Sophisticated hackers have been exploiting vulnerabilities in Chrome and Firefox to trick even the most careful internet users into logging into fake domains for sites like Apple, Google, and Amazon.

Typically, a careful internet user would always check the domain of any site before logging in to ensure that the site does indeed read "apple.com" or "chase.com" in the address bar with a valid HTTPS connection. If the URLs were "apples.com" or "chaise.com," you'd know that they were probably phishing pages ready to steal your information.

However, with a phishing technique called a homograph attack, the URL looks legitimate while the page content is served from an entirely different server. Xudong Zheng, an InfoSec researcher who recently wrote about this type of attack, described it as a bug in Firefox and Chrome that is "impossible to identify" by eye and that can be used to steal a user's login credentials, financial information, and other sensitive data.

For instance, click on this demo link (it may not work if the server is overloaded) created by Zheng to see how convincing such a page is: the address bar appears to show a legitimate site, yet everything on the page comes from a server that has nothing to do with it.

How is this possible? With homoglyphs. The attack works by registering a domain name made of Unicode characters that look identical to the ASCII letters of the site you want to phish. Unicode is a superset of ASCII, so every ASCII letter is also a Unicode character, but Unicode additionally contains thousands of characters from other scripts (Cyrillic, Greek, and more), and many of those are drawn with the same glyph as an ASCII letter even though they have a different code point.

To register Unicode characters in a domain name, one simply encodes them with Punycode to produce the ASCII form that the Internationalized Domain Name (IDN) system requires for registration. Because most modern browsers automatically decode Punycode-encoded domain names in their address bars back into Unicode, the result looks functionally identical to the ASCII domain it impersonates.

It is possible to register domains such as "xn--pple-43d.com", which is equivalent to "apple.com". It may not be obvious at first glance, but [my] "apple.com" uses the Cyrillic "a" (U+0430) rather than the ASCII "a" (U+0041). — Xudong Zheng

So, when a spammer uses non-ASCII characters that look identical to their ASCII equivalents, you end up with scenarios where they can register specially crafted domain names that look like "chase.com" or "paypal.com" in your browser's address bar. This is how the current phishing attack — a homograph attack — is able to plague your browser.

Chrome and Firefox fail to flag impersonation of ASCII domains by Unicode lookalikes even on ordinary TLDs such as .com, allowing something as simple as a Cyrillic "a" to be used in place of the ASCII "a" on a dot-com site. The two may look the same to the naked eye, but they are certainly not, and that is the homoglyph attack. Note that the two examples differ: "xn--pple-43d.com" mixes one Cyrillic letter with Latin ones, which the browsers' mixed-script filter does catch, whereas Zheng's working demo domain is written entirely in Cyrillic letters that resemble "a", "p", "l", and "e", and a single-script label passes the filter. Your browser will show "apple.com," but if you copy and paste the link, it will actually look like xn--80ak6aa92e.com.
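The following Python is an added example, not code from Zheng's write-up or from either browser. It performs the Punycode conversion described above for the two domains on this page (using only the standard library's RFC 3492 "punycode" codec; real IDNA processing would also case-fold and normalize each label first, which is omitted here), detects whether a label mixes scripts, and then applies a simplified version of the safer address-bar policy the browsers moved to: a label is shown in Unicode only if it is single-script and is not drawn, glyph for glyph, like an all-ASCII label. The lookalike table is a constructed subset of Unicode's confusables list, and the function names are this example's own.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# The full list lives in Unicode's confusables.txt; this is illustrative only.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0455": "s",
}


def to_ascii(domain: str) -> str:
    """Convert each non-ASCII label to its 'xn--' Punycode form (simplified IDNA)."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain: str) -> str:
    """Reverse of to_ascii: decode every 'xn--' label back to Unicode."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_in_label(label: str) -> set:
    """Scripts used by a label, taken from the first word of each character's
    Unicode name ('LATIN', 'CYRILLIC', ...); digits and hyphens are neutral."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    return len(scripts_in_label(label)) > 1


def looks_like_ascii(label: str) -> bool:
    """True when a non-ASCII label maps entirely onto ASCII lookalikes."""
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
    return (not label.isascii()) and skeleton.isascii()


def display_form(ascii_domain: str) -> str:
    """Decide what an address bar should show for a wire-format (ASCII) domain.

    Mixed-script labels were already shown as Punycode by the browsers; the
    second check is the missing piece: an all-Cyrillic label that is a pure
    lookalike of an ASCII label is also kept in Punycode form.
    """
    decoded = to_unicode(ascii_domain)
    for label in decoded.split("."):
        if is_mixed_script(label) or looks_like_ascii(label):
            return ascii_domain
    return decoded


if __name__ == "__main__":
    # Zheng's two examples from the article, rebuilt here from code points.
    mixed = "\u0430pple.com"                           # Cyrillic a + Latin pple
    all_cyrillic = "\u0430\u0440\u0440\u04cf\u0435.com"  # a, er, er, palochka, ie
    for name in (mixed, all_cyrillic):
        wire = to_ascii(name)
        print(f"{wire:24} mixed={is_mixed_script(name.split('.')[0])} "
              f"lookalike={looks_like_ascii(name.split('.')[0])} "
              f"shown_as={display_form(wire)}")
```

Running the block prints `xn--pple-43d.com` for the mixed-script name and `xn--80ak6aa92e.com` for the all-Cyrillic one; the first is flagged by the mixed-script check alone, while the second passes that check and is only caught by the lookalike check, which is exactly the gap the article describes. A genuine Cyrillic domain that contains letters with no Latin lookalike (for example "пример.com") is still shown in Unicode.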

Zheng has alerted the teams behind both Chrome and Firefox. Google has fixed the loophole for Chrome 59 (currently in an advanced beta release) and is also working to include the fix in the upcoming Chrome 58 public release, which will be pushed out at the end of April. Mozilla has yet to address the issue in Firefox, even though Zheng alerted its team back in January.

Initially, Mozilla had the issue listed as "WONTFIX" on Bugzilla, but then reopened the case; Zheng noted on April 14 that Firefox was still vulnerable.

In the meantime, there are a few steps you can take to prevent the bug from attacking your browser.