[dba-Tech] "almost impossible to detect" phishing attack

Peter Brawley peter.brawley at earthlink.net
Mon Apr 17 13:14:47 CDT 2017

On 4/17/2017 12:00, John R Bartow wrote:
> A Chinese infosec researcher has discovered a new "almost impossible to
> detect" phishing attack that can be used to trick even the most careful
> users on the Internet.
> He warned, Hackers can use a known vulnerability in the Chrome, Firefox and
> Opera web browsers to display their fake domain names as the websites of
> legitimate services, like Apple, Google, or Amazon to steal login or
> financial credentials and other sensitive information from users.
> http://tinyurl.com/mtbkboq
> Firefox uses can follow below-mentioned steps to manually apply temporarily
> mitigation:
> 1. Type about:config in address bar and press enter.
> 2. Type Punycode in the search bar.
> 3. Browser settings will show parameter titled: network.IDN_show_punycode,
> double-click or right-click and select Toggle to change the value from false
> to true.
> Unfortunately, there is no similar setting available in Chrome or Opera to
> disable Punycode URL conversions manually, so Chrome users have to wait for
> next few weeks to get patched Stable 58 release.

Interestingly, Google Chrome 57 "can't reach" his apple.com page, but 
does reach the epic.com proof-of-concept page.


> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com

More information about the dba-Tech mailing list