Browsers such as Chrome, Firefox, and Opera are vulnerable to a new variation of an older attack that allows phishers to register and pass fake domains as the websites of legitimate services, such as Apple, Google, eBay, and others.
Discovered by Chinese security researcher Xudong Zheng, this is a variation of a homograph attack, first identified by Israeli researchers Evgeniy Gabrilovich and Alex Gontmakher, and known since 2001.
A homograph attackA few years back, ICANN voted to allow non-ASCII (Unicode) characters in web domains. Because some Unicode characters look the same, such as Cyrillic "а" (U+0430) and Latin "a" (U+0041), ICANN ruled that using Unicode characters would have led to confusions, and made it harder to distinguish legitimate domains from phishing sites.
That’s why, they voted to use Punycode instead of the real Unicode, in registering Unicode domains. Punycode is specifically equipped to handle this, as it's a standard for representing Unicode text using ASCII characters. For example, the Chinese character “短“ is represented in Punycode as “xn—s7y.”
By default, browser makers were supposed to read the Punycode URL and transform it into Unicode characters inside the browser. Nevertheless, browser makers were quick to understand that Punycode could be used to disguise phishing sites as legitimate sites.
Read more here: www.bleepingcomputer.com/news/security/chrome-firefox-and-opera-vulnerable-to-undetectable-phishing-attack/