Test with the fake Apple domain https://www.xn--80ak6aa92e.com/.
See "Phishing with Unicode Domains" for more information: https://www.xudongz.com/blog/2017/idn-phishing/.
Also I'm not sure what effect that will have for Chinese users. It might make many of their URLs look strange to them.
There are tons. One prominent email provider is a three-digit number. There's a job board at 51job.com.
(What's 51job? Read in Mandarin, that would be "wǔ yāo job" [five one "job" (the English word)]. This is felt to sound similar to "wǒ yào job" 我要job [I want a job].)
幺 yāo is a common word for 1 when vocalizing a stream of digits. (Such as a phone number / credit card number / account number / etc.) I am told that this originated as a way to easily distinguish 1 from 7 (七 qī) when communicating over a low-quality connection. In the presence of static, yi and qi could sound similar.
CC-CEDICT has a good gloss ( https://www.mdbg.net/chinese/dictionary?page=worddict&wdrst=... ):
> one (unambiguous spoken form when spelling out numbers, esp. on telephone or in military)
None of them seem worth phishing for. In some cases when you google the site name, google will show results from sitename.tld and when you visit the site with the show_punycode true, it will actually load pages from the xn-- equivalent. So it looks like the "original" domain isn't even indexed or online at all.
In another case both the xn-- and "normal" domain sit side by side on the same server. I guess there's no harm in posting these:
cadzandie.be and xn--cadzandi-01a.be. Note there's no ë in the first domain.
Another strange one is
When you type in remboursé.be it actually redirects (?) to the xn-- equivalent.
I'm fascinated but having a hard time seeing sense in this.
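A defender-side check for the two cases above (the xn--80ak6aa92e.com lookalike and the cadzandie.be / xn--cadzandi-01a.be pair), added here as an example rather than code from any poster or tool on this page: it decodes xn-- labels the way a browser would, reports labels that mix scripts, and maps a small constructed subset of Cyrillic/Greek lookalikes back to Latin so the all-Cyrillic "apple" label is still caught. The brand list and the lookalike table are assumptions; Unicode's confusables.txt is the authoritative, much larger source.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
# Assumption for this example; the real confusables.txt is far larger.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ӏ": "l", "ԛ": "q",
    "ο": "o", "ν": "v", "ι": "i", "α": "a",
}

def decode_label(label: str) -> str:
    """Turn an A-label such as xn--80ak6aa92e into its Unicode form."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(label: str) -> set:
    """Scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Replace each known lookalike with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def check_domain(hostname: str, protected: set) -> list:
    """Findings for a hostname; an empty list means nothing looked suspicious."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        scripts = scripts_of(label)
        # A single-script rule alone passes the all-Cyrillic apple lookalike.
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in {label!r}")
        look = skeleton(label).lower()
        if look != label.lower() and look in protected:
            findings.append(f"{label!r} is confusable with {look!r}")
    return findings

if __name__ == "__main__":
    brands = {"apple", "paypal"}  # constructed watch list
    for host in ("xn--80ak6aa92e.com", "xn--cadzandi-01a.be", "51job.com"):
        print(host, "->", check_domain(host, brands) or "no findings")
```

The single-script test is the one browsers used at the time of the linked post, which is exactly why the all-Cyrillic label slipped through; the skeleton comparison is what closes that gap.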
I've been calling people out-of-band for verification using phone numbers from past communications, even if I'm working on transactions that don't seem out of the ordinary. Not that SIM card fraud doesn't happen, but at least that adds another layer of security.
Email validation exists; gmail will let you know if email arrived over TLS or not. Validation that the source of an email matches the "From:" header is generally done by checking the domain's SPF record.
If you are using CAs then homoglyph attacks are the simplest of many attacks based on a system of minimal technical compliance.
In /etc/dnsmasq.conf add something like:
# Add domains which you want to force to an IP address here.
I wonder if anyone is doing this regularly. I didn't hear much about it after the initial fanfare.
How about digital signatures and end-to-end email encryption?
Pretty safe if people actually follow procedures.