Threat Description

Punycode is a special encoding scheme for internationalized domain names, which makes it possible to register domains with foreign characters. It works by converting strings of Unicode (UTF-8) to American Standard Code for Information Interchange (ASCII) format. For example, the domain "xn--domain.com" is equivalent to ". com"

Punycode phishing

Using punycode, it is possible to register a domain like ‘xn--80ak6aa92e.com’, which clearly looks like ‘apple.com’ in the browser. This means that a user can be lead to a fake phishing website that simply appears to be “apple.com” because its registered in Unicode form. Such domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. These domains then can be used for phishing attacks as the domain names can trick the users. Many browsers have mechanisms to detect the Unicode domains and display them as text in the browser. Usually the Unicode form will be hidden if a domain label contains characters from multiple different languages. The "аpple.com" domain as described above will appear in its Punycode form as "xn-- 80ak6aa92e.com" in most of the browsers, to minimize confusion with the real "apple.com".

In browsers that fail to detect the Unicode domains, ‘xn--80ak6aa92e.com’ and ‘apple.com’ are indistinguishable. Such cases make it impossible to identify whether the site is fraudulent or not without inspecting the site's URL or SSL certificate. 

For further details, click the download button below!

DOWNLOAD BUTTON