
Paypal Cyrillic Example
In what some are calling one of the biggest changes in the Internet’s history, the board of ICANN (the Internet Corporation for Assigned Names and Numbers) recently approved the use of Web addresses written in non-Latin alphabets, including Chinese, Arabic and Russian. Thus as of mid-2010, it will be possible to type an entire domain name in Kanji, Cyrillic or Hebrew. The move has been hailed as a major step forward in the internationalization, and even the democratization, of the Internet beyond its English-only roots.
While the move may open up the Internet to regions such as the Middle East and Asia, it is not without potential future crime problems. Gizmodo ran an interesting article on the topic in which a researcher noted the possibility of presenting a non-Roman alphabet (such as Cyrillic) in such a way as to cause confusion among the public as to the actual domain being visited. In the example provided, the Russian word “raural” was purportedly represented by Cyrillic characters that render identically to “Paypal” in Roman script. Thus users who thought they were on the Paypal site were in fact on the spoofed “raural” site.
There is no doubt that criminals will rush to take advantage of any new change to the Internet domain infrastructure that creates an opportunity for further transnational crime. In this particular case, while the threat potential is noteworthy, I suspect it is just as likely that ICANN and other large registrars will act quickly to try to address the problem. Smaller domain registrars, however, may be slower to prepare for any such potential exploit. No doubt the criminals will at least try to exploit the linguistic changes, which should make 2010 an interesting year for a new range of potential attacks.
Gizmodo Story Follows below:
How Non-Latin Domain Names Could Be Used to Steal Your Money
Unicode is great because it supports multiple languages simultaneously, bringing international understanding, universal peace, and planetary love. And so is ICANN’s decision to allow domain names that use non-Latin alphabets. Until both combine to steal your credit card numbers.
Or your login name, passwords, address, or whatever other data a phishing site can get from you.
Until now, there was an easy way to test if a site was legit or not: You just look at the browser URL. If it’s not paypal.com or amazon.com or whatever.com, then it’s not those companies’ web sites, no matter how well they clone their layout and graphics.
The problem will come in 2010. That’s when sites’ URLs will start popping up in non-Latin alphabets like Cyrillic. And that’s when there will be cases of mistaken identity: Just check the image above, in which the Russian word “raural” becomes “paypal.” According to trademark expert Charlie Abrahams, of MarkMonitor:
The risk for general brand abuse is going to increase exponentially. It’s difficult enough in English. At present, most e-mail phishing does not use anything that resembles the real site name. We could see the level of sophistication in phishing attacks increased by the use of foreign languages.
Can you see what this is going to bring? Yes, unless someone comes up with rules soon, this will bring a big bag full of hurt. [The Times via Mashable]
Note: To those readers who said there’s no “l” in the Cyrillic alphabet, you are right, there’s no “l” in traditional Cyrillic, but there is in the extended Cyrillic supported by Unicode.
By Jesus Diaz, Gizmodo.
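A defender-side check for the homograph problem the post and the Gizmodo story describe (Cyrillic “raural” rendering as “paypal”, including the extended-Cyrillic “l” from the note), added here as an example and not code from the original post or from Gizmodo: it shows the punycode form a registry actually stores, flags labels that mix Latin and Cyrillic letters, and maps Cyrillic lookalikes onto the Latin letters they resemble so an all-Cyrillic label can be compared against a brand watch list. The lookalike table, the watch list and the sample labels are constructed for this example.

```python
import unicodedata

# Cyrillic letters whose usual glyphs look like Latin letters. Constructed
# subset for this example; Unicode's confusables.txt is the authoritative list.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0441": "c",  # с
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0443": "y",  # у
    "\u0456": "i",  # і
    "\u04c0": "l",  # Ӏ palochka, the "l" that exists only in extended Cyrillic
    "\u04cf": "l",  # ӏ lowercase palochka (what str.lower() turns U+04C0 into)
}

WATCH_LIST = {"paypal", "amazon"}  # constructed brand watch list


def script_of(ch):
    """Classify a character as latin, cyrillic or other by its Unicode name."""
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN "):
        return "latin"
    if name.startswith("CYRILLIC "):
        return "cyrillic"
    return "other"


def skeleton(label):
    """Replace Cyrillic lookalikes with the Latin letters they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label.lower())


def analyze_label(label):
    """Report homograph-risk indicators for one hostname label."""
    scripts = {script_of(ch) for ch in label if ch.isalpha()}
    skel = skeleton(label)
    return {
        # What the registry and the wire actually see (xn-- form for non-ASCII)
        "punycode": label.encode("idna").decode("ascii"),
        # Latin and Cyrillic letters in one label is a strong phishing signal
        "mixed_script": len(scripts) > 1,
        # An all-Cyrillic "раураӀ" mixes nothing, so compare the skeleton too
        "lookalike_of": skel if skel != label.lower() and skel in WATCH_LIST else None,
    }
```

Feed each label of a hostname to `analyze_label`; a result with `mixed_script` set or `lookalike_of` naming a brand is worth surfacing in mail filtering or browser-side warnings, and the `punycode` field is what to log and block on since the xn-- form is unambiguous.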