My Social Engineering post mentioned the dangers of Phishing Attack and this article will describe one of the most lethal Phishing Attack Vector. Phishing Attack from a Known Domain Imagine you open facebook.com with a good looking green padlock followed by "secure" in your address bar and enter your credentials just to find out that you were being targeted by a Phishing Attack. Although this attack vector surfaced in 2017 but even after Q1 2018 , this Phishing Attack is still by far the most lethal of known phishing attacks This example demonstrates how\u00a0an attacker can register their own domain that looks identical to another company\u2019s domain in the browser. Wordfence\u00a0made a Proof of Concept (PoC) on\u00a0a healthcare site called \u2018epic.com\u2019 by registering their\u00a0own fake site. Visit the Phishing domain\u00a0in Chrome or Firefox and see the address bar for comparison you can visit the real epic.com. Notice the difference? Real epic.com in Chrome: Fake epic.com in Chrome: Real epic.com in Firefox: Fake epic.com in Firefox: Both of these domains\u00a0appear identical in the browser but they are completely different.\u00a0The fake epic.com domain is actually the domain https:\/\/xn--e1awd7f.com\/ but it appears in some browsers\u00a0as epic.com. The real epic.com is a healthcare website. Using a\u00a0unicode domain, Hackers\u00a0could clone the real epic.com website, then start emailing people and try to get them to sign into a fake healthcare website which would hand over their login credentials to them.\u00a0Hackers may then have full access to their healthcare records or other sensitive data. WordFence managed to get an\u00a0SSL certificate for this\u00a0demonstration attack domain from LetsEncrypt. Which enabled the\u00a0\u2018Secure\u2019 next to the fake\u00a0domain in Chrome and the little green lock symbol in Firefox. How this Phishing Attack Works? The xn-- prefix is what is known as an \u2018ASCII compatible encoding\u2019 prefix. It lets the browser know that the domain uses \u2018punycode\u2019 encoding to represent Unicode characters. In simple words, this means that if we\u00a0have a domain with Chinese or other foreign\u00a0characters,one can register a domain with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar. In this PoC Demo\u00a0\u2018e\u2019 \u2018p\u2019 \u2018i\u2019 and \u2018c\u2019 unicode characters that look identical to the real characters but are different unicode characters are used. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form. Fix this in Firefox: In your Firefox location bar, type about:config. Do a search for \u2018punycode\u2019. You should see a parameter titled:\u00a0network.IDN_show_punycode Change the value from\u00a0false\u00a0to\u00a0true. Now if you try to visit demo site you should see: Fix this in Chrome? Badluck. Chrome have already released a fix in their \u2018Canary\u2019 release, which is their test release. This should be released to the general public within the next few days. What should Chrome users do ? Copy the URL in the location bar and paste it into Notepad or TextEdit on Mac. It should appear as the https:\/\/xn--\u2026.. version if it is a fake domain. Otherwise it will appear as the real domain in its unencoded form if it is the real thing. Update: Chrome has fixed punnycode domains Safari and Edge Safari and Edge both browsers are safe from this attack vector. Have you ever witnessed phishing attack targeting you or your organization ? what was it and how you countered it ?