Simon Chester previously mentioned the Internet Corporation for Assigned Names and Numbers (ICANN) move towards Internationalised Domain Names.
One of the unanticipated consequences is how words in non-Latin scripts are rendered in browsers using Unicode.
Nigel Kendall of the Times Online explains:
The problem for Western users is that the internet addresses of many well-known companies, such as Apple, Yahoo, Google and PayPal, can also be rendered to look identical in Cyrillic scripts, such as Russian.
To a Roman-reading eye, an e-mail containing a link to any one of these sites might appear genuine, while to a Russian-reading eye, “paypal”, for example, reads as “raural”. An e-mail link could thus lead to a clone site constructed by unscrupulous thieves, who could then use it to harvest personal and financial details, or to steal cash.
The risk for general brand abuse is going to increase exponentially. It’s difficult enough in English.
At present, most e-mail phishing does not use anything that resembles the real site name. We could see the level of sophistication in phishing attacks increased by the use of foreign languages.
I don’t know the Latin equivalent of the character placement — character viewer calls it CYRILLIC LETTER PALOCHKA and that or an uppercase I character in a sans serif font looks like a Latin l.
I don’t know the equivalent — but it looks like a) you can mix the two forms of domain (so have a mostly Cyrillic domain with a Latin character) and b) there is a character that looks the same as a lowercase l in Cyrillic.
It seems that ICANN is aware of the problem and is taking steps to monitor it, but some sites, like an IDN homograph of eBay, are already registered. Although PayPal might not pose a specific threat, it is an issue worth monitoring.
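
As an added illustration (not part of the original post or of any ICANN or browser code), the following sketch shows how a mail filter or brand-monitoring script could flag the two cases discussed above: a label that mixes Latin and Cyrillic letters, and an all-Cyrillic label that reads as a well-known Latin name. The look-alike table, the watch list and the function names are assumptions made for this example.

```python
import unicodedata

# Small hand-picked subset of Cyrillic look-alikes (assumption for this
# example; a real check would use the full Unicode confusables data).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l"}
# Brand names mentioned in the post, used here as a watch list.
WATCHLIST = {"apple", "yahoo", "google", "paypal", "ebay"}


def scripts(label):
    """Scripts used in a label, taken from the first word of each character name."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are shared by all scripts
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def to_ascii(label):
    """Punycode form of a label (simplified: no IDNA normalisation step)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def check_label(label):
    """Classify one domain label and report which watched name it imitates."""
    label = label.lower()
    used = scripts(label)
    # Replace each known look-alike with its Latin twin, then compare.
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in label)
    imitates = skeleton if (skeleton in WATCHLIST and not label.isascii()) else None
    return {"ascii": to_ascii(label), "scripts": sorted(used),
            "mixed": len(used) > 1, "imitates": imitates}


if __name__ == "__main__":
    # Constructed samples: one Cyrillic letter in a Latin label, an
    # all-Cyrillic label ending in small palochka, and the plain ASCII name.
    for sample in ("p\u0430ypal", "\u0440\u0430\u0443\u0440\u0430\u04cf", "paypal"):
        print(repr(sample), check_label(sample))
```

Displaying or logging the `ascii` form instead of the rendered Unicode label makes the difference visible to a reader, since the look-alike labels no longer resemble the genuine name.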