Scam Alert: Phishing sites masking domain names

Wordfence and Graham Cluley have alerted us to a dangerous change in phishing attacks: phishing sites masking domain names. Please read on, and then share this important information with your network, so your friends and family aren't taken in by new phishing scams.

Phishing sites masking domain names

Simply put, we used to tell people that to avoid a phishing scam, they should check the address bar to make sure they were on the correct site. And now that is no longer a reliable clue, which makes things much more complicated for the less Internet-savvy among us.

What is phishing?

Phishing is when a malicious website pretends to be a legitimate website you would have a reason to be on, and it tries to get you to enter personal information. That can be your username and login for the real site, your credit card number, or all sorts of other information they might use for ill-intentioned purposes.

Most often, you would be led to a phishing site by clicking on a link in an unsolicited email. The email might appear to be from your water company, your Internet service provider or cable company, a store, Google, or any number of other places you might do business with.

How can you avoid being scammed?

In the past, there were three main ways to avoid being taken in by a phishing scam.

  1. Don't click on unsolicited and unexpected emails. As an example, if you know you did in fact pay your last cell phone bill, don't click on the email that says you didn't, and asks you to click to pay online.
  2. Type the address yourself into the address bar of your browser. To further our example, if you aren't sure whether you did pay your bill or not, type your cell phone provider's URL yourself into your address bar, and go verify your account that way.
  3. If you did click on a link, verify the URL that appears in your address bar. If you already clicked on the link in question, make sure that the URL is correct - for example, make sure you are on "apple.com" and not "apple.com.fakesite.com" or "apple-com.fakesite.com".
Don't let this be you!

What has changed?

For the technical details, you can check out the explanations over on Wordfence or Graham Cluley's website. In a nutshell, Unicode, which is a character encoding system, can be used to make a browser like Firefox or Chrome display a domain name with characters that look like different ones. In Wordfence's example, they were able to set up a website with this domain: https://xn--e1awd7f.com, which displays as https://www.epic.com when you visit it in Chrome or Firefox.

This means that suggestion #3 above is no longer reliable. This is a serious security issue, because malicious people can now effectively create phishing sites that mask their domain names, and trick you into thinking you are on the real website rather than their copy, which they are using to steal your information.
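The check below is an added example, not code from Wordfence, Graham Cluley or this site. It decodes the "xn--" form of a hostname to what a browser may display and flags labels that mix scripts or consist entirely of Cyrillic letters resembling Latin ones. The function names and the `LOOKALIKES` table are constructed for illustration, and the table covers only a small subset of confusable characters.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# Assumption: a production check would use the full Unicode confusables data.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

def to_unicode(host):
    """Decode each "xn--" (Punycode) label to the form a browser may display."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts(chars):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in chars}

def assess(host):
    """Return (displayed_form, latin_skeleton, verdict) for a hostname."""
    shown = to_unicode(host)
    # What the name looks like to someone reading it as Latin letters.
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in shown)
    for label in shown.split("."):
        letters = [ch for ch in label if ch.isalpha()]
        found = scripts(letters)
        if len(found) > 1:
            return shown, skeleton, "mixed-script"
        # A whole label built only from look-alike letters reads as a Latin word.
        if found and found != {"LATIN"} and all(ch in LOOKALIKES for ch in letters):
            return shown, skeleton, "lookalike"
    return shown, skeleton, "ok"

if __name__ == "__main__":
    # The first host is the Wordfence domain quoted above; the second is constructed.
    for host in ("xn--e1awd7f.com", "example.com"):
        shown, skeleton, verdict = assess(host)
        print(f"{host}: reads as {skeleton!r}, verdict={verdict}")
```
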

So what can I do to stay safe?

Rules 1 & 2 suggested above still apply:

  1. Don't click on unsolicited and unexpected emails.
  2. Type the address yourself into the address bar of your browser.

You can also follow instructions provided by Wordfence for turning off the Unicode conversion in your Firefox browser, but you might not want to attempt that unless you are a tech-savvy user. Graham Cluley says that Chrome plans to roll out a fix for this issue by the end of April.

He further suggests:

  • you can use a password manager that will recognize these Unicode sites and will not enter your password into them automatically. LastPass, 1Password, and Dashlane are good choices here.
  • you can copy and paste the URL into the Edge or Safari browsers, which aren't affected at this time, or
  • you can copy the URL from the Chrome address bar and re-paste it into the same location; a Unicode URL should then appear if the domain name has been masked with this method, so you would see that the site is not legitimate after all.

Knowledge is power. Please share this information with your friends and family so you can help keep them safe from phishing fraud.


Alisa Cognard

Alisa was one of the first team members to join Red Earth Design, Inc. in early 2004. From data entry, she progressed to MySQL database manipulation and PHP coding. Alisa is responsible for all kinds of odds and ends: installing new websites, adding features to them, programming databases, PHP coding, website troubleshooting, website security, and organizational tasks for Red Earth Design.

2 thoughts on “Scam Alert: Phishing sites masking domain names”

  1. Phishing – someone in Romania accessed my Yahoo email masking over chrome browser. I think they grabbed my email details and password (now changed) as I typed both in twice and the details vanished twice. I thought it was typed in correctly, so what's going on? Closed the chrome and logged in with firefox and no problem. Next thing Yahoo emailed me saying someone had gained entry into my email account from Romania. How do they get by a firewall, and an up-to-date anti-virus checker?

    1. Hi Chris,
      Unfortunately, firewalls and virus scan programs don’t do much about phishing. Some may alert you to a possible phishing site, but sometimes they just don’t. Two things I would try in your situation are doing a spyware check on your machine, and downloading a clean copy of Chrome without any extensions which might have been pirated. If you have any extensions activated on your Chrome browser, and any of those were hacked, that could be a potential way in.
