Paypal v Paypal spot the difference

A new policy approved by the Internet Corporation for Assigned Names and Numbers (ICANN) that will allow non-Latin domain names to be registered in early to mid 2010. This is really exciting for Internet users in areas that use non-Latin alphabets (like Arabic, Japanese, Chinese and Cyrillic), who have spent the last fifteen years without full domain opportunities. However, as the Times Online pointed out this week, this international progress also has some potentially disastrous opportunities for scammers and phishing sites. This is because of the characters that render the same way (despite different meanings) in different scripts. For instance, Cyrillic scripts, which is the basis for the Russian language, shares some of the same letterforms as the Latin alphabet. What this means is that potential evil-doers could register a domain using non-Latin characters that appears to spell out a Latin word.

The Times Online article uses PayPal — already a frequent phishing target — as an example.

If the domain, created using Cyrillic scripts “raural.com” was registered, the way that Unicode-browsers will actually render that domain in latin is as “paypal.com.” In theory, phishers could pass around that link and set up a fake version of the PayPal site to harvest logins and credit card data.

Here’s a graphic for even better illustration of the problem: