This Google Chrome and Firefox Phishing Scam Is ‘Practically Impossible to Spot’

Security experts are warning people about an incredibly devious scam that’s guaranteed to trip up even the most attentive Internet users.

The attack is a variety of phishing, an age-old con that involves tricking people into trusting a malicious website by directing them to a malicious link or, alternatively, into downloading a booby-trapped computer file. The hackers then steal the victims’ passwords or install malware on their computers.

This particular iteration of the ploy uses domain names, also known as web addresses, that look nearly identical to legitimate ones of well-known brands. This scam goes beyond the usual version where fraudsters dupe people into visiting, for example, a “gmail.com” knockoff like “gmail.co” (which has a different top-level domain), “gmial.com” (misspelled), or “gmai1.com” (where the number “1,” as in one, replaces the letter “l”).

Indeed, this scam is far subtler. It works like this: fraudsters are able to register domains with characters plucked from various alphabets other than the default Latin script. When displayed, it’s all but impossible to tell apart a Greek “O” from a Cyrillic “O” from a Latin “O,” for instance.

Good luck seeing the difference between a domain like “Google.com” (Latin) from “Google.com” (Cyrillic).

Get Data Sheet, Fortune’s technology newsletter

This attack is not exactly new. The scam is called an “IDN homograph attack,” and it dates back to 2001. Bruce Schneier, a cybersecurity expert who works at IBM (IBM), warned more than a decade ago about an early version of the attack mimicking PayPal (PYPL) with PayPaI, which ends in an uppercase “i” rather than a lowercase “l.”

The attack received renewed attention on Friday when Xudong Zheng, a web developer at the small software firm SliceOne, raised the alarm about a particular version of the scam in a blog post on his personal website. Zheng created an example site, “apple.com,” to spoof the legitimate “apple.com,” thus demonstrating the potential for duplicity.

Zheng’s bogus domain is actually “xn--80ak6aa92e.com.” This alphanumeric gobbledygook renders as “apple.com” in the web browser due to a tool called “punycode,” which translates characters from Unicode, an encoding standard for computers to display thousands of kinds of symbols, including ones from many different languages, into the more limited set of characters available in ASCII, another encoding standard that only contains symbols more familiar to English readers, including “A-Z,” “a-z,” 0-9,” and various punctuation marks.

Browsers use punycode to display foreign domain names in English. So “xn--80ak6aa92e.com,” which references Cyrillic letters (in Unicode), becomes “apple.com” (in ASCII).

Vulnerable web browsers include Google Chrome, Mozilla Firefox, and Opera browsers. Apple’s Safari and Microsoft’s Internet Explorer and Edge browsers are apparently unaffected. To see for yourself, copy and paste “xn--80ak6aa92e.com” into your web browser.; vulnerable ones convert to “apple.”

“I first learned about the general attack in 2011 when I purchased my first Unicode domain,” Zheng told Fortune in an email. (He said he has since forgotten what that domain name was.) The issue popped back into his mind a few months ago as he was registering a new domain,”xn--s7y.co,” which thanks to punycode renders as a single Chinese character, “短.co,” or “short” in English.

While Chrome and Firefox protect against bogus domains that mix and match letters from different writing systems, like Cyrillic and Latin, they do not protect against bogus domain names that use characters entirely from a particular language, like Cyrillic. “In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable,” Zheng said in his post.

In many cases, the only way to catch the deceit is to check a site’s SSL certificate, a digital file that cryptographically verifies a site’s identity. In Chrome you can do this by clicking the “three dots” button in the upper right hand corner of the browser window, clicking “more tools,” then “developer tools,” then selecting “security,” and finally “view certificate.”

Doing so on Zheng’s proof of concept attack site retrieves a certificate that should look like this; notice the “xn--80ak6aa92e.com.”

One of the best examples of this Unicode domain-spoofing phishing scheme was demonstrated by security researchers at WordFence, a company that creates security plugins for the blogging site WordPress. (WordFence previously warned about another recent Gmail phishing scam, which has since been fixed.)

To make the latest threat more palpable, the team created a spoof of “epic.com” that goes by—wait for it—”epic.com“. See the screenshots below showing how Chrome displays the web addresses.

The team obtained an SSL certificate, thereby granting the bogus domain a “secure” green lock icon. As a result, people might think they’re on the real website, when in fact they’re visiting a fake one.

 

 

 

 

Can you tell the difference? Didn’t think so.

The first URL displays the domain of the fake page (actually, it’s “https://xn--e1awd7f.com/,” which renders as “https://epic.com” in the browser thanks to its punycode settings), and the second shows the homepage for a real Wisconsin-based firm that develops software related to electronic health records. Even to the trained eye, the URLs appear as one and the same.

Zheng reported the issue to the Chrome security team on Jan. 20, earning a bounty of $2,000 for what Google (GOOG) deemed a medium-severity bug. The Chrome security team crafted a fix on March 23. Initially aiming to deploy the patch in Chrome version 59 (now in beta, due out June 6th), the Chrome security team decided instead to roll out a patch with version 58, due out in a stable release around April 25th, according to its software development calendar.

Mozilla, on the other hand, is still debating how best to fix the problem, as you can see in this thread. Until this debate resolves and a patch is made available, users can manually change the settings in their Firefox browsers so they may more readily detect these kinds of attacks.

To do so, open the Firefox browser, enter “about:config” in the URL bar, search for “punycode,” and set the value type from “false” to “true.” (Default setting seen below.)

“It’s a really worrying problem as it makes phishing so much easier,” Alan Woodward, a security expert and professor at the University of Surrey in England, said in an email to Fortune. “These tricks make it easy for even the most cautious of us to click on a link.”

He added: “The only advice I can really offer is never use a link in an email or other similar message.”

In other words, it’s safer to manually type any intended web addresses in the URL bar, as annoying as that might be, than it is to click on links around the web, in email, and on social media. Password management tools can also help reduce the threat by automatically entering login credentials only on the trusted sites.

Till the fixes land, protect yourself and spread the warning.

Subscribe to Data Sheet, our daily newsletter about the business of tech. Sign up for free.