Old 06-15-2005, 10:02 PM
Orpheus
Senior Member
 
Join Date: Apr 2005
Posts: 178
Re: Suspicious letter from "neteller"

Another, more sophisticated, version of this scam came "live" a few months ago, when MSIE and the Mozilla family of browsers implemented IDN ("International Domain Naming", IIRC). IDN is an expansion of the "namespace" for DNS to include letters that are not in the ASCII character set.

Without going into technical details, suffice it to say that some of those letters look nearly identical to standard ASCII ("Roman" character set) letters. In some cases, there is no 'real' difference in appearance at all (e.g. any given display font may display them slightly differently, but that is entirely up to the font). A Muscovite would consider the Courier representation of an ASCII capital "H" to be a perfect graphic representation of the Cyrillic letter "H" (equivalent to the English "N"), while a Greek would consider it a perfect typographical representation of the Greek letter eta (a Greek vowel).

Computers don't care how a letter looks; to them, a letter is a binary code whose appearance is incidental, depending on the font used. Humans, on the other hand, ONLY care how a letter looks. Human reading is purely visual.

I was pretty shocked that IDN was adopted with no solutions for the security implications, which were well-discussed in the computer security community 10 years ago. (I suggest subscribing to Comp.Risks -- a highly regarded, decades-old technology risks discussion list for laymen and experts alike. The quasi-weekly e-mail digests are funnier than most humor lists [they should call it "Machines gone Wild"] but far more enlightening.)

I suspect IDN was pushed through because of a sense of political correctness ["The Internet is not just an American playground, so domain names should reflect all alphabets, just as computer documents can, through e.g. Unicode"] and the problems probably weren't fixed because -- well, because it would be hard, if not impossible, to fix: instant letter recognition in our native language(s) is drilled into us as toddlers, and reinforced every day of our lives. We have a lifetime of experience in recognizing highly stylized and distorted fonts and reading them as the letter we expect.

Mozilla issued a patch revoking IDN support within days of implementing it. I believe MSIE did as well, but Outlook is still vulnerable -- as is ANY situation where you inspect a URL visually, though its *binary* value carries its true identity. This is conceptually the same problem that we saw years ago, with people registering domains like micros0ft.com or paypa1.com [with a numeral one, in place of the lowercase L].

I used the Cyrillic or Greek letters as examples because they are famous. The real risk probably lies in the dozens of other languages you've never heard of. How many ways can a character that looks like "a" be drawn that scream "I am not an English 'a'"? Not many.
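The post's two points, that the wire form of a name (not its rendering) carries its identity and that ASCII tricks like paypa1 are the same problem, can be turned into a mail-filter check. This is an added example, not code from the post or any forum software; the confusable table and brand watchlist are small constructed samples (Unicode publishes a much larger confusables list), and the Python `idna` codec supplies the punycode form a resolver would actually see.

```python
import unicodedata

# Hand-built lookalike table, constructed for this example. Each entry maps a
# lookalike to the Latin letter it imitates (the real confusables list is far larger).
CONFUSABLES = {
    "0": "o", "1": "l",                                          # micros0ft, paypa1
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                 # Greek α ο ρ
}

# Constructed watchlist of brand labels a filter might protect.
WATCHLIST = ["paypal", "neteller", "microsoft"]


def label_scripts(label):
    """Coarse Unicode scripts of the letters in one DNS label (digits and hyphens ignored)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Collapse a label to what a human sees: every lookalike becomes its Latin target."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def inspect_hostname(host, watchlist=WATCHLIST):
    """Report the wire (punycode) form of a hostname and flag labels that mix scripts
    or visually impersonate a watchlist name."""
    host = unicodedata.normalize("NFC", host.strip().rstrip(".")).lower()
    try:
        wire = host.encode("idna").decode("ascii")  # what DNS resolves: xn-- labels
    except UnicodeError:
        wire = None                                 # not a valid IDN label at all
    report = {"host": host, "wire": wire, "labels": [], "suspicious": wire is None}
    for label in host.split("."):
        scripts = label_scripts(label)
        impersonates = next((w for w in watchlist if w != label and skeleton(label) == w), None)
        entry = {"label": label, "scripts": sorted(scripts),
                 "mixed_script": len(scripts) > 1, "impersonates": impersonates}
        report["labels"].append(entry)
        if entry["mixed_script"] or impersonates:
            report["suspicious"] = True
    return report


if __name__ == "__main__":
    for h in ["paypal.com", "p\u0430ypal.com", "paypa1.com"]:  # second one has Cyrillic а
        r = inspect_hostname(h)
        print(r["host"], "->", r["wire"], "SUSPICIOUS" if r["suspicious"] else "ok")
```

Showing the `wire` string to the user instead of the rendered name is the mitigation browsers later settled on; the skeleton match catches the pure-ASCII variants that IDN rollback alone does not address.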