Experts: International domain names may pose threat

IDG News Service - Security experts are warning about a new threat to Web surfers: malicious Web sites that use international domain names to spoof the Web addresses of legitimate sites.
The new trick is a variation of a known technique called the "homograph attack" and takes advantage of loopholes in the way some popular Web browsers display domain names that use non-English characters. It could allow malicious hackers and online identity-theft groups to trick unsuspecting users into divulging sensitive personal information, according to an advisory from The Shmoo Group, a hacker collective, and from Secunia.
The warning was published after a demonstration of the new kind of homograph attacks at ShmooCon, a hacker convention in Washington. Copenhagen-based Secunia issued an advisory on the new issue for users of affected browsers and declared the vulnerability "moderately critical."
Homograph attacks are a well-known trick in which character resemblance, for example, between the letter "O" and the number "0," is used to fool users into thinking that a bogus Web site actually belongs to a legitimate company. For example, malicious hackers might register the domain www.pcw0rld.com and design it to mimic the popular computer news Web site.
The latest threat was first described by Evgeniy Gabrilovich and Alex Gontmakher, computer science students at Technion-Israel Institute of Technology. The attack takes advantage of changes supported by Internet standards bodies such as the Internet Engineering Task Force to allow domain names to be registered in national alphabets using non-English characters. The new Internationalized Domain Name (IDN) program makes it easier for non-English speakers to use the Web but also creates opportunities for malicious hackers, Gabrilovich and Gontmakher wrote.
For example, attackers could register a Web domain "bloomberg.com," which looks identical to the popular business news Web site, but in which the letters "o" and "e" have been substituted with identical-looking substitutes from the Cyrillic alphabet, used in the Russian language, creating a new domain, the authors said (download PDF). In another example, the authors registered the domain www.microsoft.com, in which the English letters "c" and "o" in that domain were substituted with their Cyrillic counterparts.
Links to the bogus Web sites in e-mail messages could be disguised by hiding the actual Web site address with non-English characters, such as "http://www.pаypal.com," in the HTML code of the e-mail message. Affected Web browsers would make the trick work by cleaning up that address and displaying it with the international character. In this example, it would look like "www.paypal.com," said Dan Hubbard, senior director at WebSense Inc. in San Diego.
Some