycode in Firefox. ]
Three. You can also copy and paste the URL, adding another layer of security by sanitizing the copied URL before pasting it. What you think you copied might not be what you really copied, depending on your browser. To learn how to sanitize URLs and protect yourself from hidden text attacks, check out our previous video.
[ show previous video and link https://www.youtube.com/watch?v=6nHufztdkUI ]
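As an added example that is not part of the video or the Kicksecure wiki, this Python script does by hand what the "always show punycode" setting and the sanitizing step above achieve: it decodes an xn-- label back to the text the address bar would render, re-encodes it as punycode, and flags labels that are non-ASCII or mix scripts. The inputs are the researcher's demo domain from the video plus a constructed lookalike; `inspect_url` and the script heuristic are this example's own names, not a browser API.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # RFC 3490 marker for a punycode-encoded DNS label


def script_of(char: str) -> str:
    """Script name taken from the Unicode character name (LATIN, CYRILLIC, GREEK, ...)."""
    if char.isascii():
        return "LATIN"
    return unicodedata.name(char, "UNKNOWN").split()[0]


def to_ascii_label(label: str) -> str:
    """Punycode-encode one label the way the browser does before the DNS lookup."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def to_unicode_label(label: str) -> str:
    """Decode an xn-- label back to the text an address bar would render."""
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def inspect_url(url: str) -> dict:
    """Report the rendered host, its punycode form, the scripts used and a verdict.

    A host is flagged when any label is non-ASCII (a browser hiding punycode
    would show it as plain text) or mixes scripts inside one label, the usual
    pattern of a Latin brand name with a few Cyrillic or Greek lookalikes.
    """
    host = (urlsplit(url).hostname or "").lower()
    rendered = [to_unicode_label(lbl) for lbl in host.split(".")]
    ascii_labels = [to_ascii_label(lbl) for lbl in rendered]
    per_label = [sorted({script_of(c) for c in lbl if c.isalpha()}) for lbl in rendered]
    non_ascii = any(lbl.startswith(ACE_PREFIX) for lbl in ascii_labels)
    mixed = any(len(scripts) > 1 for scripts in per_label)
    return {
        "rendered_host": ".".join(rendered),
        "ascii_host": ".".join(ascii_labels),
        "scripts": sorted({s for scripts in per_label for s in scripts}),
        "suspicious": non_ascii or mixed,
    }


if __name__ == "__main__":
    # Constructed inputs: the demo domain from the video, the real site, and a
    # lookalike built here with a Cyrillic "a" (U+0430) replacing the Latin one.
    for link in ("https://www.xn--80ak6aa92e.com/", "https://www.apple.com/", "https://p\u0430ypal.com/login"):
        print(inspect_url(link))
```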
In summary, URL impersonation is a common tactic used by scammers to steal sensitive information from unsuspecting users. To protect yourself, remember to:
* Manually type URLs into the address bar: This is a safer way to access websites.
* Enable always showing punycode in your browser settings: This makes homoglyphs in URLs visible so they cannot deceive you. Note that this may not work well for non-Latin languages.
* Alternatively, right-click the URL, copy it, and sanitize it to make sure it's safe before pasting it into the address bar.
How to defend yourself from this attack is also documented in our wiki.
[ scroll through https://www.kicksecure.com/wiki/Social_Engineering#IDN_Homograph_Attacks ]
To learn more about how to protect yourself from this and other attacks, take a look at our wiki at https://www.kicksecure.com/wiki/Documentation. Stay vigilant and be safe!
* fake apple.com security researcher demonstration website: https://www.xn--80ak6aa92e.com/
* https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
* https://www.xudongz.com/blog/2017/idn-phishing/
* https://forums.whonix.org/t/very-hard-to-notice-phishing-scam-firefox-tor-browser-url-not-showing-real-domain-name-homograph-attack-punycode/8373
* https://twitter.com/Whonix/status/1189513958488711169
* https://mothereff.in/punycode
* https://www.jamf.com/blog/punycode-attacks/
* https://github.com/mathiasbynens/punycode.js
* https://www.gnu.org/software/libidn/libidn2/manual/html_node/Invoking-idn2.html
* https://supertekboy.com/2020/07/15/url-impersonation-homoglyph-attacks/
* https://github.com/em-te/webextension-no-homographs
phishing,scam,scammer,homoglyph,homograph,homoglyph attack,homograph attack,url impersonation,lookalike letters,unicode,punycode