Comrade! Russian URL Leads to Fake Apple Site

Here's a test: Click on "https://xn--80ak6aa92e.com". (Don't worry, it's safe.) Now look in the browser address bar. What is the URL now?

Credit: Tom's Guide

(Image credit: Tom's Guide)

If you're on Google Chrome or Mozilla Firefox, it will probably look very much like "https://www.apple.com". But those letters in "apple" are in fact Cyrillic characters reading "arrIe" with an uppercase "i", and the website, as you can see, has nothing to do with Apple.

Your browser has been fooled by a "homograph" attack, in which letters in a URL are replaced with similar-looking letters, often from non-Latin writing systems. Criminals and pranksters have been trying to trick web users with this for years, and web browsers have fought back, but Chrome and Firefox still are vulnerable in certain cases.

A malicious attacker could very easily have used the look-alike Apple URL to create a very convincing replica of the Apple login page as part of a phishing scam, and used it to steal thousands of Apple IDs and passwords. That could in turn have led to iPhones hijacked and held for ransom, private photos being released online, and other mayhem.

Credit: Tommaso Lizzul/Shutterstock

(Image credit: Tommaso Lizzul/Shutterstock)

So we have to thank Xudong Zheng, a New York-based software developer and college student, for registering the fake Apple domain and bringing this issue to the attention of Google and Mozilla. Mark Maunder, CEO of the WordPress security firm Wordfence, also explained the problem on his company blog.

MORE: Best Antivirus Software and Apps

Because the internet was developed largely by Americans, it uses the Latin alphabet for web addresses. That's not much help to the billions of people who use other writing systems, so workarounds exist to display certain addresses in Arabic, Chinese, Cyrillic, and so on. 

Such addresses look like gibberish in the Latin alphabet. But Firefox and Chrome will display them in those languages in which they make sense — as long as the characters in a URL all belong to the same writing system. Internet Explorer and Safari won't do this, and may not even open the pages.

As a result, you get look-alike URLs such as the one above. (Here's another: "https://www.xn--e1awd7f.com/".)

Apple Safari, Microsoft Edge and Microsoft Internet Explorer are immune to this, and the problem will be fixed in the next version of Chrome, due out by the end of April. But it's not clear when Firefox will fix this problem. For now, you can tweak your Firefox settings to display the true "Latin" URL by doing this:

1. Type "about:config" into the address bar and hit Enter or Return.

2. Click the button marked "I accept the risk!"

3. Type "punycode" into the search bar at the top of the resulting page, and hit Enter or Return.

4. Double-clock the resulting line, which should be named "network.IDN_show_punycode". The Value column should change from "false" to "true".

After this, your Firefox browser should render the fake Apple URL as the original https://xn--80ak6aa92e.com.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.