A brief update on my previous post about the announcement by ICANN to introduce website addresses with non-Latin characters. To begin with I thought it was a great idea and could see no downside. It seems however that I didn’t think about it long enough, because there is a possible downside that never occurred to me–and this downside is phishing. No, not the tedious task of luring piscine creatures onto a hook, but the more sinister act of luring unsuspecting internet users to undesirable sites, often with the goal of spreading viruses or stealing data.
So how will using non-Latin script possibly increase the likelihood of phishing attacks? Very simply, an unscrupulous person could substitute a letter from a well-known internet address with a similar-looking character from a non-Latin script, thereby creating a brand new website and possibly fooling the user into visiting his site instead.
An example of this may be to substitute a regular Latin letter w with a Thai letter พ (Por Paan). I am sure there are many more examples that are even closer and more confusing. This would allow someone to make the site ‘www.พired.com’ and people may not even notice that they are not going to the ‘wired.com’ that they are expecting.
On a more positive note though, I would expect that measures will be put in place to prevent this, and I would suggest that script mixing not be allowed and that each script be given its own [dot] suffix. If each script’s suffix (i.e. .com, .info etc.) is in the same script and is limited to that script, then that would limit the possibilities of these phishing attacks.
Of course I am sure there are already ‘Phishers’ thinking of ways to get round it.
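The two checks suggested above (no script mixing inside a name, and a suffix in the same script as the name) can be sketched as follows. This is an added example, not part of the original post; `script_of`, `decode_label` and `audit_hostname` are hypothetical helper names, the script of a character is approximated from the first word of its Unicode name, and the sample hostnames are constructed.

```python
import unicodedata

def script_of(ch):
    # Assumption: the first word of the Unicode character name stands in for
    # the script (Python's standard library has no Script property lookup).
    if ch in "0123456789-":
        return None  # digits and hyphen are shared by all scripts
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def decode_label(label):
    # IDN labels travel as ASCII "xn--" punycode; decode before inspecting.
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def audit_hostname(host):
    labels = [decode_label(l) for l in host.rstrip(".").split(".")]
    per_label = {l: {script_of(c) for c in l} - {None} for l in labels}
    # Check 1: a single label that mixes scripts (the 'พired' case).
    mixed = [l for l, s in per_label.items() if len(s) > 1]
    # Check 2: every label, including the suffix, uses one and the same script.
    all_scripts = set().union(*per_label.values())
    return {
        "mixed_labels": mixed,
        "suffix_same_script": len(all_scripts) <= 1,
        "scripts": sorted(all_scripts),
    }

if __name__ == "__main__":
    # Constructed sample hostnames.
    for host in ["wired.com", "www.\u0e1eired.com", "\u0e1e\u0e1e\u0e1e.com"]:
        print(host, audit_hostname(host))
```

A label written entirely in one non-Latin script passes the per-label check, which is why the second field compares the scripts of all labels with that of the suffix.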









So that’s how using non-Latin script could possibly increase the likelihood of phishing attacks. Nice explanation. Thanks for sharing.