Late on Saturday night, a news story started floating (http://emaraṭalyoum.com/local-section/other/2017-07-29-1.1015498/) in Pakistan that Raheel Sharif had been arrested in Saudi Arabia. It was soon widely discussed in Pakistan’s journalist community on social media. These are some examples:
Sometimes you share something for news gathering purposes in case others know more. Everything one tweets isn’t supposed to be a conspiracy https://t.co/KtfVQJ1Ur8
— Mehreen Zahra-Malik (@mehreenzahra) July 29, 2017
— Umer Ali (@IamUmer1) July 29, 2017
It would eventually turn out that the news was fake and showed a medium degree of technical sophistication on the part of the fraudsters, but one that would dupe most people.
The news website looked like that of the popular UAE media group Emaratalyoum. The fake news was published on a website with a similar name: http://emaraṭalyoum.com . If you look carefully, you’ll find that there is a dot below the t in the domain name. But spotting such a minute difference in the tiny text of a browser’s address bar is not something most people would normally be able to do.
There have been two cases of this in the recent past. In both cases, cyber security researchers had pointed out the dangers of Unicode domain names that give rise to such situations. But yesterday we had it happening for real.
- https://www.xn--80ak6aa92e.com/ was displayed as apple.com in the address bar of your browser until a newer version of the Chrome browser was released. This is due to “punycode”, which makes it possible to register domain names or website names with non-English foreign-alphabet characters. It converts a domain label to an alternative format using only ASCII characters. For example, the domain “xn--pple-43d.com” is equivalent to “аpple.com”. It has, however, a small difference that may not be obvious at first glance: the “аpple.com” here uses “а” from the Cyrillic script (U+0430) rather than the ASCII “a” (U+0061). Such minute visual differences would be missed by most people. This is known as an “IDN homograph attack.” However, back then Mozilla Firefox refused to look into this, citing that it would render non-Latin-alphabet website names unusable. The workaround in the Firefox browser is to tweak “about:config” settings, which most users won’t be able to do easily. It was first reported by Ars Technica.
- http://xn--https-5w14d.cf/paypal.com would look like “🔒https.cf/paypal.com”. This looks similar to the PayPal website, and the padlock is part of the domain name itself of the site that is trying to phish the actual payments website, PayPal!
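The following is an added example, not code from the article, showing the checks a defender (a mail gateway, a proxy log review, a brand-monitoring job) can run over hostnames like the ones above. It decodes `xn--` labels with Python’s standard-library `punycode` codec, flags labels that mix Latin letters with Cyrillic letters (the “аpple.com” case), and compares a diacritic-stripped, confusable-mapped “skeleton” of each label against a list of protected brand names, which also catches the dotted ṭ in “emaraṭalyoum”. The brand list and the short confusables table are constructed assumptions for the demonstration; a production deployment would load the full Unicode confusables.txt instead.

```python
"""Detect IDN homograph look-alikes in hostnames (added example, not the article's code)."""
import unicodedata

# Constructed assumption: brand labels the organisation wants to protect.
PROTECTED_BRANDS = {"apple", "paypal", "emaratalyoum"}

# Constructed assumption: a handful of Cyrillic letters that look like Latin ones.
# Real deployments should load the Unicode consortium's confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def decode_label(label: str) -> str:
    """Turn an ACE label ("xn--...") back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        # The punycode codec does the raw bootstring decoding without any
        # nameprep validation, so the exact registered characters are kept.
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Coarse script classification derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARABIC"):
        if name.startswith(script):
            return script
    return "OTHER"


def is_mixed_script(label: str) -> bool:
    """True when the letters of one label come from more than one script."""
    scripts = {script_of(c) for c in label if c.isalpha()}
    return len(scripts) > 1


def skeleton(label: str) -> str:
    """Strip diacritics (NFD, drop combining marks) and map known confusables to ASCII."""
    decomposed = unicodedata.normalize("NFD", label)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in base).lower()


def analyse_host(host: str) -> dict:
    """Decode every label of a hostname and report homograph indicators."""
    labels = [decode_label(part) for part in host.split(".")]
    mixed = any(is_mixed_script(lab) for lab in labels)
    lookalike = None
    for lab in labels:
        sk = skeleton(lab)
        # A label whose skeleton is a protected brand, but which is not literally
        # that brand, is a visual impersonation of it.
        if sk in PROTECTED_BRANDS and lab.lower() != sk:
            lookalike = sk
            break
    return {
        "host": host,
        "unicode": ".".join(labels),
        "mixed_script": mixed,
        "lookalike_of": lookalike,
        "suspicious": mixed or lookalike is not None,
    }


if __name__ == "__main__":
    # Constructed sample input: the three domains discussed in the article plus a benign one.
    for h in ("xn--80ak6aa92e.com", "xn--pple-43d.com", "emara\u1e6dalyoum.com", "apple.com"):
        print(analyse_host(h))
```

The two checks are deliberately complementary: “xn--80ak6aa92e.com” decodes to an all-Cyrillic label, so the mixed-script test alone would pass it, while the skeleton test catches it; “emaraṭalyoum” is pure Latin script and only the diacritic stripping exposes it. Chrome’s current display policy applies similar script-mixing and confusable rules before deciding whether to show a label in Unicode or as its `xn--` form.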
Whois records for the fake website impersonating the UAE media group Emaratalyoum indicate that its domain was registered on the 12th of this month, under the name of Ryan Wong of Delaware, USA. The name and phone records might be fake, as domain registration doesn’t require proof of identity.
The UAE media group Emaratalyoum that was being impersonated released a statement on its website and highlighted the difference between the two t’s.
Is it time for governing bodies like ICANN to take measures such as limiting the characters allowed in website (domain) names, so that the internet does not remain open to large-scale fraud of this kind?
Aveek Sen is an independent journalist working on cyber security and the geopolitics of India’s neighbourhood, focusing on Pakistan, Afghanistan, Iran and Bangladesh.
He tweets @aveeksen