Experts: international domain names may pose threat

Security experts are warning about a new threat to Web surfers: malicious Web sites that use international domain names to spoof the Web addresses of legitimate sites.

The new trick is a variation of a known technique called the "homograph attack" and takes advantage of loopholes in the way some popular Web browsers display domain names that use non-English characters. It could allow malicious hackers and online identity theft groups to trick unsuspecting users into divulging sensitive personal information, according to advisories from The Shmoo Group, a hacker collective, and Secunia.

The warning was published after a demonstration of the new kind of homograph attacks at ShmooCon, a hacker convention in Washington, D.C. Secunia, of Copenhagen, issued advisories on the new issue for users of affected browsers and declared the issue "moderately critical."

Homograph attacks are a well-known trick in which character resemblance, for example, between the letter "O" and the number "0" is used to fool users into thinking that a bogus Web site actually belongs to a legitimate company. For example, malicious hackers might register the domain and design it to mimic the popular computer news Web site.

The latest threat was first described by Evgeniy Gabrilovich and Alex Gontmakher, computer science students at Technion, the Israel Institute of Technology. The attack takes advantage of changes supported by Internet standards bodies such as the Internet Engineering Task Force (IETF) to allow domain names to be registered in national alphabets using non-English characters. The new Internationalized Domain Name (IDN) program makes it easier for non-English speakers to use the Web but also creates opportunities for malicious hackers, Gabrilovich and Gontmakher wrote.

For example, attackers could register a Web domain, which looks identical to the popular business news Web site, but in which the letters "o" and "e" have been substituted with identical-looking substitutes from the Cyrillic alphabet, used in the Russian language, creating a new domain, the authors said. (See: In another example, the authors registered the domain, in which the English letters "c" and "o" in that domain were substituted with their Cyrillic counterparts.

Links to the bogus Web sites in e-mail messages could be disguised by hiding the actual URL with non-English characters, such as "http://www.pа" in the HTML (Hypertext Markup Language) code of the e-mail message. Affected Web browsers would make the trick work by cleaning up that URL and displaying it with the international character. In this example, it would look like, said Dan Hubbard, senior director at WebSense in San Diego.

Some popular Web browsers, including The Mozilla Foundation's Firefox 1.0, Apple Computer's Safari Version 1.2.5 and Opera Software ASA's Version 7.54 browser all render the IDN characters in a way that could be used in an attack, according to details released by The Shmoo Group. (See:

Ironically, Microsoft's Internet Explorer browser, a popular target for Web-based attacks, is not vulnerable to the IDN homograph attack, The Shmoo Group said.

The homograph vulnerability has been talked about for a long time but has not been commonly used because Internet domain name registrars didn't support IDN. Now that many registrars do support it, the homograph attacks carry more weight, Hubbard said.

"It's just another method for phishers to use," he said.

The vulnerability will be particularly useful for attacking Web surfers who are using browsers other than Internet Explorer, and phishing scam artists may develop scams to use it when they detect that a potential victim is on a browser other than IE, he said.

Web users were advised not to follow Web links from untrusted sources and to type in Web domains manually when in doubt. Internet users can also cut and paste suspect Web links into Windows Notepad or other text readers to see what character set the URL is written in, The Shmoo Group said.

FireFox supports IDN by default, but users can disable it by typing about:config into the browser's address bar, locating the network.enableIDN option, and double clicking on it to set it to "false."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?