Punycode Phishing Attack: Almost Impossible to Detect on Browsers

A phishing attack is when an attacker sends you an email with a hyperlink to a malicious dummy website that closely resembles a trusted site. When you click on the link, it may infect your computer, or you may be tricked into logging in to the malicious site with credentials from a site you trust. The attacker then has access to your username, password and any other sensitive and confidential information. For example, www.icici bank.com looks like www.iclci.com in the email the attacker sent you, where the third letter 'I' (upper case) is replaced with 'l' (lowercase). Some fake sites replace 'o' with '0' (zero).

Internationalized Domain Names (IDNs)

Internationalized Domain Names (IDNs) are domain names that use characters other than the letters A-Z from the Latin alphabet. These types of domain names contain non-ASCII characters such as Chinese, Arabic, or Russian. IDNs allow international accessibility of the Internet by allowing users to register domain names in their own language and character set. They are handled in different ways by different web browsers. Each browser implements its own algorithm for determining the display format of requested URLs, and usually one of the two options below is preferred:
  • Display all URL characters using Unicode (native characters), or
  • Display all URL characters using Unicode if and only if all the characters belong to the same language that is chosen by user settings; display Punycode URL otherwise.


Punycode is a way to represent Internationalized Domain Names (IDNs) with the limited character set (A-Z, 0-9) supported by the domain name system. Punycode makes it possible to register domains with foreign characters. It is a special encoding used to encode internationalized domain names, i.e. to convert Unicode/non-ASCII characters to ASCII. In layman's terms, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that allows a browser to represent that domain as international characters in the location bar. So in the above example, ‘e’ ‘p’ ‘i’ and ‘c’ are Unicode characters that look identical to the real characters but are different Unicode characters.
An IDN takes the Punycode encoding and adds "xn--" in front of it. This lets the browser know that the domain uses ‘Punycode’ encoding to represent Unicode characters. A few examples are provided below.
You can verify them with the online Punycode converter at https://www.punycoder.com/.

Phishing Attack with Punycode in IDNs

If your web browser is displaying "apple.com" in the address bar secured with SSL, but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.
A homograph attack exploits the ability to create URLs with characters from various language sets. Some characters from other languages are visually indistinguishable from characters in the English alphabet. Attackers can register their own domain names and set up sites that are similar to existing web addresses in order to steal data from users who happen to visit them.
In the simplest version of such attacks, a fake URL may consist only of simple ASCII alphanumeric characters. The intruder uses symbols that are similar to each other. Often the letter q may be confused with g, or o with 0. Many Unicode characters, which represent alphabets like Greek, Cyrillic, and Armenian in internationalized domain names, look the same as Latin letters to the casual eye but are treated differently by computers, resulting in a completely different web address. All non-Latin addresses need to be encoded in a special way, using Punycode, to be handled by DNS servers, and all browsers translate non-ASCII URLs into Punycode in the background before performing a DNS lookup. By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL to defend against homograph phishing attacks.
For example, the Chinese domain "短.co" is represented in Punycode as "xn--s7y.co".
Loophole: Researchers recently found that if the attacker chooses all characters for a domain name from a single foreign language character set, so that it looks exactly like the targeted domain, then browsers will render it in that language instead of in Punycode format. If the fake URL only includes one Punycode character, the browser will flag it as potentially dangerous. However, when all the letters of the URL are actually Unicode equivalents from another language, browsers will presume it’s a legitimate URL from a country that uses those characters.
For example, an “apple.com” that used the Cyrillic “a” would actually be written as “xn--pple-43d.com” when registered in vulnerable web browsers.
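The xn-- encoding and the display loophole described above, as an added example that is not part of the original article: it decodes xn-- labels and reports whether a label mixes scripts (the case browsers fall back to Punycode for) or consists entirely of Cyrillic letters that look like Latin ones. The lookalike table is a small constructed subset, the script test is an approximation based on Unicode character names, and the all-Cyrillic sample hostname is constructed.

```python
import unicodedata

# Small constructed subset of Cyrillic letters that render like Latin ones.
# A production check would use Unicode's confusables data (UTS #39).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}

def to_unicode(host):
    """Decode every xn-- label of a hostname back to its Unicode form."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def to_ascii(host):
    """Encode non-ASCII labels as xn-- + Punycode (no nameprep/UTS #46 mapping)."""
    return ".".join(
        l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
        for l in host.lower().split("."))

def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def classify(host):
    """Return (ascii_form, verdict) for a hostname in Unicode or xn-- form."""
    uni = to_unicode(host)
    verdict = "ascii"
    for label in uni.split("."):
        if label.isascii():
            continue
        if len(scripts(label)) > 1:
            return to_ascii(uni), "mixed-script"  # the case shown as xn--
        # Latin letters were ruled out above, so ASCII here is digits or hyphens.
        if all(ch in LOOKALIKES or ch.isascii() for ch in label):
            skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in label)
            return to_ascii(uni), "whole-script lookalike of " + skeleton
        verdict = "single-script idn"
    return to_ascii(uni), verdict

if __name__ == "__main__":
    # Two hostnames from the article, one constructed all-Cyrillic label, one ASCII.
    for h in ["xn--pple-43d.com", "\u77ed.co",
              "\u0435\u0440\u0456\u0441.example", "apple.com"]:
        print(h, "->", classify(h))
```

A "whole-script lookalike" verdict is the case the loophole relies on: every letter comes from one script, so a mixed-script display rule alone does not catch it.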

How to Prevent These Phishing Attacks

The best defense against this attack is to check the address bar after the page has loaded and confirm that it is being served over a valid HTTPS connection, carefully inspecting the common name in the site's SSL certificate, its validity, and that it was issued by a trusted third-party certificate authority.
Use password manager software that creates and stores all your passwords for your computers, websites, applications and networks. It works by generating long, complex, unique passwords and storing them in encrypted form to protect the confidential data from attackers with physical access to your PC. The encrypted file is accessible only through a master password. So all you need to do is remember one master password to open your password manager and unlock all your other passwords; you do not need to memorize them all. Whenever you come across a domain which looks like the legitimate "apple.com" or "amazon.com" but actually is not, your password manager software will detect it and will not automatically authenticate you to that phishing site.
Moreover, users are always advised to manually type website addresses in the address bar for important sites like Gmail and banking websites, instead of clicking a link on some website or in an email, or following a redirect even from a Google search, to protect against such attacks. Until then, if you are not sure whether you are on a real site, you can copy the URL from the location bar and paste it into Notepad++ or another text editor. If it appears as the https://xn--….. version, or sometimes as "www.????.com", it is a fake domain. Otherwise, it will appear as the real domain in its un-encoded form if it is the real thing.
Also, to temporarily mitigate this attack and identify such phishing domains, users are recommended to disable Punycode support in their browsers, which forces browsers to always display IDN domains in their Punycode form, making it possible to identify malicious domains. Luckily, the Firefox browser has this option enabled, but unfortunately there is no similar setting available in Chrome or Opera to disable Punycode URL conversions manually, so Chrome users have to wait for the next few weeks to get the patched Stable 58 release. IE is automatically protected since it always shows domain names as Punycode.

Authored By - Venkatesh G
TCS Enterprise Security and Risk Management