The Null Device

Homograph attacks

A h4x0r group named Shmoo has revealed a new web-spoofing attack which takes advantage of Unicode characters which look like ASCII characters but aren't, allowing spoofers to register sites like http://www.pаypal.com/ (note that the first 'a' isn't an 'a', but rather Unicode character #1072, the Cyrillic small 'a'). A demo page with two dodgy links is here.

Such attacks, of course, only work if Unicode domain names are allowed. This is one of the few times that Internet Explorer users are safer than Mozilla/Firefox users, as IE doesn't support international domain names out of the box. If you're using Firefox, you may be able to fix it with this procedure (via bOING bOING):

1) Go to your Firefox address bar, enter about:config and press Enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is what makes the problem possible. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!) and click OK. You are done.
4) Go check out the Shmoo demo again and notice it no longer works.

Of course, if you practice safe web access, you won't be entering your bank details or whatever after following a link (however kosher-looking) from an untrusted source in the first place, but only after having typed it in with your own hands or selected it from your local bookmarks.
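As an added example (not part of the original post or the Shmoo demo), here is a small Python check of the kind a mail gateway or link-preview filter might run: it shows the Punycode form that the resolver actually sees for a hostname and flags any label that mixes letters from more than one script, which is the signature of the Cyrillic-'a' trick above. The hostnames are constructed samples; the coarse "script from the Unicode character name" heuristic is an assumption of this example, not a standard.

```python
import unicodedata

# Constructed sample hostnames. The second replaces the Latin 'a' of the first
# with U+0430 (Cyrillic small a), as in the demonstration described above; the
# third is a legitimate single-script internationalised name.
SAMPLES = [
    "www.paypal.com",
    "www.p\u0430ypal.com",      # 'p' + Cyrillic 'a' + 'ypal'
    "b\u00fccher.example",      # 'bücher', Latin letters only
]

def char_script(ch: str) -> str:
    """Coarse script of a character, taken from the first word of its Unicode
    name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens return "" because
    they may appear in any label and carry no script of their own."""
    if ch.isdigit() or ch == "-":
        return ""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in map(char_script, unicodedata.normalize("NFC", label)) if s}

def is_mixed_script(label: str) -> bool:
    """True when a single label mixes letters from more than one script."""
    return len(label_scripts(label)) > 1

def to_ascii(hostname: str) -> str:
    """Punycode (xn--) form of a hostname: what DNS looks up, and what a
    browser can show instead of the lookalike glyphs to defeat the spoof."""
    return hostname.encode("idna").decode("ascii")

def assess(hostname: str) -> dict:
    """Per-hostname report: ASCII form, whether it is an IDN at all, and the
    labels that mix scripts and therefore deserve a closer look."""
    ascii_form = to_ascii(hostname)
    return {
        "display": hostname,
        "ascii": ascii_form,
        "is_idn": ascii_form != hostname,
        "mixed_script_labels": [l for l in hostname.split(".") if is_mixed_script(l)],
    }

if __name__ == "__main__":
    for host in SAMPLES:
        r = assess(host)
        verdict = "SUSPICIOUS" if r["mixed_script_labels"] else "ok"
        print(f"{r['display']:<22} -> {r['ascii']:<28} {verdict}")
```

Note that a mixed-script check alone is not enough: a label spelled entirely in Cyrillic lookalikes passes it, which is why showing the xn-- form (or restricting IDN display to scripts the user has enabled) remains the stronger defence.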

There is 1 comment on "Homograph attacks":

Posted by: Michael S. http://beebo.org Thu Feb 10 09:49:31 2005

That's quite ... nasty.

Though I think the SSL certificate issuer has a lot to answer for here--they shouldn't be issuing certificates with a similar name, let alone similar domain name, to anything that already exists. Or do they not actually do this check?

I'd assumed you wouldn't be able to get a certificate claiming to be from "Microsoft Corporation" or "MicroSoft Corp.", "Microsoft Inc.", etc. for *any* domain--is this not the case?