Phishing Attack Exploiting Flaw In Browsers

Security researchers have discovered a phishing attack exploiting a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the authentic websites.

Threat ID:: CC-1362
Category:: Exploit
Threat Severity:: Low
Threat Vector:: Phishing
Published:: 27 April 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Security researchers have discovered a phishing attack exploiting a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the authentic websites.

Affected platforms

The following platforms are known to be affected:

Google Chrome

Chrome including the current version 57.0.2987.
Firefox including the current version 52.0.2.
Opera including Neon version.

Mozilla Firefox

Threat details

This vulnerability may allow attackers to display a malicious phishing domain as an authentic and legitimate website of any brand and steal the log-in details, private and financial information of the respective users.

The attack vector is undetectable because it is impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate. Simply checking the address bar and green SSL signal will not be sufficient to rely on or trust the authenticity of websites visited by any user from vulnerable browsers.

The attack vector exploiting this flaw is a new version of phishing which uses Unicode to register domains that look identical to real domains. Many browsers use Punycode encoding to represent Unicode characters in the URL to defend against homograph phishing attacks by converting Unicode to the limited character set of ASCII (A-Z, 0-9) codes, supported by International Domain Names (IDNs) system. However, web browsers render only Punycode URLs in one language as Unicode (like only Chinese or only Japanese), but they fail in the case where a domain name contains characters from multiple languages.

Remediation advice

Mozilla has not provided any information about the fix but as a manual workaround, Firefox users are advised to follow below mentioned steps to change settings in their browser:

Remediation steps

Type	Step
	Type about: config in address bar and press enter. Type Punycode in the search bar. Browser settings will show parameter titled: network.IDN_show_punycode, double-click or right-click and select Toggle to change the value from false to true. There is no workaround for Chrome and Opera users but Google has reported that they have fixed this issue in a test release of Chrome Canary 59 and will come up with a permanent fix in the stable version Chrome 58 by the end of this month. Ensure the limited use of these browsers in critical environments and defer to other browsers that are unaffected by this vulnerability. Since multiple active phishing campaigns have been seen exploiting this vulnerability, users are encouraged to patch all relevant programs as quickly as possible once respective vendors release it.

Type

Step

Type about: config in address bar and press enter.
Type Punycode in the search bar.
Browser settings will show parameter titled: network.IDN_show_punycode, double-click or right-click and select Toggle to change the value from false to true.

There is no workaround for Chrome and Opera users but Google has reported that they have fixed this issue in a test release of Chrome Canary 59 and will come up with a permanent fix in the stable version Chrome 58 by the end of this month. Ensure the limited use of these browsers in critical environments and defer to other browsers that are unaffected by this vulnerability.

Since multiple active phishing campaigns have been seen exploiting this vulnerability, users are encouraged to patch all relevant programs as quickly as possible once respective vendors release it.

Last edited: 17 February 2020 11:37 am