This phishing attack displays the domains identically to legitimate websites in Chrome and Firefox. The fake domain in question is actually https://xn--e1awd7f.com but will display as https://www.epic.com in the address bar of both Firefox and Chrome.
How does this work?
The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.
What we have done above is use ‘e’ ‘p’ ‘i’ and ‘c’ Unicode characters that look identical to the real characters but are different Unicode characters. In the current version of Chrome, as long as all characters are Unicode, it will show the domain in its internationalized form.
At the moment there is a manual fix for this in Firefox, and Chrome is working on one that is currently in their Canary release:
go to about:config in the address bar
search for 'punycode'
change network.IDN_show_punycode from false to true
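A defensive check for the behaviour described in the post above, as an added example that is not part of the original thread: it decodes each `xn--` label and flags labels that render like plain Latin text while containing no Latin letters. The `LOOKALIKES` table and all function names are constructed for illustration, and the table is only a small subset of the real confusable characters.

```python
import unicodedata

# Constructed, deliberately small lookalike table (Cyrillic -> Latin).
# A production check would use the full Unicode confusables data (UTS #39).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04cf": "l",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (decodes the xn-- ACE form)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Rough script names, taken from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def inspect_host(host):
    """Analyse each label; flag labels that read as pure ASCII but are not."""
    findings = []
    for label in host.rstrip(".").split("."):
        try:
            shown = decode_label(label)
        except UnicodeError:
            findings.append({"label": label, "verdict": "invalid-punycode"})
            continue
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in shown)
        if shown.isascii():
            verdict = "ascii"
        elif skeleton.isascii():
            verdict = "lookalike"  # every non-ASCII char imitates a Latin letter
        else:
            verdict = "idn"  # international label that does not mimic ASCII
        findings.append({"label": label, "shown": shown, "skeleton": skeleton,
                         "scripts": sorted(scripts(shown)), "verdict": verdict})
    return findings

def is_suspicious(host):
    """True when any label is a lookalike or fails to decode."""
    return any(f["verdict"] in ("lookalike", "invalid-punycode") for f in inspect_host(host))

if __name__ == "__main__":
    for host in ("xn--e1awd7f.com", "www.epic.com"):  # hosts quoted in the post
        print(host, is_suspicious(host), inspect_host(host))
```

The same check can run over proxy or mail-gateway logs to surface `xn--` hosts whose skeleton matches a brand name the organisation cares about.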
I'm getting the invalid certificate notice now. I am on Windows on my main system and booted up my other PC with Fedora 25, which hasn't been updated recently and had a ca-certificate update. It's nice to see that this has been caught at the certificate level and quite quickly.
Edit: @Dje4321 did some digging and it turns out the ca-certificate update on Fedora was issued before the article above was published three days ago.
Hm, since I'm at work we have Firefox 45.8.0 (ESR) here (update is from 7th March), and the domain gets blocked by Firefox (not the network level) with SSL_ERROR_BAD_CERT_DOMAIN, so not sure why it worked for you...
The problem is that you are accessing the xn--e1 ..bla bla domain without the www. The cert is for the www.xn-e1 bla bla domain - if you add the www. it will work (Win10, Win7, Ubuntu, Manjaro...). All Firefoxes in the current release are affected, and Chrome + Chromium.
Some of us in pentesting have known about punnyPhish for about 3 years already. Nobody ever even attempted to fix it and it likely still won't be patched properly for a while. Certificates are all that will help you most of the time.
In IE8 (yes... we do this here...), funnily enough, it fails because it can't display the characters in the current language setting. So I heard IE8 got more secure now.
Well, obviously. Opera is just a worse Chrome (I used to be an Opera fan... good old times).
A colleague of mine just sent me a link, "xn--80ak6aa92e .com", which sends you to an "apple.com" website. This looks like the normal Apple website in the URL, but a few characters will be converted from Cyrillic to "normal" letters and so the URL looks legit at first sight.
Just wanted to let you know about this. Have a fine and safe day, fellow lurkers.