You've probably gotten this advice many times: Before you click on a link, or certainly before you enter your username and password on a website, carefully check the URL that pops up in your browser's address bar to make sure it looks legit. For instance, if you get, say, an official looking email that claims to be from Apple inviting you to click a link and sign into your account, and you click on the link but look in the URL and see a bunch of gobbledygook, you know to close the page right away. You should especially not enter your password because the site is likely a "phishing" site, designed to steal your password for later misuse. On the other hand, if you click on the link and see a URL that begins "https://www.apple.com," you know you can relax. You're at the real Apple site.
Or maybe not. As web developer Xudong Zheng posted in his blog earlier this week, a URL can look for all the world like it's real and still be fake. To prove it, he offers this link that looks for all the world like "https://www.apple.com." Click on it, look in your browser address bar, and you'll see. But it doesn't actually say "www.apple.com."
The reason is an encoding called Punycode, a legitimate and useful mechanism that lets web addresses contain non-English letters (such as Chinese characters) even though the underlying domain name system only accepts ASCII. A browser converts the ASCII form, which begins with "xn--", back into Unicode before showing it in the address bar. Punycode works, for instance, with the Cyrillic characters used in the Russian alphabet, many of which look similar or identical to letters in the English alphabet. Thus, Zheng explains, the "a" in his fake URL is really a Cyrillic a, not an English a; in fact every letter in that fake "apple" is Cyrillic (the "l" is the Cyrillic letter palochka), which matters because browsers already warn when a single address mixes scripts, and an all-Cyrillic name slips past that check. If you were to copy and paste the fake URL into a word processor or some such, you'd get "https://www.xn--80ak6aa92e.com/". That ASCII string is the address that is actually looked up; the browser decodes it and displays Cyrillic letters whose shapes are "homographs" that look deceptively like our English ones.
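To make the mechanism concrete, here is an added example (written for this page, not code from Zheng's post) that does what the browser does in reverse and forwards: it turns the "xn--80ak6aa92e.com" form back into the Cyrillic letters, re-encodes those letters to confirm the ASCII form, and then runs an illustrative address-bar check. The check flags a label that mixes scripts and, separately, a label that is all Cyrillic yet made only of letters that imitate Latin ones, which is the case the mixed-script rule misses. The lookalike table is a small, assumed subset (the Unicode confusables data in UTS #39 is the real thing), and the check is a demonstration rather than any browser's actual algorithm; the sample hostnames are constructed, except the demo domain quoted above.

```python
import unicodedata

# Constructed inputs: the demo domain from the post, the genuine domain,
# and a mixed-script variant invented for comparison.
SAMPLES = ["xn--80ak6aa92e.com", "apple.com", "\u0430pple.com"]

# Cyrillic letters whose usual glyphs are near-identical to a Latin letter.
# Assumed, illustrative subset; UTS #39 confusables is the authoritative table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04cf": "l",  # ӏ (palochka), the "l" in the demo domain
}


def decode_label(label: str) -> str:
    """Undo the ACE form of one label: 'xn--80ak6aa92e' -> the Unicode the browser shows."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Raw Punycode plus the 'xn--' prefix. Real IDNA also normalises and
    case-folds the label first; that step is omitted here on purpose."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def decode_hostname(host: str) -> str:
    return ".".join(decode_label(part) for part in host.split("."))


def encode_hostname(host: str) -> str:
    return ".".join(encode_label(part) for part in host.split("."))


def scripts(label: str) -> set:
    """Scripts used by the letters of a label; digits and hyphens are neutral."""
    found = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        if ch.isascii():
            found.add("LATIN")
        else:
            # unicodedata names start with the script, e.g. "CYRILLIC SMALL LETTER A"
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(label: str) -> str:
    """Replace each Cyrillic lookalike with the Latin letter it imitates."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def assess(host: str) -> dict:
    """Flag a hostname whose displayed form can impersonate an ASCII name."""
    shown = decode_hostname(host)
    reasons = []
    for label in shown.split("."):
        used = scripts(label)
        if len(used) > 1:
            reasons.append(f"{label!r} mixes scripts {sorted(used)}")
        elif used == {"CYRILLIC"} and skeleton(label).isascii():
            # Single script, so a mixed-script rule stays silent: the demo's trick.
            reasons.append(f"{label!r} is all-Cyrillic but renders like {skeleton(label)!r}")
    mimic = skeleton(shown)
    return {
        "ace": encode_hostname(shown),
        "shown": shown,
        "mimics": mimic if mimic != shown else None,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for host in SAMPLES:
        r = assess(host)
        print(f"{r['ace']:<24} shown as {r['shown']:<12} -> {r['verdict']}")
        for why in r["reasons"]:
            print("   ", why)
```

Run as a script, it prints that "xn--80ak6aa92e.com" is displayed as a five-letter Cyrillic name that renders like "apple.com", that "apple.com" is fine, and that the invented mixed-script variant is caught by the script check alone. The all-Cyrillic case is the one worth studying: none of its letters is Latin, so only a lookalike-aware rule, not a script-mixing rule, can catch it.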
As far as anyone knows, phishers haven't yet taken advantage of this trick, but they could at any time. Zheng reports that Chrome, Firefox, and Opera display the deceptive form, while Safari does not. He reported it to Google, which fixed the problem in Chrome 58, the release now rolling out to users; you may not have that version yet. Internet Explorer can be fooled this way only if you have the relevant language enabled in your settings. Mozilla isn't fixing the issue for now, but Zheng's post describes a Firefox setting you can change to protect yourself: in about:config, set network.IDN_show_punycode to true, and the address bar will show the raw "xn--" form instead of the lookalike letters.
It is, of course, always safest to avoid scam sites altogether. But it's particularly important not to enter your username, password, or other information into a scam site, because collecting that information for illicit use is its whole purpose. And, as Zheng points out, there are ways to make sure a legitimate-looking site truly is the real thing before you enter anything sensitive:
1. Use a password manager.
Commercial password managers, and even the password manager built into a browser such as Google Chrome, match your saved login to the exact domain it was saved for. To the software, "xn--80ak6aa92e.com" is simply a different site from "apple.com," so it will not offer to fill in your Apple password there. Human eyes can be fooled by a lookalike; the manager can't, and a login page where your manager unexpectedly declines to autofill is itself a warning sign.
2. Or use your fingers.
If Apple really is writing you and asking you to sign into your account for some reason, instead of clicking on the link, type "Apple" into your search bar, or "Apple.com" into your browser's address bar. (Check your spelling before you hit "Enter" though. There's a whole other category of scam sites that use common misspellings such as "aplpe" in the hopes of luring in the unwary.)