For Apple users without latest security updates, the letter 'd' is not always the letter 'd'

Apple users are advised to install the company's July security updates if they don't want to fall victim to IDN homograph phishing attacks.

Most Apple users install updates promptly, but there is always a small group of people who, for one reason or another, legitimate or not, lag behind.

If you're in that latter group, you should be aware that the letter "d" is not always the letter "d" when it appears in Safari's address bar.

This might sound like a non-issue, but it's actually a very important problem that all Apple users who don't run the latest OS software need to be aware of, as they could fall victim to what security researchers call "IDN homograph attacks."


IDN (internationalized domain name) homograph attacks happen when someone registers a domain using Unicode characters that look like standard ASCII Latin letters but are not. For example, coinḃase.com is an IDN homograph of coinbase.com (notice the dot above the letter b).

These lookalike domains are usually used for phishing, tricking users into thinking they accessed a legitimate site when they're on a cleverly crafted clone.

IDN homograph attacks have been a recurring issue over the past year or so, and several incidents involving homograph attacks against cryptocurrency exchanges in 2017 and 2018 have been reported in the security news media [1, 2, 3].

Driven by this new wave of homograph attacks, xisigr, a security researcher at Tencent Security Xuanwu Lab, has recently taken a look at how Apple products handle Unicode characters.

What the researcher found is that Apple does a good job with most Unicode characters, except one: the letter dum (ꝱ, U+A771), part of Unicode's Latin Extended-D block.

The letter looks like a normal lowercase Latin 'd', except that it carries a small apostrophe-like stroke at its lower right. xisigr found that Safari did not render that stroke, displaying the letter dum as a plain Latin letter 'd'.

apple-letter-d-dum.png
Image: Tencent Security Xuanwu Lab
apple-letter-d-dum-hack.png
Image: Tencent Security Xuanwu Lab

The Tencent researcher reported his findings to Apple, which shipped fixes in its July security updates for Safari, iOS, macOS, tvOS, and watchOS.

Unfortunately, users who have not applied those updates remain vulnerable. An attacker can register domain names that contain the letter dum in place of a 'd' and use them in phishing campaigns against Apple users.

xisigr says the issue should not be ignored: he found that the letter d appears in almost 25 percent of the top 10,000 domains, giving attackers a large phishing surface.

Some of the domains that a phisher could impersonate include LinkedIn, Baidu, Dropbox, Adobe, WordPress, Reddit, or GoDaddy, just to name a few.

Furthermore, the restrictions some registrars and registries place on internationalized domain names offer little help here. A common rule is to reject labels that mix scripts (Latin with Cyrillic, for example), but the letter dum has the Unicode script property Latin, so a label such as linkeꝱin is a single-script Latin label and passes that check exactly as linkedin does. Only a policy that rejects any non-ASCII code point, or one backed by an explicit confusables list, would stop such a registration.
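The two mechanisms this article leans on, the Punycode form of a lookalike label (the form that actually goes on the wire and that non-affected browsers fall back to displaying) and the fact that a script-based check does not flag U+A771, can be seen directly with a small script. The following is an added example written for this page; it is not code from the Tencent researcher, Apple, or any registrar. The sample hostnames are constructed for the example (linkeꝱin.com is built by substituting U+A771 into linkedin.com and is not claimed to be a registered domain), and the Punycode encoder is a straightforward RFC 3492 implementation so that the example runs offline under Node.js 10 or newer.

```javascript
// Added example for this page (not the researcher's or Apple's code).
// Shows (1) the Punycode form of a label containing U+A771, (2) that NFKC
// normalisation does not fold U+A771 back to 'd' (unlike a full-width 'd'),
// and (3) that a single-script check does not notice the substitution.
// Runs stand-alone under Node.js >= 10; no network access required.

const DUM = '\u{A771}';          // ꝱ LATIN SMALL LETTER DUM
const FULLWIDTH_D = '\u{FF44}';  // ｄ FULLWIDTH LATIN SMALL LETTER D

// Constructed sample hostnames for this example; none is claimed to be registered.
const SAMPLES = {
  genuine: 'linkedin.com',
  dum: 'linke' + DUM + 'in.com',
  fullwidth: 'linke' + FULLWIDTH_D + 'in.com',
};

// RFC 3492 Punycode encoder for a single label (ASCII labels are returned unchanged).
function punycodeEncode(label) {
  const cps = Array.from(label, ch => ch.codePointAt(0));
  const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
  const digit = d => String.fromCharCode(d < 26 ? 97 + d : 22 + d); // a-z, 0-9
  const adapt = (delta, numPoints, first) => {
    delta = Math.floor(first ? delta / DAMP : delta / 2);
    delta += Math.floor(delta / numPoints);
    let k = 0;
    while (delta > ((BASE - TMIN) * TMAX) / 2) {
      delta = Math.floor(delta / (BASE - TMIN));
      k += BASE;
    }
    return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
  };
  let out = cps.filter(c => c < 0x80).map(c => String.fromCharCode(c)).join('');
  const basicCount = out.length;
  if (basicCount === cps.length) return label;
  if (basicCount > 0) out += '-';
  let n = 0x80, delta = 0, bias = 72, h = basicCount;
  while (h < cps.length) {
    const m = Math.min(...cps.filter(c => c >= n));  // next code point to encode
    delta += (m - n) * (h + 1);
    n = m;
    for (const c of cps) {
      if (c < n) delta++;
      if (c === n) {
        let q = delta;
        for (let k = BASE; ; k += BASE) {             // variable-length integer
          const t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
          if (q < t) break;
          out += digit(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += digit(q);
        bias = adapt(delta, h + 1, h === basicCount);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return 'xn--' + out;
}

// The hostname as a browser or resolver puts it on the wire.
function asciiHostname(host) {
  return host.toLowerCase().split('.').map(punycodeEncode).join('.');
}

// Label-by-label inspection of the three properties discussed in the text.
function inspectHostname(host) {
  return host.toLowerCase().split('.').map(label => {
    const nonAscii = Array.from(label).filter(ch => ch.codePointAt(0) > 0x7f);
    return {
      label,
      punycode: punycodeEncode(label),
      nonAscii: nonAscii.map(ch => 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0')),
      // true when NFKC maps every non-ASCII code point back to ASCII (full-width forms do, U+A771 does not)
      nfkcFoldsToAscii: nonAscii.length > 0 && /^[\x00-\x7f]*$/.test(label.normalize('NFKC')),
      // a mixed-script policy only looks at this; U+A771 is Script=Latin, so it passes
      allLatinScript: nonAscii.every(ch => /\p{Script=Latin}/u.test(ch)),
      suspicious: nonAscii.length > 0,
    };
  });
}

for (const [name, host] of Object.entries(SAMPLES)) {
  console.log(name + ': ' + asciiHostname(host));
  console.log('  ' + JSON.stringify(inspectHostname(host)[0]));
}
```

The practical takeaway is in the last two fields: the full-width lookalike is caught by plain NFKC normalisation, whereas the U+A771 label survives normalisation and is single-script Latin, so the only reliable signal is the presence of a non-ASCII code point in the label (or the xn-- prefix in its wire form). That is why showing the Punycode form, as browsers other than the affected Safari builds do, matters.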

If Apple users can't update for the time being, they should at least be aware that the letter "d" in Safari's URL bar may not actually be a "d", and they should use another browser until they can apply Apple's July security patches.
