If you believe your data security skills are strong enough that you would never fall for an online phishing attempt, you may want to rethink your position. Xudong Zheng, a software engineer, has discovered a new and very sophisticated phishing scam.
In a typical IDN attack, users are tricked into clicking a link that looks quite normal but actually contains look-alike letters from another language system, so instead of reaching the desired URL they are taken to a completely different one. This is potentially very dangerous, since these websites often have malicious intent.
Luckily, most modern browsers have built-in protection against IDN attacks, but the new phishing scam works around it. When another language system is used to replace all of the letters, and not just some, many browsers will not detect that anything is wrong.
To address the problem, Chrome is rolling out a security update. However, Internet Explorer, Opera, and Firefox users remain vulnerable targets.
There is still something they can do, though. Firefox users, for example, can tweak their security settings to force the browser to display raw Punycode: go to about:config and set network.IDN_show_punycode to “true”.
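The Python sketch below is an added example, not code from Zheng or any browser. It prints the raw Punycode form of each domain label and separates mixed-script labels from labels written entirely in look-alike letters, the case described above. The LOOKALIKES table, the function names and the sample hosts are constructed for illustration, and no IDNA normalization is applied.

```python
import unicodedata

# Small hand-picked subset of Cyrillic letters that render like Latin ones
# (constructed for this example; Unicode's confusables data is far larger).
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j",
}

def script_of(ch):
    """Rough script tag: the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_punycode(label):
    """ASCII form of one label, i.e. what raw Punycode display would show."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def classify(label):
    """Return (verdict, punycode, imitated_latin_or_None) for one DNS label."""
    label = label.lower()
    ace = to_punycode(label)
    if label.isascii():
        return "ascii", ace, None
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        return "mixed-script", ace, None  # only some letters were swapped
    skeleton = "".join(LOOKALIKES.get(c, c) for c in label)
    if skeleton.isascii():
        # Every letter is a look-alike: the label reads as plain Latin text.
        return "whole-script-lookalike", ace, skeleton
    return "single-script", ace, None  # ordinary non-Latin name

def check_host(host):
    """Classify every dot-separated label of a host name."""
    return [classify(label) for label in host.split(".")]

if __name__ == "__main__":
    # Constructed sample hosts, not taken from the article.
    samples = ["example.com", "\u0441\u043e\u0441\u043e.example",
               "ex\u0430mple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.example"]
    for host in samples:
        print(ascii(host), check_host(host))
```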
Zheng also pointed out that it is a good idea to enter URLs manually and to use a password manager, as this is good data security practice. Visiting a website through a search engine is another way to avoid falling prey to phishing scams.