New phishing attack almost impossible to detect on Chrome, Firefox and Opera

A Chinese infosec researcher, Xudong Zheng, has discovered a new phishing attack that is ‘almost impossible to detect’, which could deceive even the most careful users on the Internet.
He wrote on his blog that Punycode makes it possible to register domains containing non-ASCII characters. It works by converting each domain label into an alternative form that uses only ASCII characters, prefixed with “xn--”. For example, the domain “xn--s7y.co” is equivalent to “短.co”.
From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.
Fortunately, modern browsers have mechanisms in place to limit IDN homograph attacks. Chrome’s policy page, “IDN in Google Chrome”, sets out the conditions under which an IDN is displayed in its native Unicode form. In Chrome and Firefox, the Unicode form is hidden if a single domain label mixes characters from more than one script (writing system). The “аpple.com” domain described above therefore appears in its Punycode form, “xn--pple-43d.com”, to limit confusion with the real “apple.com”.
Chrome’s (and Firefox’s) homograph protection unfortunately fails if every character is replaced with a look-alike from a single foreign script, because the label is then not mixed-script at all. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by using only Cyrillic characters (including the Cyrillic palochka “ӏ”, U+04CF, in place of the Latin “l”).
“You can check this out yourself in the proof-of-concept using Chrome or Firefox. In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable,” Zheng wrote.
It becomes practically impossible to identify the site as fraudulent without carefully inspecting the URL or the site’s TLS certificate: DNS and certificates only ever carry the ASCII “xn--” form, so the certificate’s subject and subject alternative names reveal “xn--80ak6aa92e.com” even when the address bar shows “аррӏе.com”. Zheng’s post links to a program that demonstrates the difference between the two sets of characters. Internet Explorer and Safari are fortunately not vulnerable.

[Image: Chrome address bar displaying the spoofed domain in its Unicode form; source: xudongz.com]
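The following Python script is an added example written for this article; it is not Zheng’s code and not the browsers’ implementation. It reproduces the three article examples with the standard library’s IDNA codec, models the single-script display rule the article attributes to Chrome and Firefox (a simplified model, not the real policy), shows that the all-Cyrillic “аррӏе.com” passes that rule while “аpple.com” does not, and then applies a confusable-skeleton check that catches the single-script case. The PROTECTED brand list and the CONFUSABLES mapping are assumptions (a hand-picked subset of the Unicode TR39 confusables), and the sample domains are constructed from the article.

```python
import unicodedata

# Constructed sample domains: the article's examples plus a benign CJK IDN.
SAMPLES = [
    "apple.com",                            # the genuine ASCII name
    "\u0430pple.com",                       # Cyrillic а + Latin "pple": mixed script
    "\u0430\u0440\u0440\u04cf\u0435.com",   # аррӏе.com: all Cyrillic, bypasses the mixed-script rule
    "xn--80ak6aa92e.com",                   # the same domain as it appears in DNS and certificates
    "\u77ed.co",                            # 短.co: a legitimate single-script IDN
]

# Cyrillic letters that render like Latin letters in common fonts. Assumption:
# a hand-picked subset of the Unicode TR39 confusables table, not the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l",
}

# Assumed brand list an organisation would want to protect; not from the article.
PROTECTED = {"apple", "google", "paypal"}

SCRIPT_KEYWORDS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "CJK",
                   "HIRAGANA", "KATAKANA", "HANGUL", "HEBREW", "ARABIC")


def to_punycode(domain: str) -> str:
    """Unicode domain -> ASCII-compatible (xn--) form, label by label, via the IDNA codec."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """xn-- form -> Unicode; a domain that is already Unicode comes back unchanged."""
    return domain.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Approximate a character's script from its Unicode name. unicodedata exposes no
    Script property, so this is a heuristic that is adequate for letters."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    for keyword in SCRIPT_KEYWORDS:
        if keyword in name:
            return keyword
    return "OTHER"


def is_mixed_script(label: str) -> bool:
    """True when one label contains letters from more than one script."""
    return len({script_of(c) for c in label} - {"COMMON"}) > 1


def displayed_form(domain: str) -> str:
    """Simplified model of the display rule the article describes: show the Unicode
    form only when every label is single-script, otherwise fall back to Punycode."""
    unicode_form = to_unicode(domain)
    if any(is_mixed_script(label) for label in unicode_form.split(".")):
        return to_punycode(unicode_form)
    return unicode_form


def skeleton(label: str) -> str:
    """Collapse look-alike characters to the ASCII letters they resemble."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def homograph_of(domain: str):
    """Return the protected name the first label impersonates, or None.
    This catches the single-script case that the mixed-script rule lets through."""
    label = to_unicode(domain).split(".")[0]
    collapsed = skeleton(label)
    if collapsed != label and collapsed in PROTECTED:
        return collapsed
    return None


if __name__ == "__main__":
    for domain in SAMPLES:
        print(f"{to_punycode(domain):24} shown as {displayed_form(domain):14} "
              f"impersonates {homograph_of(domain)}")
```

Running the script shows “аpple.com” being demoted to “xn--pple-43d.com” while “аррӏе.com” is displayed in full, exactly the gap Zheng describes; the skeleton check flags both as impersonating “apple”, and leaves “短.co” alone. The same two functions can be run over proxy or mail-gateway logs, where domains appear in their xn-- form.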
Zheng explained that this bug had been reported to Chrome and Firefox on 20 January 2017 and was fixed in the trunk of Chrome 59 (currently in Canary) on 24 March. The Chrome team has since decided to include the fix in Chrome 58, which should be available around 25 April.
[Image: Firefox address bar displaying the spoofed domain in its Unicode form; source: xudongz.com]

[Image: Firefox certificate viewer for the same site, showing the certificate issued to the xn-- form of the domain; source: xudongz.com]

Firefox has not yet fixed the problem, as Mozilla remains undecided whether it falls within the browser’s scope.
However, Firefox users can limit their exposure to this bug by going to about:config and setting network.IDN_show_punycode to true. This forces Firefox to always display IDN domains in their Punycode form, making it possible to identify malicious domains by their “xn--” prefix.
“Thanks to /u/MARKZILLA on reddit for this solution,” Zheng acknowledged.
Firefox users can apply the temporary mitigation manually as follows:

  1. Type about:config in the address bar and press Enter.
  2. Type Punycode in the search bar.
  3. The settings list will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.

[Image: Firefox about:config with network.IDN_show_punycode set to true; source: xudongz.com]

“I hope Firefox will consider implementing a fix to this problem since this can cause serious confusion even for those who are extremely mindful of phishing,” Zheng said in his blog.
Opera
Unfortunately, there is no similar setting in Opera to force Punycode display of IDN domains, Zheng said.
He advised that a simple way to limit the damage from bugs such as this is to always use a password manager: a manager matches saved credentials against the exact domain, so it will not offer the “apple.com” login on “xn--80ak6aa92e.com” however convincing the address bar looks. In general, users must be very careful and pay attention to the URL when entering personal information.
You can also follow Zheng on Twitter @Xudong_Zheng