Serious Spoofing Scam Affects Most non-IE Browsers - Scams, Frauds and Virus Threats


Posted by: Crazie

Boing Boing has reported a technique which allows phishers to
fake domain names in email links, the address bar and SSL
certificate of almost all browsers other than Internet Explorer.
The scam utilizes features of IDN, the industry standard for
representing non-ASCII characters in domain names, to substitute
non-standard characters for very similar looking English
characters. This newsletter is plain text so I can't give you an
example but substituting a '0' for an 'O' in SUPPORTALERT.COM
vs. SUPP0RTALERT.COM will give you the idea. IE does not comply
with the standard and is consequently not affected. Apparently
Mozilla incorporated a fix into nightly builds within 12 hours
which allows users to turn off IDN but there is no patch yet for
released versions of Mozilla or FireFox. However, a developer
has patched the FireFox SpoofStick extension so that it will
reveal the scam. More generally the problem can be avoided by
not clicking on links nor cutting and pasting but rather typing
them in to your browser's address bar by hand. All this supports
my current view that you can no longer reliably pick phishing
scams. If you get an email from a bank or financial institution
requesting some action then phone first, act later.
http://www.boingboing.net/2005/02/0...p_exploit_.html
http://secunia.com/multiple_browsers_idn_spoofing_test
http://www.jarnot.com/mt/archives/2...fox_spoof_s.php
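
The following is an added example, not part of the original post or of any tool it mentions: a small checker that decodes each label of a hostname taken from a link and flags labels that use IDN, noting when one label mixes scripts. The sample hostname is constructed, and the function names are assumptions made for this illustration.

```python
import unicodedata

# Constructed sample: Latin "example" with U+0430 (Cyrillic a) in place of "a".
SAMPLE_HOST = "www.ex\u0430mple.com"

def label_scripts(label):
    """Scripts used by a label's letters (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_host(host):
    """Return (unicode_label, ace_label, reason) for each suspicious label."""
    findings = []
    for raw in host.rstrip(".").lower().split("."):
        label = raw
        try:
            # Links may carry the ACE ("xn--") form; decode it to see the glyphs.
            if raw.startswith("xn--"):
                label = raw.encode("ascii").decode("idna")
            if label.isascii():
                continue  # plain ASCII label, IDN is not involved
            ace = label.encode("idna").decode("ascii")
        except UnicodeError:
            findings.append((raw, raw, "label is not valid IDNA"))
            continue
        scripts = sorted(label_scripts(label))
        kind = "mixed scripts" if len(scripts) > 1 else "non-ASCII label"
        findings.append((label, ace, f"{kind}: {', '.join(scripts)}"))
    return findings

if __name__ == "__main__":
    for shown, ace, reason in inspect_host(SAMPLE_HOST):
        print(f"{shown!r} -> {ace} ({reason})")
```

Showing the "xn--" form next to the displayed name is what exposes the substitution, since the two look identical on screen.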
