View Full Version : Domain Name Scamming!

Jan Gaarni
02-09-2005, 05:40 AM
Earlier this week a notice was made, warning people about scammers and such.

You may think, well, what else is new. The net is filled with scammers.

Well, since after you were able to use national letters (in example norwegian , , and ) in the addressfield, the threat has increased significantly.

Everyone knows of the famous replacing the O with a 0 (zero), like MICR0S0FT.com, and abusing that to trick people.
It’s usually easy to spot it if you are awake and pay attention when clicking links.

But what happens when you no longer are able to recognise wether it is an a or an a?

Example: the Russian letters a, e, o, and y looks fairly similar to the latin a, e, o, and y. For us mortal people, this is pretty much impossible to spot. But in the computerworld (binary kode) the difference is obvious and both letters are treated as 2 different letters. Someone could make a fake PayPal site under the .com domain (and probably already have, so stay alert) and use the Russian a instead the propper a. They can then lure you into this website and, if you are particulary “unlucky”, scam you for your money.

Mozilla 1.7.5, Firefox 1.0, Konqueror 3.2.2 and Opera 7.54 have this problem, according to Secunia (http://secunia.com/advisories/14163). Micrososft IE does not have this exact same problem, but are subject to other problems (http://www.kb.cert.org/vuls/id/356600) which has similar effect.

If you want to test if you are vunerable to this spoof, click here (http://www.paypаl.com/).
It should take you to a fake PayPal site created by Secunia (http://secunia.com/) if you are affected.

The easiest way to avoid this problem is to type in the address manually in the addressfield, rather than copy and paste, or clicking on a link from a mail informing you they have registered some inregularities on your account at for instance PayPal (I’ve received a couple of these already).

The other way is to disable the IDN feature on your browser.
How you do that you will have to go to your browsers own webpages to see if they have any solutions there.
For Firefox users (such as myself :) ), you can go here (http://forums.mozillazine.org/viewtopic.php?t=215221).
It’s only a temp solution as far as I understand.

I don’t really see how they can fix this though, unless national letters are banned again. :D

More links for info on this:
Secunia (http://secunia.com/advisories/14163)
The Register (http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/)
The Schmoo Group (http://www.shmoo.com/idn/homograph.txt)
The Homograph Attack (http://www.cs.technion.ac.il/~gabr/papers/homograph.html)
IDN Permissible Code Point Problems (http://www.icann.org/committees/idn/idn-codepoint-paper.htm)

02-09-2005, 06:36 PM
Thanks for the info Jan. I'll be more careful thanks to you :)

El Sitherino
02-18-2005, 05:01 PM
to solve this, get the adblock extension. go to it's preferences, hit adblock options. Select site blocking and place this in as a new filter.
" :-/[^\x20-\xFF]/ "