Crack in Browser Security Made Users Vulnerable to Identical Domain Phishing Attacks

An important part of making sure your data is secure online is knowing what types of threats are out there. That’s why we wanted to let you know about a recent phishing attack that was widely reported a week ago. While the issue has since been resolved, there are still lessons to be learned from it.

Phishing attacks are when someone sends an email that includes a malicious link, usually from an email address that looks familiar. Simply clicking on the link can infect the recipient’s computer or, alternatively, lead to a site that looks familiar but is actually a clone. When the recipient enters their login information, the hackers are able to steal it.

Wordfence reports that the attack targeted Firefox and Chrome users and was particularly malicious because it used Unicode to perfectly imitate real domains. Unicode is an international encoding standard that assigns a unique numeric value to every letter, digit, or symbol in the world. It makes it possible for every language in the world to translate to “computer speak,” or binary code.

For this attack, the hackers created domain names that looked like legitimate domain names written in the Latin alphabet, but were in fact made up of Unicode characters that resembled those letters. Their domain name was encoded with Punycode, the system that represents Unicode domain names in plain ASCII, and the browser translated that encoding back into the Unicode characters for display, which is how it can look exactly like the real domain name. This is called an IDN homograph attack. They even purchased SSL certificates so that their fake sites had HTTPS connections, which are supposed to be “secure.” Unfortunately, they were secure — but secure for a fake domain.

All of this was originally reported on April 14. By April 19, Chrome released a new version of the browser that solved the issue by revealing the raw punycode instead of the translated domain name. If you’re a Chrome user, make sure you’re currently using the most recent update — 58.0.3029.81 at the time of publication of this article — in order to be protected from this particular attack.

For Firefox users, there’s a way to fix the issue within the current browser. First, type about:config into the location bar. Then, search for “punycode,” without the quotation marks. This should bring up a parameter titled network.IDN_show_punycode which you need to change from true to false. Once you’ve done that, you should be protected.

The bigger issue here is the fact that it’s becoming more and more difficult to identify malicious links within emails. As a general rule, if you’re at all suspicious — or even if you just weren’t expecting an email with links in it — confirm directly with the sender of the email before you click on the link. You can also copy/paste a link address into Notepad or TextEdit, which will reveal a fake punycode address. And of course, don’t ever, ever respond to a request for sensitive information without speaking directly to the sender of the email first.
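The manual check described above, revealing a link's raw punycode form, can also be scripted. The following Python sketch is an added example, not code from Wordfence, Chrome, or Tenta; the hostnames are constructed samples, and the lookalike table is a small constructed subset of the Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset: Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def scripts(label):
    """Scripts used by a label's letters (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_link(url):
    """Report a link's host as DNS sees it and as a browser may render it."""
    host = urlsplit(url).hostname or ""
    # The xn-- (punycode) form is the name that is actually resolved.
    ascii_host = host.encode("idna").decode("ascii")
    # The decoded form is what an address bar may show instead.
    display_host = ascii_host.encode("ascii").decode("idna")
    findings = []
    for label in display_host.split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot hide a Unicode lookalike
        imitates = "".join(LOOKALIKES.get(ch, ch) for ch in label)
        findings.append({
            "label": label,
            "scripts": sorted(scripts(label)),
            # Latin string the label would be read as, if fully mapped
            "imitates": imitates if imitates.isascii() else None,
        })
    return {"ascii_host": ascii_host, "display_host": display_host,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed links: the second host is written entirely in Cyrillic.
    for link in ("https://peace.example/login",
                 "https://\u0440\u0435\u0430\u0441\u0435.example/login"):
        print(inspect_link(link))
```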

Photo courtesy of @oliverthomasklein.
