Chrome’s hidden lookalike detection feature battles URL imposters

Most of us have suffered from fat-fingered browsing before, mistyping website URLs and getting taken to the wrong place. Some of us have fallen victim to hyperlinks that look like legitimate websites at first glance but which are deliberately misspelled. Now, Chrome will try to save us from lookalike sites by detecting them and flagging up a warning.

Google has given its web browser a new feature that checks before it sends you to misspelled versions of popular sites. The feature, first called “Navigation suggestions for Lookalike URLs”, reportedly appeared in the Canary release of Chrome 70. Canary releases test new features on early adopter users so that Google can refine them before releasing them into the mainstream.

When activated, the security measure checks for misspelled sites, where it’s likely that the user intended to visit a popular url. It will display a link to the site that it thinks the user might have wanted to visit.

Sometimes, users intentionally mistype websites. The letter o on your keyboard is close enough to the zero that typing g00gle.com could be a legitimate mistake. More often, criminals deliberately register misspelled versions of websites for phishing or malware attacks, in an process known as typosquatting. By substituting a 1 for an l, or by transposing characters, attackers can create domains – and sites – that look real, using them for phishing attacks.

The other danger is the IDN homograph attack. An attacker registers a domain name in ASCII that browsers convert to Unicode, which is a standard for displaying writing in many non-Latin alphabets such as Greek or Cyrillic.

IDN homographs enable someone to register a seemingly gibberish domain name and get the browser to display a domain that looks a lot like a regular site, in a conversion process known as punycode. So, xn--mxail5aa.com becomes αρριε.com. Chrome and other browsers each have their own rules when it comes to whether they convert punycode, and they can be pretty convoluted as browser vendors do their best to avoid security problems while respecting legitimate cultural usage.

Chrome’s new feature will use a site’s popularity along with any site engagement score that it has to help detect a misspelled site and recognize the right one. The browser gives a URL a site engagement score if it sees a user spending a lot of time on the site.

I tested the browser’s lookalike detection in version 72 (now Chrome’s stable release channel), which still had to be turned on by entering this command into the address bar:

chrome://flags/#enable-lookalike-url-navigation-suggestions

The feature caught paypai.com, asking whether we wanted to visit paypal.com. It did the same for pay-pal.com and paypal.om. However, it missed paypa|.com, and αρριε.com.

This will hopefully go some way towards introducing more security into the URL system, which Google has said in the past has major security problems. In September, its expert suggested that it might be time to replace URLs with something else that isn’t prone to problems like these. At the time, Wired quoted Google technical lead Emily Stark, who called the security issues the URLephant in the room. That is also the name for a presentation that she gave describing the lookalike detection system at Usenix last week.