Genius Lynx

Phishing with 'punycode' - when letters look like English.

Punycode is a special encoding used to convert Unicode characters to ASCII, which is a smaller, restricted character set. Punycode is used to encode internationalized domain names (IDN).

Software that supports IDN is expected to recognize certain patterns in domain names as a sign that the name should not be interpreted literally but according to special conventions.

Suppose, for instance, that we want to register an Internet domain name containing the Greek word "téléphone", i.e. "phone" in English. Previously, such issues were settled simply by dropping the diacritic marks (e.g. "telephone"). This is somewhat unsatisfactory if the diacritics carry any real meaning in the language. For languages that use a non-Latin script, the situation was considerably more awkward.

Since it would not have been feasible to change the whole domain name system to use Unicode, a different strategy was created. Special notations that begin with the ASCII Compatible Encoding (ACE) prefix "xn--" (the letters "x" and "n" and two hyphen-minus characters) indicate that Punycode is in use.

So to include the Greek word "téléphone", i.e. "phone" in English, the domain name should contain "xn--tlphone-byab", which consists only of ASCII characters and therefore does not cause technical problems. Web browsers are expected to work so that if the user visits the domain with the word "téléphone", the browser internally applies Punycode to it. The browser then uses this encoded name to ask a domain name server (DNS) for the numeric IP address to be used.

Punycode has raised some genuine security issues, as any technique for using Unicode in domain names would. There have long been efforts to fool users by registering Internet domain names that look like others. For instance, somebody may register the domain name "examp1e.com" and send mass email or promotional messages containing a link to a website on that domain. Users may think they are going to example.com, particularly if they see the domain name in a font that does not make a clear distinction between "1" (digit one) and "l" (lowercase letter "l"). When the character repertoire is extended, there are considerably more possibilities for such tricks.
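The "xn--" encoding and the look-alike risk described above, as an added example that is not part of the original article: it converts labels between their Unicode and ACE forms and flags labels that mix scripts. It assumes Python's standard `punycode` codec without full IDNA normalization; the function names and the sample label are constructed for illustration.

```python
import unicodedata

ACE_PREFIX = "xn--"

def to_ace(label: str) -> str:
    """Encode one Unicode label to its ASCII Compatible Encoding form."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")

def to_unicode(label: str) -> str:
    """Decode an xn-- label to the Unicode text a browser may display."""
    label = label.lower()  # host names are case-insensitive
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label

def scripts(label: str) -> list:
    """Rough script detection: first word of each letter's Unicode name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in label if ch.isalpha()})

def review_host(host: str) -> list:
    """Return (ace_form, displayed_form, scripts, verdict) for each label."""
    report = []
    for label in host.split("."):
        shown = to_unicode(label)
        found = scripts(shown)
        if shown.isascii():
            verdict = "ascii"          # includes tricks like "examp1e"
        elif len(found) > 1:
            verdict = "mixed-script"   # letters from more than one script
        else:
            verdict = "non-ascii"      # one script; compare with the ACE form
        report.append((to_ace(shown), shown, found, verdict))
    return report

if __name__ == "__main__":
    # Constructed sample: Latin letters plus one Cyrillic letter (U+0430).
    mixed = to_ace("ex\u0430mple") + ".com"
    for host in ("xn--tlphone-byab.example", "examp1e.com", mixed):
        for row in review_host(host):
            print(host, row)
```

A label made entirely of one non-Latin script is reported only as "non-ascii", so this check complements showing the ACE form in the address bar rather than replacing it.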

Punycode is defined in RFC 3492, a Request for Comments (RFC), which is a formal document from the Internet Engineering Task Force (IETF), titled "Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)".

This article aims to make readers aware of Punycode attacks and spam, also known as IDN spoofing, look-alike attacks, homograph spoofing attacks, or phishing attacks. You can modify your browser settings to stay safe and alert to Punycode attacks when you visit a website. The phishing vulnerability is already patched in Apple's Safari and Microsoft's Edge and Internet Explorer browsers.

To fix it in Firefox and Chrome, do the following:

  1. Firefox:
    • In the address bar, type 'about:config'.
    • Search for 'punycode'.
    • Look for preference name: network.IDN_show_punycode
    • Change the value from false to true.
  2. Chrome: Google is working on a fix to identify IDN attacks in the address bar, but you can download an extension for it, e.g. Punycode Alert.

No matter what browser you use, avoid clicking on hyperlinks in emails. Instead, take the smart step of typing the destination address directly into your browser.

Published: November 02, 2020