Posted

Source : http://story.news.yahoo.com/news?tmpl=story&cid=528&ncid=528&e=3&u=/ap/20050207/ap_on_hi_te/web_browser_flaw_1

 

 

Officially, the Internet's Domain Name System supports only 37 characters — the 26 letters, 10 numerals and a hyphen.

 

But in recent years, in response to a growing Internet population worldwide, engineers have been working on ways to trick the system into understanding other languages.

 

Engineers have rallied around a character system called Unicode. The newly discovered exploit takes advantage of the fact that characters that look alike can have two separate codes in Unicode and thus appear to the computer as different. For example, Unicode for "a" is 97 under the Latin alphabet, but 1072 in Cyrillic.

 

Subbing one for the other can allow a scammer to register a domain name that looks to the human as "paypal.com," tricking users into giving passwords and other sensitive information at what looks like a legitimate site.

 

Some browsers, including Firefox, let users deactivate the other character sets but doing so is complicated and would cut off access to the relatively few sites that use non-English characters in their addresses.

 

A better solution is to always manually type the Web address directly into a browser rather than clicking on a link sent via e-mail or even copying and pasting that link.

Posted

a similar example of the never follow an untrustworthy link is like this:

 

wow you can win lotsa money, click here:

www.winmoney.com

 

click it, it'll take you to google, now if i were some idiot sending around pointless scam emails and generally pi$$ing others off for no reason like email spammers do i could change the google to anything i want, a trojan, spyware, premium rate phone call site... that's the possibilities of it.

 

saying that i ever so rarely type it myself! when i get something which is blatantly spam, like "please enter your credit card details" and i don't even have a credit card! i sometimes look at the source code to see where i am really going and often it is not what it says... i say i look at the source code because i use yahoo email which is web based.

Posted

A possible solution for this (well not solution but a help anyway) would be to have a browser option to highlight non latin characters.
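The check suggested in the post above, for the look-alike "a" described in the first post, as an added example that is not part of the original thread. The function names, the three-script list and the sample hostname are assumptions constructed for illustration.

```javascript
// Added example: report non-ASCII characters in a hostname and flag labels
// that mix scripts (e.g. Latin + Cyrillic), as in the spoofed "paypal.com".
// Only these scripts are named; any other letter is reported as "Other".
const SCRIPTS = ["Latin", "Cyrillic", "Greek"];
const SCRIPT_RE = SCRIPTS.map((s) => [s, new RegExp(`\\p{Script=${s}}`, "u")]);

function scriptOf(ch) {
  // Digits, hyphen and combining marks belong to no particular script.
  if (/[\p{Script=Common}\p{Script=Inherited}]/u.test(ch)) return null;
  const hit = SCRIPT_RE.find(([, re]) => re.test(ch));
  return hit ? hit[0] : "Other";
}

function inspectHostname(host) {
  const labels = host.toLowerCase().split(".").map((label) => {
    const scripts = new Set();
    const nonAscii = [];
    for (const ch of label) { // for...of iterates by code point
      const script = scriptOf(ch);
      if (script) scripts.add(script);
      const codePoint = ch.codePointAt(0);
      if (codePoint > 0x7f) nonAscii.push({ ch, codePoint, script });
    }
    return { label, scripts: [...scripts], nonAscii, mixed: scripts.size > 1 };
  });
  return {
    host,
    // The WHATWG URL parser converts the name to its ASCII ("xn--") form,
    // which is what is actually looked up in DNS.
    ascii: new URL("http://" + host).hostname,
    labels,
    suspicious: labels.some((l) => l.mixed),
  };
}

// Constructed sample: "paypal.com" with the first "a" replaced by
// Cyrillic U+0430 (decimal 1072) instead of Latin U+0061 (decimal 97).
const sample = inspectHostname("p\u0430ypal.com");
console.log(sample.ascii, sample.suspicious, sample.labels[0].nonAscii);
console.log(inspectHostname("paypal.com").suspicious);
```

A label written entirely in one non-Latin script is not flagged as mixed, so the `nonAscii` list and the `ascii` form are what expose a name made only of look-alike letters.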

Posted

Yeah. I actually got that Paypal scam email. I have also been solicited by many "banks" I allegedly have accounts at to submit all my banking information so they can "verify" it. Some things people can simply do better. Typing in complete addresses would be extremely cumbersome. Ignoring nonsense is easier.

Posted

that example is not similar at all!! did u even read the article! in ur example i can hover over the link and see where it points to. or right click the link and then view properties...

 

but this scam exploits the fact that certain letters will have different codes in different character sets.. so to us it may look like http://www.ebay.com even if you check if the link actually points to the correct site.... but to the computer it will be completely different as the various letters with a different code from a different character set....

Posted

it was similar in the way that it is a link to something which isn't what it says it is... it may be a more basic form of it, but if you think of your problem as 'you don't know what you're really clicking on' it made me think of what i said.

Posted

Thanks for the info at the end of the first post. I always used to copy paste links and could have fallen foul of that one, maybe I have already but again thanks for the heads up.
