Malicious punycode lookalike domains

Punycode is a special encoding scheme for internationalized domain names, which makes it possible to register domains with foreign characters. It works by converting strings of Unicode (UTF-8) to American Standard Code for Information Interchange (ASCII) format. For example, the domain “xn — domain.com” is equivalent to “㯙㯜㯙㯟.com”

Punycode phishing

Using punycode, it is possible to register a domain like ‘xn — 80ak6aa92e.com’, which clearly looks like ‘apple.com’ in the browser. This means that a user can be lead to a fake phishing website that simply appears to be “apple.com” because its registered in Unicode form. Such domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. These domains then can be used for phishing attacks as the domain names can trick the users.

Many browsers have mechanisms to detect the Unicode domains and display them as text in the browser. Usually the Unicode form will be hidden if a domain label contains characters from multiple different languages. The “аpple.com” domain as described above will appear in its Punycode form as “xn — 80ak6aa92e.com” in most of the browsers, to minimize confusion with the real “apple.com”.

In browsers that fail to detect the Unicode domains, ‘xn — 80ak6aa92e.com’ and ‘apple.com’ are indistinguishable. Such cases make it impossible to identify whether the site is fraudulent or not without inspecting the site’s URL or SSL certificate.

Recommended Best Practices

• Use of a password manager, helps reduce the risk of pasting passwords into any incorrectly-named site. Password managers automatically detect the domain being used and offer to automatically fill in the login information. The browser might be fooled by the domain, but the password manager will not be. If it doesn’t offer to fill in the login information, there’s a good chance that it’s a fake website.
• For Firefox users, force the browser to always display punycode names.
• Click on the padlock in the browser to display the HTTPS certificate. This shows the domain name to which the certificate was issued using the DNS-friendly, ASCII-only format. If the name starts ‘xn — ’ then it is a punycode domain, regardless of what it may look like in the address bar.
• In general, users must be very careful and pay attention to the URL when entering personal information. Users should manually type the URL or navigate to sites via a search engine when in doubt. It is highly recommended that users manually type website URLs in the address bar for important sites like Gmail, Facebook, Twitter, Yahoo or banking websites, instead of clicking any link from a website or email. This will ensure the user visits the legitimate website.
• There are some third-party Chrome extensions/add-ons available on the App Store that notify/alerts users every time a website with Unicode characters in the domain is detected.