Phishing Attacks with Unicode Domains

One more attack vector to be thinking about!

From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “”, which is equivalent to “а”. It may not be obvious at first glance, but “а” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.

Chrome 59 will protect you from these phishing attempts by converting the maliciously-similar name to the Punycode version, thus making you aware of something amiss.

Firefox users can limit their exposure by going to about:config and setting network.IDN_show_punycode to true. This forces Firefox to always display IDN domains in their Punycode form, making it possible to identify malicious domains. Thanks to /u/MARKZILLA on reddit for this solution.

Thus, the attack form of will show as
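To make the Punycode display concrete, here is an added example (not from the original post) that converts a constructed look-alike of the reserved name example.com, with the Cyrillic а (U+0430) in place of ASCII a (U+0041), to the form Chrome 59 and Firefox with network.IDN_show_punycode show, and flags labels that mix scripts:

```python
import unicodedata

# Constructed sample hosts: the ASCII name beside a look-alike whose third
# letter is Cyrillic small a (U+0430) rather than ASCII a (U+0041).
ASCII_HOST = "example.com"
HOMOGRAPH_HOST = "ex\u0430mple.com"


def label_scripts(label: str) -> set[str]:
    """Script names used by the letters of one DNS label, taken from the
    first word of each Unicode character name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def to_punycode(host: str) -> str:
    """ASCII ('xn--' prefixed Punycode) form of an IDN, i.e. what a browser
    shows when it refuses to render the Unicode form."""
    return host.encode("idna").decode("ascii")


def analyze_hostname(host: str) -> dict:
    """Summarise the homograph-relevant properties of a hostname."""
    labels = host.lower().split(".")
    scripts = [label_scripts(label) for label in labels]
    return {
        "punycode": to_punycode(host),
        # Any non-ASCII label is the signal the Firefox setting surfaces.
        "non_ascii": not host.isascii(),
        # Latin and Cyrillic letters in one label is a classic homograph sign.
        "mixed_script": any(len(s) > 1 for s in scripts),
        "scripts": scripts,
    }


if __name__ == "__main__":
    for host in (ASCII_HOST, HOMOGRAPH_HOST):
        info = analyze_hostname(host)
        print(f"{host!r:22} -> {info['punycode']:22} "
              f"non_ascii={info['non_ascii']} mixed={info['mixed_script']}")
```

A label written entirely in one non-Latin script passes the mixed-script check even when every glyph resembles a Latin letter, so the Punycode display (the `non_ascii` flag here) is the more robust of the two signals.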

On Twitter @Xudong_Zheng says a simple way to limit the risk from bugs such as this is to always use a password manager, which can identify that the similar letters are not the same.
