We've all seen text on the web that looks almost like ASCII, but it's really very similar characters from other alphabets like Cyrillic, right? These can appear in domain names too, and your browser will helpfully display them in Unicode.
So, yeah, that can be exploited. It's called a homograph attack.
Browsers normally display a URL containing non-ASCII characters in its uglier, untranslated (punycode) form, so you can tell. But there's a bug or feature, depending on whom you ask: if the domain consists entirely of special characters from a single language's alphabet, the whole thing gets translated into Unicode. You can see how that would be helpful to Internet users in Russia or Israel or China, but for those who surf using the Roman alphabet, it's a risk that even careful security-minded people can miss.
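As an added example (not part of the original post), here is a small Python check that mimics the single-script display rule described above and flags a hostname whose non-ASCII labels are all lookalikes for ASCII letters. The Cyrillic-to-Latin table and the sample domains are constructed for this example; Unicode's full confusables data (UTS #39) is far larger.

```python
import unicodedata

# Partial Cyrillic -> Latin lookalike table, hand-constructed for this
# example. The real confusables list (Unicode UTS #39) is much longer.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԛ": "q", "ԝ": "w",
}

def script_of(ch):
    """Rough script classification using only the stdlib character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def scripts(label):
    """Set of scripts used in one DNS label, ignoring digits/punctuation."""
    return {script_of(c) for c in label} - {"COMMON"}

def to_unicode(host):
    """Decode punycode (xn--) labels so both input forms are handled."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def browser_display(host):
    """Simulate the rule in the post: a single-script label is shown as
    Unicode, a mixed-script label falls back to punycode."""
    shown = []
    for label in to_unicode(host).split("."):
        if len(scripts(label)) > 1:
            shown.append(label.encode("idna").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown)

def skeleton(label):
    """Map each lookalike character to the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(c, c) for c in label)

def lookalike_of(host):
    """Return the ASCII domain this hostname could be mistaken for, or None
    when no non-ASCII label collapses entirely to ASCII lookalikes."""
    labels = to_unicode(host).split(".")
    risky = any(not l.isascii() and skeleton(l).isascii() for l in labels)
    skel = ".".join(skeleton(l) for l in labels)
    return skel if risky else None

if __name__ == "__main__":
    for h in ["соре.example", "cоpe.example", "cope.example"]:  # constructed
        print(h, "->", browser_display(h), "| looks like:", lookalike_of(h))
```

The whole-label Cyrillic name displays unchanged while the mixed one is forced to punycode, which is exactly why the all-one-script case is the dangerous one.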
Chrome version 58 reportedly fixes the problem. Firefox isn't going to fix it, but there's an about:config setting you can change (set network.IDN_show_punycode to true).
This post from Ars Technica explains the problem in more detail.