This does look like a problem. Here’s an idea for an easy solution, though.
In the address bar, the browser could display both the address (as it does now) and the script name. Unicode is split up into different well-defined sections for different language scripts, so this shouldn’t be very difficult to implement. In the case of the Russian “raural” text that the article shows, you’d be able to tell that the site wasn’t really PayPal because you’d immediately see that it was from the Cyrillic section of Unicode, not the Latin section (which English uses) that you expected. Or you’d see that it was from mixed scripts, which would be a huge red flag in most cases.
It’s not a perfect solution, but it would allow moderately savvy Internet users to protect themselves from this kind of thing.
If no one else attempts this, I might try writing a Firefox extension that does it, once Unicode domain names are possible.
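An added example, not part of the original comment: a JavaScript sketch of the per-label script check proposed above. The function names and the `SCRIPTS` subset are assumptions made for illustration, and the hostname is assumed to be in Unicode form already (not `xn--` Punycode).

```javascript
// Illustrative subset of Unicode scripts; anything else is reported as "Other".
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Armenian", "Hebrew", "Arabic",
                 "Han", "Hiragana", "Katakana", "Hangul", "Thai", "Devanagari"];
const SCRIPT_RES = SCRIPTS.map((name) => [name, new RegExp(`\\p{Script=${name}}`, "u")]);
// Digits, hyphens and combining marks carry no script of their own.
const NEUTRAL = /[\p{Script=Common}\p{Script=Inherited}]/u;

function scriptOf(ch) {
  if (NEUTRAL.test(ch)) return null;
  for (const [name, re] of SCRIPT_RES) if (re.test(ch)) return name;
  return "Other";
}

// Sorted list of the scripts used by one dot-separated label.
function labelScripts(label) {
  const found = new Set();
  for (const ch of label) {            // for...of iterates by code point
    const s = scriptOf(ch);
    if (s) found.add(s);
  }
  return [...found].sort();
}

// Build the text a browser could show next to the address.
function describeHost(hostname) {
  const labels = hostname.normalize("NFC").split(".").filter(Boolean)
    .map((label) => ({ label, scripts: labelScripts(label) }));
  return {
    labels,
    // A single label drawing on more than one script is the red flag.
    mixedLabel: labels.some((l) => l.scripts.length > 1),
    badge: labels.map((l) => l.scripts.join("+") || "Common").join("."),
  };
}

// Constructed sample hostnames (not taken from the article).
const SAMPLES = [
  "paypal.com",                          // all Latin
  "\u0440\u0430\u0443\u0440\u0430.com",  // Cyrillic look-alike letters
  "\u0440\u0430\u0443\u0440\u0430l.com", // Cyrillic letters plus a Latin "l"
];
for (const host of SAMPLES) {
  const d = describeHost(host);
  console.log(host, "->", d.badge, d.mixedLabel ? "(mixed scripts)" : "");
}
```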
Interesting. Really useful post. Thank you.