Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won't take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e.com.

The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. For example, the domain "xn--s7y.co" would appear as "短.co" in Chinese browsers.

The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It's currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.

Firefox users, on the other hand, may have to take things into their own hands. Mozilla is still undecided as to whether it will implement a dedicated patch. For now, users can plug about:config into the address bar and change the network.IDN_show_punycode attribute to true. That enables Firefox to show international domains in their Punycode form, making it easier to detect whether a website is phony.