Unsolved
This post is more than 5 years old
3 Apprentice
•
15.3K Posts
0
1577
PunyCode phishing attack
Firefox, Chrome and Opera (but NOT IE, Edge, Safari nor Vivaldi) are currently subject to a phishing attack using "Punicode" characters. (I've seen conflicting comments about whether or not PaleMoon is impacted...)
Users of Firefox can get around this by going to the address bar, typing
about:config
hit ENTER. FF warns that "This might void your warranty". It's okay... just Accept the risk.
In the search box, type
punycode
and a line that reads network.IDN_show_punycode will appear.
By default, it is set to false. Double-clicking the words will change it to true.
For more details, see https://www.bleepingcomputer.com/news/security/chrome-firefox-and-opera-vulnerable-to-undetectable-phishing-attack/
and/or
-------------------------------------------------------------------------------------------------------
Remark: This about:config "configuration" is available in PaleMoon... as noted, I've seen some comments that recommend implementing it, while others say it's not necessary to do so.
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
April 17th, 2017 15:00
Okay, here's what I believe is the PaleMoon status:
Effective with PM release 27.1: Updated the IDN blacklist with more extended unicode characters that "look very similar to" normal ASCII characters, to prevent spoofing of well-known domains. If blacklisted characters are found, the IDN domain name will be displayed in its punycode form. (CVE-2017-5383 and similar) https://forum.palemoon.org/viewtopic.php?f=1&t=14724&p=105790&hilit=punycode#p105790
So this already prevents against many (but not all) use of "punycode".
Per Moonchild (the creator of PM): You can change the setting [about:config] if you're worried about this, don't want to check the certificate, and want to do something about this right now - downside is that you can't enter internationalized domain names in the address bar...
Otherwise, leave it alone and wait for the next version of Pale Moon.
Of note, any financial institution will always have an EV (green) certificate that will display the certificate owner's name -- that can't be spoofed this way. https://forum.palemoon.org/viewtopic.php?f=26&t=15486&p=112059&hilit=punycode#p112037
jtnozawa
1 Message
0
April 24th, 2017 00:00
Outlook Mail Client and Gmail is vulnerable as well. Our PoC and article: https://ciberseguridad.lamula.pe/2017/04/22/ataque-de-phishing-imperceptible-con-unicode-tambien-afecta-clientes-de-correo-electronico/delphins
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
April 24th, 2017 05:00
At present, FF has NO PLANS to "fix" this issue: a software engineer for the Mozilla Foundation said that Firefox users should turn on the browser’s Safe Browsing feature to help thwart phishing attacks.
https://threatpost.com/google-fixes-unicode-phishing-vulnerability-in-chrome-58-firefox-standing-pat/125099/
Remark: As best as I can tell, this can be done/confirmed under about:config , by enabling (setting TRUE)
browser.safebrowsing.phishing.enabled
It would also be prudent to confirm enabling of
browser.safebrowsing.malware.enabled
(These should both have been set to TRUE by default).
ky331
3 Apprentice
3 Apprentice
•
15.3K Posts
0
April 29th, 2017 10:00
For Pale Moon's official response to this issue, see http://en.community.dell.com/support-forums/virus-spyware/f/3522/p/20011452/20994504#20994504