It has been brought to our attention that a dangerous exploit is out in the wild, called Punycode Phishing. We feel this is of sufficient major concern to bring to the attention of all Express Telephony customers as a matter of urgency.
In plain English: it is possible to register fake domain names/website addresses for almost any website using Punycode, yet the website will appear to be the original site in both Chrome and Firefox browsers. This could lead anyone to unknowingly enter secure and confidential details into a fake website rather than the original SAFE site. Although punycode has been around for years, certain browsers are not providing a defence against it in its current use.
For a more technical explanation and an illustrated walkthrough of the solution, please visit this link at Wordfence security blog
IMMEDIATE action is required on all devices running Chrome and Firefox browsers. This does NOT affect Internet Explorer or Safari. It does however also affect Office 365 users and has been reported to Microsoft since December 2016 but Office 365 is still vulnerable and users should be aware of this issue.
1) Please update Chrome to the latest version (57.0.2987 ) and Firefox (52.0.2) ON ALL DEVICES
Chrome are endeavouring to get out an updated version to the general public on or around 25th April so please check for Chrome updates and be aware that phishing attempts may be prevalent until then to exploit the vulnerability. There are Chrome extensions called Punycode Alert (from 13visio) and Punycode Domain Detection (from WarpDesign) which will attempt to alert you if Punycode phishing is being used in the meantime. (Warning: install at your own risk as these have been developed in a hurry).
2) To fix Firefox
- Open your Firefox browser
- Type about:config in the location bar
- Search for punycode
- There should be an entry called network.IDN_show_punycode
- Click on false and it will change to true
- Check that all is correct by clicking on this link which should now show as
rather than as
Many users do not have browsers set to automatically update and as this exploit can also be used with characters such as the /, there may be many who fall for this exploit in the coming months.
Basic Cybersecurity for All Businesses
We strongly recommend:
Never click on an unknown link either on a website or in an email
Keep all software including browsers up to date
Educate all users of your network and devices on cybersecurity issues
Stay aware of new cybersecurity issues
Back up, back up, back up.
Let´s be careful out there.
For more information on cybersecurity and keeping your devices and business safe, please get in touch. We now offer many safe and secure solutions for all aspects of business and telecoms.
The Express Telephony Team