I was up early, checking my Twitter feed, and I came across this.
It was a group of people who took letters in a domain name and swapped them for look-alike Unicode characters, so the result looks visually the same although it is actually a completely different domain. I decided to give this a go.
I hopped over to the Homoglyph Attack Generator, put in imgur, and found a close enough match. Then I hopped on over to my favourite registrar and registered it.
Here is what it looks like i.imguʀ.com/ai8sch.jpg
Don’t worry, there isn’t some sketchy 0day or IP logger on there. I promise. I’m from the internet, you can trust me.
You may notice that when you copy and paste that into your URL bar, it will automatically resolve to i.imguʀ.com, which is in fact the domain I actually registered. These are known as Unicode domains, and they are supported by major browsers. A legitimate use of these would be emoji in the URL.
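To see why the look-alike domain above is hard to spot by eye, and how a defender can flag it, here is an added example (not part of the original post) that converts a domain to the Punycode form a resolver actually uses, names every non-ASCII code point in each label, and compares a crude ASCII "skeleton" of the label against a list of trusted names. The confusables table is a constructed subset, not the full Unicode confusables list, and Python's built-in `idna` codec implements IDNA 2003, so the exact mapping of some characters can differ from what a modern browser does.

```python
import unicodedata

# Constructed subset of look-alike mappings (the real Unicode confusables
# table is far larger); enough to handle the label from the post.
CONFUSABLES = {
    "\u0280": "r",  # LATIN LETTER SMALL CAPITAL R, the character in imguʀ
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

def to_ascii(domain):
    """Return the Punycode (xn--) form that browsers and resolvers use."""
    return domain.encode("idna").decode("ascii")

def label_findings(label):
    """Name every non-ASCII code point in a label and flag script mixing."""
    findings = []
    has_ascii_letter = any(c.isascii() and c.isalpha() for c in label)
    for c in label:
        if not c.isascii():
            findings.append("U+%04X %s" % (ord(c), unicodedata.name(c, "UNKNOWN")))
    if findings and has_ascii_letter:
        findings.append("mixes ASCII letters with non-ASCII characters")
    return findings

def skeleton(label):
    """Crude ASCII skeleton: NFKD, drop combining marks, map known confusables."""
    out = []
    for c in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(c):
            continue
        out.append(CONFUSABLES.get(c, c))
    return "".join(out).lower()

def check_domain(domain, trusted):
    """Return {label: findings} for every suspicious label; a finding also
    names the trusted label the suspicious one resembles, when there is one."""
    report = {}
    for label in domain.split("."):
        findings = label_findings(label)
        if not findings:
            continue
        sk = skeleton(label)
        if sk in trusted and sk != label:
            findings.append("skeleton matches trusted label %r" % sk)
        report[label] = findings
    return report

if __name__ == "__main__":
    print(to_ascii("i.imgu\u0280.com"))
    print(check_domain("i.imgu\u0280.com", {"imgur"}))
```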
I picked Imgur because people often use it to share images over IRC. If you throw in a link without an https:// prefix, they will just copy and paste it.
In fact, I tried it on IRC and several people followed the link. It looks innocent enough and would catch many people out. I hope this short overview of the potential for this attack is enough to help you keep your eyes open!