Thursday, February 10, 2005

"You're not really at Paypal's web site; instead, you're viewing content served up by the Shmoos or Secunia. In the case of Shmoo, you're really at a site owned by Shmoo, with the domain name of www.pà - it's just that Firefox, Mozilla, Opera, Konqueror, and Safari don't display the real URL. [Editor's note: as of January 2005, SecurityFocus readers using Firefox (46%) eclipsed Internet Explorer users (44%) in our traffic logs for the first time ever.] Due to vagaries in the way that certain browsers use punycode to display URLs using homographs (letters from one character set that resemble letters in another), it's incredibly easy to fool people into thinking they're at one site when they're actually at another. A new vector for phishing attacks! Wonderful! (And by the way - IE doesn't support the IDN spec yet, so it isn't vulnerable ... unless you installed the Verisign IDN plugin, which fortunately has an auto-update feature that we can hope will deliver a patch soon.)"
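The quoted passage describes the mechanism but not what a defender can do about it. The following added example (my code, not from SecurityFocus, the Shmoo Group or Secunia) shows the two checks that browsers later adopted against this trick: decode punycode (`xn--`) labels back to Unicode and show the ASCII form the address bar hides, and flag any label that mixes scripts, such as a Cyrillic letter dropped into an otherwise Latin name. The sample hostnames are constructed for the demo and use U+0430 CYRILLIC SMALL LETTER A in place of Latin "a"; they are not the post's real domain.

```python
"""Defender-side check for IDN homograph lookalikes (added example).

It decodes punycode ("xn--") labels back to Unicode, computes the on-the-wire
ASCII form a user normally never sees, and flags labels that combine more
than one script, the classic homograph pattern.
"""
import unicodedata


def script_of(ch):
    """Coarse script name taken from the Unicode character name
    ("LATIN", "CYRILLIC", ...). Digits and hyphens count as "COMMON" and
    are ignored by the mixed-script test."""
    if ch in "-0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_unicode(host):
    """Decode any punycode labels; a plain Unicode hostname passes through."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_ascii(host):
    """Encode to the punycode form actually sent in DNS and TLS."""
    return to_unicode(host).encode("idna").decode("ascii")


def mixed_script_labels(host):
    """Return (label, scripts) for every label that mixes scripts."""
    flagged = []
    for label in to_unicode(host).split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append((label, sorted(scripts)))
    return flagged


def analyse(host):
    """Summarise a hostname: Unicode form, ASCII form, and mixed-script labels."""
    flagged = mixed_script_labels(host)
    return {
        "unicode": to_unicode(host),
        "ascii": to_ascii(host),
        "mixed_script_labels": flagged,
        "suspicious": bool(flagged),
    }


# Constructed sample hostnames (not the post's real domain). The second one
# swaps Latin "a" for U+0430 CYRILLIC SMALL LETTER A; the third is its
# punycode form, as it would appear in a DNS log or certificate.
SAMPLES = [
    "www.paypal.com",
    "www.p\u0430ypal.com",
    "www.xn--pypal-4ve.com",
]

if __name__ == "__main__":
    for host in SAMPLES:
        result = analyse(host)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{host!r:28} -> {result['ascii']:24} {verdict} "
              f"{result['mixed_script_labels']}")
```

Running the script prints the hidden `xn--` form next to each lookalike and flags the `pаypal` label as mixing CYRILLIC and LATIN, while the genuine hostname passes. The per-label mixed-script test is the same policy later browsers applied before rendering an IDN in Unicode; note that it deliberately does not flag a label written entirely in one script, so a lookalike composed wholly of confusable characters from a single non-Latin script needs a confusable-character table (such as Unicode's `confusables.txt`) on top of this check.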


