• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

Egg companies made $1.22 billion in profit off a $6 carton — now they’re buying their way out of a price-fixing case with 53 million donated eggs

2

Meet the Zillennials: The luckiest micro-generation in the workforce, born between 1993 and 1998

3

Economists have found an answer to slowing cognitive decline: Avoid retiring early, study finds

1

Egg companies made $1.22 billion in profit off a $6 carton — now they’re buying their way out of a price-fixing case with 53 million donated eggs

2

Meet the Zillennials: The luckiest micro-generation in the workforce, born between 1993 and 1998

3

Economists have found an answer to slowing cognitive decline: Avoid retiring early, study finds
TechGoogle

This Google Chrome and Firefox Phishing Scam Is ‘Practically Impossible to Spot’

Robert Hackett
By
Robert Hackett
Robert Hackett
Down Arrow Button Icon
Robert Hackett
By
Robert Hackett
Robert Hackett
Down Arrow Button Icon
April 18, 2017, 2:08 PM ET
Add Fortune on Google for similar content.

Security experts are warning people about an incredibly devious scam that’s guaranteed to trip up even the most attentive Internet users.

The attack is a variety of phishing, an age-old con that involves tricking people into trusting a malicious website by directing them to a malicious link or, alternatively, into downloading a booby-trapped computer file. The hackers then steal the victims’ passwords or install malware on their computers.

This particular iteration of the ploy uses domain names, also known as web addresses, that look nearly identical to legitimate ones of well-known brands. This scam goes beyond the usual version where fraudsters dupe people into visiting, for example, a “gmail.com” knockoff like “gmail.co” (which has a different top-level domain), “gmial.com” (misspelled), or “gmai1.com” (where the number “1,” as in one, replaces the letter “l”).

Indeed, this scam is far subtler. It works like this: fraudsters are able to register domains with characters plucked from various alphabets other than the default Latin script. When displayed, it’s all but impossible to tell apart a Greek “O” from a Cyrillic “O” from a Latin “O,” for instance.

Good luck seeing the difference between a domain like “Google.com” (Latin) from “Google.com” (Cyrillic).

Get Data Sheet, Fortune’s technology newsletter

This attack is not exactly new. The scam is called an “IDN homograph attack,” and it dates back to 2001. Bruce Schneier, a cybersecurity expert who works at IBM (IBM), warned more than a decade ago about an early version of the attack mimicking PayPal (PYPL) with PayPaI, which ends in an uppercase “i” rather than a lowercase “l.”

The attack received renewed attention on Friday when Xudong Zheng, a web developer at the small software firm SliceOne, raised the alarm about a particular version of the scam in a blog post on his personal website. Zheng created an example site, “apple.com,” to spoof the legitimate “apple.com,” thus demonstrating the potential for duplicity.

Zheng’s bogus domain is actually “xn--80ak6aa92e.com.” This alphanumeric gobbledygook renders as “apple.com” in the web browser due to a tool called “punycode,” which translates characters from Unicode, an encoding standard for computers to display thousands of kinds of symbols, including ones from many different languages, into the more limited set of characters available in ASCII, another encoding standard that only contains symbols more familiar to English readers, including “A-Z,” “a-z,” 0-9,” and various punctuation marks.

Browsers use punycode to display foreign domain names in English. So “xn--80ak6aa92e.com,” which references Cyrillic letters (in Unicode), becomes “apple.com” (in ASCII).

Vulnerable web browsers include Google Chrome, Mozilla Firefox, and Opera browsers. Apple’s Safari and Microsoft’s Internet Explorer and Edge browsers are apparently unaffected. To see for yourself, copy and paste “xn--80ak6aa92e.com” into your web browser.; vulnerable ones convert to “apple.”

“I first learned about the general attack in 2011 when I purchased my first Unicode domain,” Zheng told Fortune in an email. (He said he has since forgotten what that domain name was.) The issue popped back into his mind a few months ago as he was registering a new domain,”xn--s7y.co,” which thanks to punycode renders as a single Chinese character, “短.co,” or “short” in English.

While Chrome and Firefox protect against bogus domains that mix and match letters from different writing systems, like Cyrillic and Latin, they do not protect against bogus domain names that use characters entirely from a particular language, like Cyrillic. “In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable,” Zheng said in his post.

In many cases, the only way to catch the deceit is to check a site’s SSL certificate, a digital file that cryptographically verifies a site’s identity. In Chrome you can do this by clicking the “three dots” button in the upper right hand corner of the browser window, clicking “more tools,” then “developer tools,” then selecting “security,” and finally “view certificate.”

Doing so on Zheng’s proof of concept attack site retrieves a certificate that should look like this; notice the “xn--80ak6aa92e.com.”

One of the best examples of this Unicode domain-spoofing phishing scheme was demonstrated by security researchers at WordFence, a company that creates security plugins for the blogging site WordPress. (WordFence previously warned about another recent Gmail phishing scam, which has since been fixed.)

To make the latest threat more palpable, the team created a spoof of “epic.com” that goes by—wait for it—”epic.com“. See the screenshots below showing how Chrome displays the web addresses.

The team obtained an SSL certificate, thereby granting the bogus domain a “secure” green lock icon. As a result, people might think they’re on the real website, when in fact they’re visiting a fake one.

 

 

 

 

Can you tell the difference? Didn’t think so.

The first URL displays the domain of the fake page (actually, it’s “https://xn--e1awd7f.com/,” which renders as “https://epic.com” in the browser thanks to its punycode settings), and the second shows the homepage for a real Wisconsin-based firm that develops software related to electronic health records. Even to the trained eye, the URLs appear as one and the same.

Unicode phishing attacks are practically impossible to spot – these examples are positively alarming https://t.co/ErXGlhGui2

— Alan Woodward (@ProfWoodward) April 17, 2017

Zheng reported the issue to the Chrome security team on Jan. 20, earning a bounty of $2,000 for what Google (GOOG) deemed a medium-severity bug. The Chrome security team crafted a fix on March 23. Initially aiming to deploy the patch in Chrome version 59 (now in beta, due out June 6th), the Chrome security team decided instead to roll out a patch with version 58, due out in a stable release around April 25th, according to its software development calendar.

Mozilla, on the other hand, is still debating how best to fix the problem, as you can see in this thread. Until this debate resolves and a patch is made available, users can manually change the settings in their Firefox browsers so they may more readily detect these kinds of attacks.

To do so, open the Firefox browser, enter “about:config” in the URL bar, search for “punycode,” and set the value type from “false” to “true.” (Default setting seen below.)

“It’s a really worrying problem as it makes phishing so much easier,” Alan Woodward, a security expert and professor at the University of Surrey in England, said in an email to Fortune. “These tricks make it easy for even the most cautious of us to click on a link.”

He added: “The only advice I can really offer is never use a link in an email or other similar message.”

In other words, it’s safer to manually type any intended web addresses in the URL bar, as annoying as that might be, than it is to click on links around the web, in email, and on social media. Password management tools can also help reduce the threat by automatically entering login credentials only on the trusted sites.

Till the fixes land, protect yourself and spread the warning.

About the Author
Robert Hackett
By Robert Hackett
Instagram iconLinkedIn iconTwitter icon
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

‘Devin-kun’: Japan embraces agents as legacy code and a shrinking workforce create a perfect market for an AI software engineer 
AsiaAI agents
‘Devin-kun’: Japan embraces agents as legacy code and a shrinking workforce create a perfect market for an AI software engineer 
By Nicholas GordonJuly 3, 2026
2 hours ago
Chad Hurley and Steven Chen wearing suits
SuccessWealth
YouTube’s founders split over $650 million when they sold to Google in 2006—had they held out, they could have taken a slice of $550 billion
By Preston ForeJuly 3, 2026
9 hours ago
ds
CommentarySoftware
I argued with the father of open source for 2 years. Now the AI fight is the same — only bigger
By David SiegelJuly 3, 2026
11 hours ago
ashok
Commentary250 Years of Innovation
The greatest startup in history: What we can learn from America’s founders at today’s AI frontier
By Ashok N. SrivastavaJuly 3, 2026
11 hours ago
2
Commentary250 Years of Innovation
America’s secret weapon isn’t just innovation — It’s the freedom to fail
By Keith KrachJuly 3, 2026
13 hours ago
A $75 billion valuation, 75 million global customers and on its way to America—Revolut is London’s disruptor extraordinaire
EuropeLetter from London
A $75 billion valuation, 75 million global customers and on its way to America—Revolut is London’s disruptor extraordinaire
By Kamal AhmedJuly 3, 2026
13 hours ago

Most Popular

Egg companies made $1.22 billion in profit off a $6 carton — now they’re buying their way out of a price-fixing case with 53 million donated eggs
Law
Egg companies made $1.22 billion in profit off a $6 carton — now they’re buying their way out of a price-fixing case with 53 million donated eggs
By Wyatte Grantham-Philips and The Associated PressJuly 2, 2026
1 day ago
Meet the Zillennials: The luckiest micro-generation in the workforce, born between 1993 and 1998
AI
Meet the Zillennials: The luckiest micro-generation in the workforce, born between 1993 and 1998
By Nick LichtenbergJuly 3, 2026
16 hours ago
Economists have found an answer to slowing cognitive decline: Avoid retiring early, study finds
Economy
Economists have found an answer to slowing cognitive decline: Avoid retiring early, study finds
By Sasha RogelbergJuly 2, 2026
1 day ago
On Wall Street, analysts increasingly don’t believe the U.S. government’s 'misleading' job numbers
Economy
On Wall Street, analysts increasingly don’t believe the U.S. government’s 'misleading' job numbers
By Jim EdwardsJuly 3, 2026
12 hours ago
Mark Zuckerberg feeds his cows macadamia nuts and beer to create the 'highest-quality beef in the world' on his $300 million estate in Hawaii
Success
Mark Zuckerberg feeds his cows macadamia nuts and beer to create the 'highest-quality beef in the world' on his $300 million estate in Hawaii
By Sasha RogelbergJuly 2, 2026
1 day ago
Current price of oil as of July 2, 2026
Personal Finance
Current price of oil as of July 2, 2026
By Joseph HostetlerJuly 2, 2026
1 day ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.