3 Apprentice

 • 

15.3K Posts

April 17th, 2017 13:00

PunyCode phishing attack

Firefox, Chrome and Opera (but NOT IE, Edge, Safari nor Vivaldi) are currently subject to a phishing attack using "Punycode" characters. (I've seen conflicting comments about whether or not PaleMoon is impacted...)

Users of Firefox can get around this by going to the address bar, typing

about:config

and hit ENTER. FF warns that "This might void your warranty". It's okay... just Accept the risk.

In the search box, type

punycode

and a line that reads network.IDN_show_punycode will appear. 

By default, it is set to false. Double-clicking the words will change it to true.

For more details, see https://www.bleepingcomputer.com/news/security/chrome-firefox-and-opera-vulnerable-to-undetectable-phishing-attack/

and/or

https://www.forbes.com/sites/leemathews/2017/04/17/chrome-and-firefox-adding-protection-against-this-nasty-phishing-trick/

-------------------------------------------------------------------------------------------------------

Remark:  This about:config "configuration" is available in PaleMoon... as noted, I've seen some comments that recommend implementing it, while others say it's not necessary to do so.

April 17th, 2017 15:00

Okay, here's what I believe is the PaleMoon status:

Effective with PM release 27.1:  Updated the IDN blacklist with more extended unicode characters that "look very similar to" normal ASCII characters, to prevent spoofing of well-known domains. If blacklisted characters are found, the IDN domain name will be displayed in its punycode form. (CVE-2017-5383 and similar)  https://forum.palemoon.org/viewtopic.php?f=1&t=14724&p=105790&hilit=punycode#p105790

So this already protects against many (but not all) uses of "punycode".

Per Moonchild (the creator of PM):   You can change the setting [about:config] if you're worried about this, don't want to check the certificate, and want to do something about this right now - downside is that you can't enter internationalized domain names in the address bar...   

Otherwise, leave it alone and wait for the next version of Pale Moon.

Of note, any financial institution will always have an EV (green) certificate that will display the certificate owner's name -- that can't be spoofed this way. https://forum.palemoon.org/viewtopic.php?f=26&t=15486&p=112059&hilit=punycode#p112037
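An added example, not part of the original posts and not any browser's code: a Python sketch of what a display switch like network.IDN_show_punycode does to a hostname, plus a script-based triage of IDN labels. The hostnames are constructed samples under the reserved .example TLD, and review_host with its verdict names is an assumption of this example, not the Pale Moon blacklist or a browser algorithm.

```python
import unicodedata

def label_to_unicode(label):
    """Decode one DNS label; xn-- labels carry Punycode, others pass through."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_to_ascii(label):
    """Encode one label to its xn-- form if it holds non-ASCII characters."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Scripts used by the letters of a label, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def display_host(hostname, show_punycode):
    """Address-bar form: the ASCII (xn--) form when show_punycode is true."""
    convert = label_to_ascii if show_punycode else label_to_unicode
    return ".".join(convert(part) for part in hostname.split("."))

# Verdicts from least to most suspicious (hypothetical names for this example).
ORDER = ["ascii", "idn-latin", "idn-non-latin", "idn-mixed"]

def review_host(hostname):
    """Heuristic triage: report the most suspicious label in the hostname."""
    worst = "ascii"
    for part in hostname.split("."):
        uni = label_to_unicode(part)
        if uni.isascii():
            continue
        used = scripts(uni)
        if len(used) > 1:
            verdict = "idn-mixed"          # e.g. Latin and Cyrillic in one label
        elif used == {"LATIN"}:
            verdict = "idn-latin"          # accented Latin, usually legitimate
        else:
            verdict = "idn-non-latin"      # whole label in another script
        worst = max(worst, verdict, key=ORDER.index)
    return worst

# Constructed samples, not real sites.
CYRILLIC_ONLY = "\u0440\u0435\u0430\u0441\u0435.example"  # Cyrillic letters that render like "peace"
MIXED = "p\u0430yments.example"                           # Latin with one Cyrillic "a"
ACCENTED = "b\u00fccher.example"

if __name__ == "__main__":
    for host in (CYRILLIC_ONLY, MIXED, ACCENTED, "bank.example"):
        print(review_host(host), display_host(host, True), display_host(host, False))
```

With show_punycode true, every IDN, legitimate or not, is shown in its xn-- form, which is the trade-off the quoted remark describes.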

1 Message

April 24th, 2017 00:00

April 24th, 2017 05:00

At present, FF has NO PLANS to "fix" this issue: a software engineer for the Mozilla Foundation said that Firefox users should turn on the browser’s Safe Browsing feature to help thwart phishing attacks.

https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/

Remark: As best as I can tell, this can be done/confirmed under about:config, by enabling (setting TRUE)

browser.safebrowsing.phishing.enabled

It would also be prudent to confirm enabling of

browser.safebrowsing.malware.enabled

(These should both have been set to TRUE by default).

April 29th, 2017 10:00
