Weaponised Fonts (gardinerbryant.com)
from GMac@feddit.org to privacy@lemmy.ml on 30 Jun 15:21
https://feddit.org/post/31991058

Arguably more security than privacy, but this made me think. I havent considered the use of ambiguous fonts in phishing before. Worth reading.

#privacy

threaded - newest

desmosthenes@lemmy.world on 30 Jun 17:43 next collapse

that’s why mono fonts are best

merde@sh.itjust.works on 30 Jun 18:01 next collapse

And wouldn’t you know, the Wall Street Journal revealed that the Polymarket set up a fake version of their website and named it PoIymarket. (Did you catch it?)

PoIymarket (spelled with a capital “i” instead of a lower case “l”), is a fake version of their platform.

what difference a mono font would make with the I & l difference?

Megabit@lemmy.today on 30 Jun 18:25 collapse

It would make those characters more distinct. Should be able to see it here with a code line. The letter O and the number 0 also have more noticeable differences that go beyond what serif fonts can do

Capital I
Lowercase l 
Number 1
Capital O
Number 0
grandma@sh.itjust.works on 30 Jun 19:08 collapse

Doesn’t need to be mono to fix it. Look at Atkinson Hyperlegible

desmosthenes@lemmy.world on 30 Jun 19:20 collapse

mono fonts just address this consistently as opposed to case by case for sans serif type

freeman@feddit.org on 30 Jun 19:57 next collapse

i thought this is common knowledge with tech people. I heard years ago about swapping of the cyrillic „a“, maybe thats why.

AzuraTheSpellkissed@lemmy.blahaj.zone on 01 Jul 05:45 collapse
nekusoul@lemmy.nekusoul.de on 01 Jul 00:15 next collapse

While this is a very special and interestng use of this attack vector, I do think it often gets too much focus, mostly because it’s ignoring a much bigger problem: The average person doesn’t even know what the legit URL of a website should even be, and that starts with the TLD. Was it .com? Or maybe .org? Maybe some country-TLD or maybe one of the thousands of new TLDs like .world or .finance? If you don’t have a perfect memory of every URL of all the websites you’re using, being able to inspect the exact shape of each letter isn’t going to help you.

strawberry_enjoyer42@lemmy.blahaj.zone on 01 Jul 03:21 collapse

TIL I’m not the average web user. Not suprising, since I use Arch (btw), and I’ve done web dev projects. Do average people really just look up the url every time?

AzuraTheSpellkissed@lemmy.blahaj.zone on 01 Jul 05:40 collapse

My dad used to put “Google” in the omnibar (adressbar), hit enter, then click the first Yahoo search result for google.com, then enter his actual search query into Google.

strawberry_enjoyer42@lemmy.blahaj.zone on 01 Jul 06:48 collapse

Remarkable.

autonomous@lemmy.world on 01 Jul 08:30 next collapse

I̶̹͊̂ ̵̢̮̬̻͙̹̦͈̜͕̖̠̱͒̃͗̎̑̕͠o̸̧̬̜͚͕̠͍̓̾̉n̷̥͔͕͈̭̦̲͓̼͍̣̪̝͗̀̓͗͜ḷ̵̢̛̅̓̓̐͝y̶̧̨̢̠͙̰͍̖̞͍͙̳̩̠͈̋͋͒̍̏̓͂̋͘̚͘ ̴̢͎͇͍͉̗̭̎͜͠ṷ̴̱̺̣͚̱̀̄͆͛̈́̀͗͒̓̇̓̇s̶̠̮͂̌̾̋ͅe̸̡̢̛̦̻̙͉͂̓́̉̏̅̓̓̒̋͘͝ ̶̢̡̬̩̯̫̱̪̫͚̱͓͉̗͑͜Ż̶͕̮͔̙̜̞̕͝a̸̡͂͛̽̓͆͌̅l̶̛͖̼̲͚̳̓͐͂̊̒͂̄͂́̿̎̒͊̒̕ǵ̶̰̩̮̹̤̺̫̥̹̹͙̌͆͋̒o̶̧̲̟̬̻̳͖͗̉̈́̓͌͗̿̅͌̂͆̈͘̕̕ ̷̡̙̩̰̦̯̄́̿͠F̶͔͙̱̞̘̯͇͖͍̱͍͖̺̯͋́̑̓̀̈́͌̍̏͌̉̄̋̇͘͜͝o̵̮̫͖̙̟͈̬̽̃̔̇̔̈́́͒̏̃͐͘͘͘ͅn̶̨̞̠͖͓̗͕̙͈̙̥̟̈́̈́̔̃̓̿͂̆̈́̌ṱ̸̢̧̩̗̮͔͔̲̖̺̯͇̩̟̈́̈́͗̊̐̈́̐͆̽̄̂̔̇͒̚ͅ

highbank@lemmy.zip on 07 Jul 08:33 collapse

Just created an issue about this on URLCheck’s GitHub.