
You should send the emails, and charge me to view the report.


That is an excellent idea! In fact, we've just implemented the billing service, so please go to http://cuttIeph1sh.com/account/billing, log in to your account and provide your payment information to continue receiving our phishing reports!


Cyrillic homographs[1] are your friend here :-)

http://сuttlерhish.com/account/billing

(Punycode [2]: http://xn--uttlhish-f8g4if.com/account/billing)

Also, it seems that Firefox (v38.0.5 Windows) doesn't convert URL interpuncts (mid-dots) into punycode, so clicking on something like http://www.billing·cuttlephish.com/ doesn't actually rewrite the URL in the address bar. Chrome converts it to http://www.xn--billingcuttlephish-c4a.com/.

[1]: https://en.wikipedia.org/wiki/IDN_homograph_attack

[2]: https://en.wikipedia.org/wiki/Punycode



No problem.

Out of interest, do the Firefox team and the Chromium team compare notes on decisions like this?

Purely in this one area (IDN homograph attacks), it might be an idea to look at the Chromium Unicode vetting rules (which characters and combos get "punycoded"), as they seem to be more conservative from a "Latin" perspective.

I'm not sure if a "blacklist" (mentioned in the bug report) is the best way of handling this. Perhaps only direct-encoding the "exemplar characters" for the language setting, and punycoding everything else? I'm pretty sure it would have eliminated the mid-dot issue, but perhaps this "whitelist" is too prohibitive.
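As an added defender-side example (not from any commenter in this thread), here is a Python check in the spirit of the "exemplar characters" whitelist proposed above and the Firefox/Chrome interpunct difference noted earlier: it flags labels using a script outside an allowed set, labels that mix scripts, and non-ASCII punctuation such as U+00B7, and shows the Punycode form a conservative address bar would display. The `allowed_scripts` parameter, the `inspect_hostname` function and the sample hostnames are assumptions constructed for this example.

```python
import unicodedata

def char_script(ch: str) -> str:
    """Coarse script bucket: first word of the Unicode name for letters
    (LATIN, CYRILLIC, GREEK, ...); COMMON for digits, punctuation and symbols."""
    if not ch.isalpha():
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point
        return "UNKNOWN"

def to_ascii_form(host: str) -> str:
    """A-label (xn--...) form, as a conservative address bar would show it."""
    return host.encode("idna").decode("ascii")

def inspect_hostname(host: str, allowed_scripts=frozenset({"LATIN"})) -> dict:
    """Report labels unsafe to display in Unicode form; allowed_scripts stands in
    for the 'exemplar characters' of the user's language setting (assumed policy)."""
    host = unicodedata.normalize("NFC", host.rstrip("."))
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue  # pure-ASCII labels cannot be homographs of themselves
        scripts = {char_script(c) for c in label} - {"COMMON"}
        reasons = []
        foreign = scripts - set(allowed_scripts)
        if foreign:
            reasons.append("script outside allowed set: " + ", ".join(sorted(foreign)))
        if len(scripts) > 1:
            reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
        odd = sorted({f"U+{ord(c):04X}" for c in label if not c.isascii() and not c.isalpha()})
        if odd:
            reasons.append("non-ASCII punctuation/symbol: " + ", ".join(odd))
        if reasons:
            findings.append({"label": label, "ascii": to_ascii_form(label), "reasons": reasons})
    return {"ascii_form": to_ascii_form(host), "suspicious": bool(findings), "findings": findings}

# Constructed samples, written with escapes so the look-alike letters are visible in source.
SAMPLES = [
    "\u0441uttl\u0435\u0440hish.com",   # Cyrillic es/ie/er mixed into Latin "cuttlephish"
    "www.billing\u00b7cuttlephish.com",  # U+00B7 MIDDLE DOT posing as a label separator
    "cuttlephish.com",                   # genuine ASCII name, passes untouched
]

if __name__ == "__main__":
    for h in SAMPLES:
        r = inspect_hostname(h)
        print(h, "->", r["ascii_form"], "SUSPICIOUS" if r["suspicious"] else "ok")
        for f in r["findings"]:
            print("    ", f["ascii"], ":", "; ".join(f["reasons"]))
```

The first two samples reproduce the xn-- forms quoted in the comments above; the Cyrillic one is reported both as a foreign script and as mixed-script, the interpunct one only for the non-ASCII punctuation.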


You might be right--that would definitely help people get further into the flow before the high-friction "payment" step. (If I went the "pay to view report" route I'd obviously have to be super upfront about it; wouldn't want there to be an unpleasant surprise for people at the end of the flow).

One other thing I thought about was maybe making the service free for phishing up to N people.
