Some perfectly authentic-looking web addresses are not what they seem, and not all browsers are taking the problem seriously
Here's a challenge for you: you click on a link in your email, and find yourself at the website https://аррӏе.com. Your browser shows the green padlock icon, confirming it's a secure connection; and it says "Secure" next to it, for added reassurance. And yet, you've been phished. Do you know how?
The answer is in that URL. It may look like it reads "apple", but that's actually a bunch of Cyrillic characters: A, Er, Er, Palochka, Ie. The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com, which tells you nothing about whether you're connected to a legitimate site or not.
The proof-of-concept domain was put together by Xudong Zheng, a security researcher who wanted to demonstrate the problem with the way domain names can be registered and displayed. For a long time, domain names could only be written in Latin characters without diacritics, but since 1998 it's actually been possible to write them in other alphabets too. That's useful if you want to register a domain name in Chinese or Arabic script, or even just correctly spelled French or German (anything that can be represented with the Unicode standard can be registered, even emoji), but it has also opened up a whole new avenue of misdirection for malicious actors to take advantage of, by finding characters in other alphabets which look similar to Latin ones.
"From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters," Zheng writes. "It is possible to register domains such as xn--pple-43d.com, which is equivalent to аpple.com. It may not be obvious at first glance, but аpple.com uses the Cyrillic а (U+0430) rather than the ASCII a (U+0041). This is known as a homograph attack."
Some browsers will keep an eye out for such tricks, and display the underlying punycode domain name (the xn-- form) if they sense mischief. A common approach is to reject any domain name containing multiple alphabets. But that doesn't work if the whole thing is written in the same alphabet, as Zheng's all-Cyrillic "apple" is.
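As an added illustration (not code from the article or from Zheng), the following Python script converts a hostname between its punycode and Unicode forms with the standard library's idna codec and then applies the two checks the text describes: the mixed-script rule that many browsers use, and a whole-label look-alike test that also catches a label written entirely in one non-Latin alphabet. The confusables table is a small constructed subset of the Unicode confusables data, and the script-detection heuristic (first word of the character's Unicode name) is an assumption of the example; the fourth sample host, an ordinary Cyrillic word, goes beyond the article to show a legitimate non-Latin name passing both checks.

```python
import unicodedata

# Constructed subset of the Unicode confusables list (UTS #39) for this example.
# A production check would load the full confusables.txt table instead.
CONFUSABLE_TO_ASCII = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def idna_forms(host):
    """Return (ascii_form, unicode_form) for a host given in either form.

    Python's "idna" codec (IDNA 2003) produces and decodes the xn-- punycode
    labels; labels that are already ASCII pass through unchanged.
    """
    ascii_form = host.encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    return ascii_form, unicode_form


def script_of(ch):
    """Heuristic script guess: the first word of the character's Unicode name
    (e.g. 'CYRILLIC', 'GREEK'); ASCII letters count as LATIN.
    Python exposes no Script property, so this is an approximation."""
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label):
    """Replace each confusable character with its ASCII look-alike."""
    return "".join(CONFUSABLE_TO_ASCII.get(ch, ch) for ch in label)


def check_host(host):
    """Return (ascii_form, unicode_form, findings) for a hostname.

    Two independent checks per label:
      1. mixed scripts: catches "аpple" (Cyrillic а + Latin pple) but not a
         label written entirely in Cyrillic;
      2. whole-label confusability: the label is not ASCII but its skeleton
         is, so on screen it is indistinguishable from an ASCII name.
    """
    ascii_form, unicode_form = idna_forms(host)
    findings = []
    for label in unicode_form.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        skel = skeleton(label)
        if not label.isascii() and skel.isascii():
            findings.append(f"{label}: looks identical to ASCII '{skel}'")
    return ascii_form, unicode_form, findings


if __name__ == "__main__":
    # Sample hosts: the punycode name quoted in the article, "apple" spelled
    # with Cyrillic a, er, er, palochka, ie, a genuine Latin name, and an
    # ordinary Cyrillic word with no Latin look-alike (constructed samples).
    for host in ("xn--pple-43d.com", "\u0430\u0440\u0440\u04cf\u0435.com",
                 "apple.com", "\u044f\u043d\u0434\u0435\u043a\u0441.ru"):
        ascii_form, unicode_form, findings = check_host(host)
        print(f"{ascii_form} -> {unicode_form}: {findings or 'no findings'}")
```

The mixed-script rule alone lets the all-Cyrillic label through; only the skeleton comparison flags it, which is why browsers that rely on a single-alphabet test still show such names in their Unicode form.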