ky331 (3 Apprentice, 15.6K Posts), April 17th, 2017 15:00
Okay, here's what I believe is the PaleMoon status:
Effective with PM release 27.1: Updated the IDN blacklist with more extended unicode characters that "look very similar to" normal ASCII characters, to prevent spoofing of well-known domains. If blacklisted characters are found, the IDN domain name will be displayed in its punycode form. (CVE-2017-5383 and similar) https://forum.palemoon.org/viewtopic.php?f=1&t=14724&p=105790&hilit=punycode#p105790
So this already prevents many (but not all) uses of "punycode".
Per Moonchild (the creator of PM): You can change the setting [about:config] if you're worried about this, don't want to check the certificate, and want to do something about this right now - downside is that you can't enter internationalized domain names in the address bar...
Otherwise, leave it alone and wait for the next version of Pale Moon.
Of note, any financial institution will always have an EV (green) certificate that will display the certificate owner's name -- that can't be spoofed this way. https://forum.palemoon.org/viewtopic.php?f=26&t=15486&p=112059&hilit=punycode#p112037
jtnozawa (1 Message), April 24th, 2017 00:00
Outlook Mail Client and Gmail are vulnerable as well. Our PoC and article: https://ciberseguridad.lamula.pe/2017/04/22/ataque-de-phishing-imperceptible-con-unicode-tambien-afecta-clientes-de-correo-electronico/delphins
ky331 (3 Apprentice, 15.6K Posts), April 24th, 2017 05:00
At present, FF has NO PLANS to "fix" this issue: a software engineer for the Mozilla Foundation said that Firefox users should turn on the browser’s Safe Browsing feature to help thwart phishing attacks.
https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/
Remark: As best as I can tell, this can be done/confirmed under about:config, by enabling (setting TRUE)
browser.safebrowsing.phishing.enabled
It would also be prudent to confirm enabling of
browser.safebrowsing.malware.enabled
(These should both have been set to TRUE by default).
ky331 (3 Apprentice, 15.6K Posts), April 29th, 2017 10:00
For Pale Moon's official response to this issue, see http://en.community.dell.com/support-forums/virus-spyware/f/3522/p/20011452/20994504#20994504