Phishing Attacks Using Undetectable Look-A-Like Web Addresses | Office of Information Technology


Last Updated: 04/18/2017

Security Notice Level: SEVERE

A new web browser flaw is being used in phishing attacks to make malicious phishing websites appear to have the same web address as known and trusted websites. In the past, OIT encouraged individuals to check the address shown in the browser's address bar, or in the pop-up text shown when hovering the mouse over a link. However, this new flaw allows attackers to craft a URL that tricks the web browser into displaying a trusted address rather than the address of the malicious website. Attackers can even forge websites that are protected by HTTPS.

The IT Security Office advises users of Chrome, Firefox, and Opera to manually type URLs for sensitive sites (e.g., your bank or financial institution, Mycuinfo, and sites which require a login) rather than clicking links in emails or on untrusted websites. Within Firefox, one can mitigate this threat by making the browser display internationalized domain names in their raw Punycode form: navigate to about:config and set "network.IDN_show_punycode" to "true".
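The following is an added illustration, not code from OIT or from the tools linked below. It shows what the Firefox setting above exposes (the Punycode "xn--" form the browser actually resolves) and a simple defender-side check that flags a displayed hostname as a possible look-alike. The look-alike table is a small constructed subset of the Unicode confusables list, and the sample hostnames are constructed.

```python
import unicodedata

# Constructed subset of the Unicode confusables list: Cyrillic letters that
# render like Latin ones in common fonts. The real table is far larger.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h",
}


def to_punycode(hostname):
    """Return the ACE ("xn--") form a browser actually resolves."""
    return hostname.encode("idna").decode("ascii")


def scripts_in(label):
    """Scripts of the letters in one label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Map known look-alike letters to the Latin letter they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)


def check_hostname(hostname):
    """Flag a displayed hostname that may be a homograph of a Latin name."""
    reasons = []
    for label in hostname.split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot be homographs
        scripts = scripts_in(label)
        if len(scripts) > 1:  # the classic mixed-script heuristic
            reasons.append("%r mixes scripts %s" % (label, sorted(scripts)))
        ascii_form = skeleton(label)
        if ascii_form != label and ascii_form.isascii():
            # Whole-script case: every letter imitates a Latin one, so a
            # mixed-script check alone would miss it.
            reasons.append("%r imitates ASCII label %r" % (label, ascii_form))
    return {"punycode": to_punycode(hostname),
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: Cyrillic "a" in "apple", and an all-Cyrillic "chase".
    for host in ("www.colorado.edu", "\u0430pple.com",
                 "\u0441\u04bb\u0430\u0455\u0435.com"):
        print(host, "->", check_hostname(host))
```

Feeding the displayed hostname from a suspicious link into `check_hostname` shows both the "xn--" name the browser will resolve and why the displayed name is not what it appears to be.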

Additional Information

Additional information about this vulnerability is available at:

https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

https://isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/

If you have any questions, please contact the IT Service Center at 303-735-4357 (or 5-HELP from an on-campus phone) or help@colorado.edu. IT Service Center Hours: https://oit.colorado.edu/support/it-service-center.