ICANN Infringe Trademarks in Unicode

Simon Chester previously mentioned the Internet Corporation for Assigned Names and Numbers (ICANN) move towards Internationalised Domain Names.

One of the unanticipated consequences is how words in non-Latin scripts convert within browsers in unicode.

Nigel Kendall of the Times Online explains,

The problem for Western users is that the internet addresses of many well-known companies, such as Apple, Yahoo, Google and PayPal, can also be rendered to look identical in Cyrillic scripts, such as Russian.

To a Roman-reading eye, an e-mail containing a link to any one of these sites might appear genuine, while to a Russian-reading eye, “paypal”, for example, reads as “raural”. An e-mail link could thus lead to a clone site constructed by unscrupulous thieves, who could then use it to harvest personal and financial details, or to steal cash.

Christina Warren provides a graphic here of how this looks like in unicode.

Kendall also quotes Charlie Abrahams of MarkMonitor,

The risk for general brand abuse is going to increase exponentially. It’s difficult enough in English.

At present, most e-mail phishing does not use anything that resembles the real site name. We could see the level of sophistication in phishing attacks increased by the use of foreign languages.

Update

One of the readers of Warren’s post points out the lack of a “l” character in Cyrillic to her and her response was,

I don’t know the Latin equivalent of the character placement — character viewer calls it CYRILLIC LETTER PALOCHKA and that or an uppercase I character in a sans serif font looks like a Latin l.

I don’t know the equivalent — but it looks like a) you can mix the two forms of domain — so have a mostly Cyrillic domain with a latin character) and b) there is character that looks the same as a lowercase l in Cyrillic.

Another reader states that this character is not allowed in domain names, and comments on Dean Collins’ article on the subject claims that mixed characters will not be allowed.

It seems that ICANN is aware of the problem and is taking steps to monitor it, but some sites, like an IDN homograph of ebay, are already registered. Although PayPal might not pose a specific threat, it is an issue worth monitoring.

Comments

  1. I’m sure this is possible, but this example is completely wrong. You cannot spell paypal in with Russian characters because there is no “l” character in Russian. “Raural” would be “раурал”.

  2. I wondered the same thing when trying to write “raural” myself on a Cyrillic keyboard online. My conclusion was that there is some character that I could not identify that translates to an “l” in unicode. I did not have the advantage that you do being fluent in Russian.

    I looked into the issue again, and updated the post above. Thanks.

  3. You can use translit.ru to play around with Cyrillic. You type in English, it spits out phonetic Russian. Anyway, the issue is worth monitoring, but it’s not as big a deal as some people are scared of. Not being able to mix alphabets really limits the damage that could be done. As long as a domain name has a q,w,r,i,s,f,g,j,l,z,v,or n, it’s completely safe from the Cyrillic alphabet.