Home & Office

Globalized domains to up phishing attacks

Launch of local language domain names not likely to significantly impact spam rates but can lead to more phishing attacks, warn security experts.
Written by Vivian Yeo, Contributor on

The upcoming launch of internationalized domain names (IDNs) is unlikely to have a significant impact on spam levels but may deliver a spike in phishing, security experts warned.

Momentum to introduce IDNs has stepped up over the last month, following moves by the ICANN (Internet Corporation for Assigned Names and Numbers) that introduced a fast-track process to allow countries and territories to offer non-Latin top-level domain (TLD) names.

Current domain names are based on the ASCII (American Standard Code for Information Interchange) script, which is based on the English alphabet.

In Singapore, the country's national registry for domain names, the Singapore Network Information Center, announced last month it would launch Chinese domains in phases starting from Nov. 23. DotAsia, the registry operator for ".asia", also said it would accept IDN registrations from the second half of 2010.

IT security professionals point out, though, that IDNs could push phishing volumes upward.

Manish Goel, CEO of BoxSentry, noted in an e-mail that widening the use of IDNs could increase the risk of "IDN homograph attacks", where cybercriminals substitute the numeric "1" for the letter "l".

"This may now be extended to the much wider range of homographs that exists across the Unicode character set [in different languages]," Goel said. "If this pans out, then spammers could send proportionately more phishing attacks than they do at present, with the intent of deceiving end-users into divulging their financial or other private credential data."

Concurring, Commtouch's vice president of products Asaf Greiner said certain phishing scams "may become more prevalent with the proliferation of IDNs".

He told ZDNet Asia in an e-mail that scammers are already using non-ASCII characters that are similar to ASCII counterparts. "In one case, scammers used the Cyrillic 'P' to direct users to a fake PayPal site, in hopes of stealing personal banking information," Greiner said.

He added that the company expects spammers to use non-ASCII characters in URLs contained in the body text of unsolicited messages, in a bid to bypass spam filters that do not recognize these characters. Such URLs, he noted, could link to spam and phishing sites or Web pages that carry embedded malware.

However, Ong Geok Meng, McAfee's antimalware research manager for Asia-Pacific and Japan, noted that improvements in URL filtering have led many phishers to employ a different tactics. Rather than ask the recipient to click on a Web site link, phishers attempt to lure the recipient to send their username and password to a specific e-mail address, Ong explained. "[As such,] I do not believe that the no-URL phish trend will be reversed by IDNs," he said in an e-mail.

He added that with the rollout of IDNs will make it more critical now for users to type the URL of a site they wish to visit, instead of simply clicking on a link. "Even if the link looks legitimate, with [IDN being introduced], it very well may not be."

Editorial standards