By the middle of next year, the lock that Latin alphabets have had on Internet domain names will be broken, when a plan announced last week by the Internet Corporation for Assigned Names and Numbers, better known as ICANN, is implemented. That prospect may have phishers licking their lips.
The move–claimed by ICANN as the biggest technical change in the 40-year history of the Internet–will allow domain names to be created in languages such as Arabic, Korean, Greek, Hindi, Japanese and Cyrillic. It was initially approved in 2008, but finalization won’t be completed until the organization wraps up its conference in Seoul, Korea. While the new non-Latin alphabet addresses won’t start appearing until next year, ICANN expects to see applications for the domains appearing as early as next month.
ICANN estimates that more than half of the Internet's 1.6 billion users write in non-Latin alphabets and that accepting those alphabets in domain names will save 60 billion to 100 billion keystrokes a day by removing the need to type Latin-script country codes in Web addresses. Some countries already use their native alphabets in domain names, but their country codes remain in the Latin letter set. Bulgaria, for example, writes in Cyrillic but uses .bg for its country code.
ICANN has been testing the new technology behind the change for two years, a process that phishers are keenly aware of. They have exploited a variation of a technique called URL spoofing that leverages non-Latin characters in domain names to divert unsuspecting Web users to malicious sites, steal their personal information and infect their computers with malware.
URL spoofing substitutes an outlaw Web address for a legitimate one. A simple way to do that is to exploit the shaky spelling of English-speaking users. A site like eddiebaur.com might fool the eye of a casual Web surfer looking for outdoor gear from Eddie Bauer. Gaps in domain coverage can also aid spoofers. Who can forget the adult website owner who registered whitehouse.com and siphoned off traffic intended for whitehouse.gov? Poor screen typography has also been a rich source of exploitation for phishers. For example, g00gle.com (with two zeros) can pass for google.com in some screen fonts.
With the addition of Internationalized Domain Names (IDNs), which ICANN will be expanding next year, phishers found another way to disguise their spoofing: taking advantage of similarities between characters in non-Latin alphabets and their Latin lookalikes. What makes that approach superior to other typographic tricks is that a target may have no way of knowing that he or she is headed to a spoofed address. That is because the characters are not merely similar; a Cyrillic "o" is rendered identically to its Latin counterpart in virtually every font. While a user cannot tell the two o's apart, the browser can, because the two names are different code points and therefore encode to different ASCII (punycode) domain names under the hood. The browser will act accordingly, resolving the lookalike name and taking the unwitting visitor to some Internet back alley where he or she can be fleeced.
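To make the homograph mechanism concrete, here is an added example (not part of the original article) that shows what the browser sees behind a lookalike name. It converts candidate domains to their ASCII punycode form with Python's standard IDNA codec, flags labels that mix scripts (Latin plus Cyrillic, for instance), and collapses a small table of known confusables to check whether a name "skeletons" to a target brand. The sample domains are constructed for illustration, and the confusable table is a deliberately partial, hand-written subset of the kind of data found in Unicode's confusables list, not the official list.

```python
import unicodedata

# Constructed sample domains (not taken from the article). \u043e is Cyrillic
# small o and \u0430 is Cyrillic small a; both are visually identical to Latin.
SAMPLE_DOMAINS = [
    "google.com",              # genuine
    "g00gle.com",              # digit-for-letter typographic trick
    "g\u043e\u043egle.com",    # Cyrillic homograph of google.com
    "\u0430pple.com",          # Cyrillic homograph of apple.com
]

# Partial confusable map (an assumption for this example, NOT the full Unicode
# confusables table): Cyrillic and digit lookalikes mapped to Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "0": "o", "1": "l",
}


def script_of(ch):
    """Return the script name (LATIN, CYRILLIC, ...) for a letter, taken from
    the first word of its Unicode character name; non-letters are COMMON."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def scripts_in_label(label):
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """True when a single label draws letters from more than one script,
    the classic signature of an IDN homograph."""
    return len(scripts_in_label(label)) > 1


def to_ascii(domain):
    """ASCII (punycode, xn--) form of a domain, as the resolver sees it."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Inverse of to_ascii: decode an xn-- domain back to Unicode."""
    return domain.encode("ascii").decode("idna")


def skeleton(domain):
    """Collapse confusable characters to their Latin lookalikes so that
    visually identical strings compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def looks_like(domain, brand):
    """True if domain is visually confusable with brand but is not brand."""
    return domain != brand and skeleton(domain) == skeleton(brand)


def analyze(domain):
    """Summarize the spoofing indicators for one domain."""
    ascii_form = to_ascii(domain)
    return {
        "unicode": domain,
        "ascii": ascii_form,
        "is_idn": ascii_form != domain,
        "mixed_script": any(is_mixed_script(lbl) for lbl in domain.split(".")),
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze(d)
        print(f"{r['unicode']!r:24} -> {r['ascii']:28} "
              f"idn={r['is_idn']} mixed={r['mixed_script']} "
              f"spoofs_google={looks_like(d, 'google.com')}")
```

The point of the `ascii` column is the one the article makes: the user sees "google.com" twice, but the resolver is handed two different names, and the Cyrillic one is an `xn--` label nobody at Google registered. Mixed-script detection catches the common case where only some letters are swapped; a label written entirely in Cyrillic would pass that check, which is why the skeleton comparison against a list of protected brands is the second filter.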
ICANN has believed for a long time that homograph attacks that exploit IDNs are a manageable problem. For example, it noted in a statement released in 2005:
“While the recent publicising of the IDN-based homograph attack potential has brought this issue to wider public attention, the possibilities of the expansion of homograph exploits has been a topic of research and discussion within the ICANN community since before the adoption of IDN standards. Significant work has been done to define implementation practices such as IDN Language Registry Tables, and guidelines for restricting or managing mixed-character-set domain name registrations.”
“ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs become more widespread,” it added, “and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.”
Despite ICANN's optimism, the verdict will remain out on how manageable the spoofing problem is until cyberspace starts getting flooded with IDNs and the phishers start working their malevolence on them.
Phishing is becoming increasingly popular among black hats as a vehicle for Internet crime. The Anti-Phishing Working Group (APWG), in an analysis released last month, noted that unique phishing reports submitted to the organization hit an all-time high of 37,758 in May. The number of phishing websites also peaked during the first six months of this year, reaching 49,084, the highest figure since April 2007, when a record 55,643 sites were reported.
The APWG also reported that the number of unique domains used to target specific brands reached an all-time high of 21,085 in June, a 92 percent increase over January of this year.