!Be careful when logging in!

[Thirdspace]

www.google.com
and
www.google.com  (save to click, leading to non-existing page)

---snip---

www.binance.com

and
two different variations
www.binance.com   one Cyrillic "a" (save to click, leading to non-existing page)
www.binance.com   one Cyrillic "e"  (save to click, leading to non-existing page)

weird... on my pc they are all easily noticeable
when I mouse over the google one, on the bottom left corner it shows http://www.xn--ggle-55da.com/
and for binance, http://www.xn--binnce-5nf.com/ and http://www.xn--binanc-8of.com/
when I click to open the link, the url as I mentioned above shown on the address bar...
so I won't be fooled by these because the address is so obviously different than the real one
is my defective browser saving me from these possible cyrillic fake url?

[1715523989]

1715523989

[TheBeardedBaby]

Thats a new threat level that I havent though of yet. Is that possible? Can you really combine different alphabets in the address bar?
I have never seen a Cyrillic address or any other alphabet except latin letters.
Maybe some other users can give us some more info

Here is one Cyrillic domain for example >
http://дoмeйни.com/ Save to click, domain seller site.

weird... on my pc they are all easily noticeable
when I mouse over the google one, on the bottom left corner it shows http://www.xn--ggle-55da.com/
and for binance, http://www.xn--binnce-5nf.com/ and http://www.xn--binanc-8of.com/
when I click to open the link, the url as I mentioned above shown on the address bar...
so I won't be fooled by these because the address is so obviously different than the real one
is my defective browser saving me from these possible cyrillic fake url?

Yea I also notice it, but I also tested it with the one I have mentioned above, which is registered already and it shows it correctly. I guess there is something  to do with the DNS and the resolving of the host. I put it in my threat list.

I'll try to find a mixed one domain, I think I've seen one before but not 100% sure. If this is possible it is a quite dangerous.

[LtMotioN]

Guys another tip around this is to always check who the certificate is made out to. It is quite easy to get a "green lock". Make sure you always click on the "secure" button by the URL and make sure it shows the correct owner before you login anywhere.

I think though as a community we need to push binance  to register  all these fake domains themselves.. literally every possible fake iteration. If they have the domains registered then someone else can use them.

I will kick it off by sending them a ticket, I think its a good idea for us to all do this. It breaks my heart to see people get scammed out of 1000s of dollars or full bitcoins. Newbies getting scammed is not something we need in this space.

[denis-z12]

www.google.com
and
www.google.com  (save to click, leading to non-existing page)

---snip---

www.binance.com

and
two different variations
www.binance.com   one Cyrillic "a" (save to click, leading to non-existing page)
www.binance.com   one Cyrillic "e"  (save to click, leading to non-existing page)

weird... on my pc they are all easily noticeable
when I mouse over the google one, on the bottom left corner it shows http://www.xn--ggle-55da.com/
and for binance, http://www.xn--binnce-5nf.com/ and http://www.xn--binanc-8of.com/
when I click to open the link, the url as I mentioned above shown on the address bar...
so I won't be fooled by these because the address is so obviously different than the real one
is my defective browser saving me from these possible cyrillic fake url?

I see the same think when hoovering over the address with my mouse. But the letters are the same when you look at the address the way it is written.

[TheBeardedBaby]

After digging a little I found what I was looking for >  IDN homograph attack (link to wikipedia)

Just a short quote from Wikipedia.

The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack). For example, a regular user of example.com may be lured to click a link where the Latin A is replaced with the Cyrillic A.

This kind of spoofing attack is also known as script spoofing. Unicode incorporates numerous writing systems, and, for a number of reasons, similar-looking characters such as Greek O, Latin O, and Cyrillic O were not assigned the same code. Their incorrect or malicious usage is a possibility for security attacks.[1]

The registration of homographic domain names is akin to typosquatting, in that both forms of attacks use a similar-looking name to a more established domain to fool a user. The major difference is that in typosquatting the perpetrator relies on natural human typos, while in homograph spoofing the perpetrator intentionally deceives the web surfer with visually indistinguishable names. Indeed, it would be a rare accident for a web user to type, e.g., a Cyrillic letter within an otherwise English word such as "citibank". There are cases in which a registration can be both typosquatting and homograph spoofing; the pairs of l/I, i/j, and 0/O are all both close together on keyboards and bear a certain amount of resemblance to each other.

I learned something new today.

[gawer33]

that's why it's good if you tick remember me and never delete history the browser will automatically fill you to the most common site you visit. also to remember to bookmark it

[poptok1]

I see the same think when hoovering over the address with my mouse. But the letters are the same when you look at the address the way it is written.

Difference can be seen clearly as day, assuming one knows where to look or uses safe methods for browsing.

Since very long time firefox shows such spoofed characters in the status bar.
Opera is displaying them by default with their real code on page, Chrome is also secured.
Basically old internet explorer browsers are vulnerable to Homograph attack.

[chrisdan]

i almost didn't notice that is a phishing site.
better not click any links from received emails.

[TheBeardedBaby]

Difference can be seen clearly as day, assuming one knows where to look or uses safe methods for browsing.

Since very long time firefox shows such spoofed characters in the status bar.
Opera is displaying them by default with their real code on page, Chrome is also secured.
Basically old internet explorer browsers are vulnerable to Homograph attack.

I have done the same with already registered Cyrillic domain, see here, you can try it yourself.

Here is one Cyrillic domain for example >
http://дoмeйни.com/ Save to click, domain seller site.

It gives some room to such attacks due to the fact that you have some similar letters in both Latin and Cyrillic.

[Jet Cash]

Most surfers don't seem to understand the concept of direct navigation. I've done a lot to try to educate them, as of course it helps to preserve domainname values, but I've not had a lot of success. Google has done a lot of harm by creating the omni-box, and I suspect this is to allow it to fly paid advertising to surfers trying to go directly to a site. It also gives a scammer the chance to harvest the unwary. As long as they can get to a top listing on Google, then they can expect to pick up these surfers.

One good move is to report the site to Google. If enough people do this, then they will de-list it, or popup a warning.

[sncc]

The dangerous thing is that phishing sites sometimes appear on top of search results as advertisement.
The following image is an example from https://www.reddit.com/r/CryptoCurrency/comments/7oxqcn/phishing_alert_watch_out_for_a_binancecom/

https://i.redd.it/2f5hkalrnt801.png


The second one is the fake one as its URL has alpha instead of a.

Do not login from the advertisement of search results, always use bookmark.

[Rimcoin]

Thanks for the information if it works in english it works for others languages so it is necessary to be careful

[Dudeperfect]

Thanks for updating but it is something that is going on since last 2 years and it is sad that advance platforms like Google are misused for such attacks and even Google approves it without verifying the same. However, in such situation, I think it is our responsibility not only to protect ourselves but also to build awareness about it to help others to stay safe.

* PunyCode Domain Detection : I haven't used this extension before but I think this will definitely help us to detect Punycode domains used while phishing attacks.

[Tipestry]

Both of those sites are down as of now. I hope not many people got scammed while they lasted.

This type of thing is one of the reasons we need a way to leave comments on any site, to warn people about this stuff.

[chel0]

Newbie here. I am new in this bitcoin forum so I haven't binance account number yet. Anyway, thank you for sharing the fake website, it would be of great help to us newbies in our future exchange or trading. It reminds us all to be vigilant all the time.

[thehien05bk]

Great warning! thanks for your info!

[TryNinja]

Thats a new threat level that I havent though of yet. Is that possible? Can you really combine different alphabets in the address bar?
I have never seen a Cyrillic address or any other alphabet except latin letters.
Maybe some other users can give us some more info

You may want to check this reddit post: https://www.reddit.com/r/CryptoCurrency/comments/7ykzar/be_careful_of_spoof_exchanges_would_you_have/

A quick comment about the issue:

URL spoofing is a very, very serious problem. The fact that you can even use other non-latin alphabets such as Cyrillic in URLs, results in ultra-sophisticated scam scenarios that are almost impossible to detect. quote: "It is possible to register domains such as ‘xn--pple-43d.com’, which is equivalent to ‘apple.com’. It may not be obvious at first glance, but ‘apple.com’ uses the Cyrillic ‘a’ (U+0430) rather than the ASCII “a” (U+0041)". The technical term for this is Homographic attacks.

Although most major browsers have a way of warning users, it only works if the URL uses a mixture of alphabets.

source
How to protect yourself:

FYI there is a way to shield yourself somewhat from these attacks.

Chrome: https://chrome.google.com/webstore/detail/punycode-alert/djghjigfghekidjibckjmhbhhjeomlda

Firefox: Go to about:config and search for punycode, set network.IDN_show_punycode to true

You can use for example this link to check if you are protected: http://www.umeå.se/

On Firefox the address bar will display the punycode, and on Chrome with the plugin it will show an alert on the bottom right corner.
These are what I use, if someone else uses another browser and know other tips, share them!

source

[jerry0]

The person that posted the picture with the 2 binance links... is the first one legit or not?  Because when you google binance, you see that one with the ad and of course below that, there is the real binance site.  The first link i was told if you click on it, it has binance site but it has a referral id etc.  So is the first one real or not?

[jamids]

That's crazy! Thanks for the info. How did you access this fake site so I know not to do that? It looks pretty real other than those 2 dots under the n.

I saw this warning in facebook as well. Too many fake sites nowadays. This kind of sites usually appear when you search the site in google. The first one that appear is advertisement and if you don't check the URL and log in immediately, you will lose the coins in your account the moment you enter. This is the reason why I always book mark the sites that I use and access it from there always so that I can avoid using google to access the site because of this possibility. There is a case with myetherwallet as well changing the URL with special character.

[SevenSign]

https://i.imgur.com/Qf3nKiI.jpg


Be very careful where you enter your login data! HTTPS means nothing anymore.
Do you notice the small dots(.) below the letters n
If you enter your password in a fake site like that your coins and money are gone. And always have 2 factor authentication activated.

Stay Safe

What a great knowledge you have share for us to be aware this source truly can help us.
More power! God speed on you, all here!