Punycode Attacks

How and Why

The original Internet was ASCII only, which isn’t really surprising, as it was built in the United States, and English is a language that can be written entirely in characters in the ASCII set.[1] Punycode is a system for converting words that can’t be written in ASCII (American Standard Code for Information Interchange) such as Ancient Greek, Armenian, Cyrillic or Chinese alphabets.

This conversion method is very useful in DNS (Domain Name System) because DNS which is responsible for converting domain names in to IP addresses is only capable of recognizing ASCII characters in domain names.

Using this conversion method international domain names (IDNs) which uses non-ASCII characters can be displayed only using Roman letters from A to Z, numbers from 0 to 9 and “- “character.

The Punycode method was created so that languages with a wider set of characters, could also use the DNS. Basically, Punycode is an encryption method that converts Unicode characters used by IDNs into ASCII characters.

What has changed

Years ago, ICANN allowed Unicode characters to be included in web domains and it didn’t take much time for them to realize that this decision is going to make problems as certain characters from different languages can be confused for Unicode since they look the same when rendered in the browser.

Some of the letters in the Roman alphabet are the same shape as letters in the Greek, Cyrillic and other alphabets. Examples are: the letters I, E, A, Y, T, O and N.

All of us check the green color padlock when browsing specially when we are purchasing something or doing banking because it lets us know that the site has TLS encryption, and no one will be able to eavesdrop on any data we submit. But it’s possible for an attacker to display that green color padlock and imitate a legitimate URL. Using this method an attacker could obtain a victim’s credentials or sensitive information very easily.

To counteract the issue, ICANN developed ‘Punycode’ as a way of specifying actual domain registrations by representing Unicode within the limited character subset of ASCII used for internet host names. The idea was that browsers would first read the Punycode URL and then transform it into displayable Unicode characters inside the browser.[4] Also, modern web browsers have introduced built in addons filters to render URLs in Punycode instead of Unicode.

The dangers of punycode

But researchers have found that if the whole domain name is in a one foreign language some browsers will render it in that language rather than in Punycode and this is considered as a loophole in Punycode and can be used as an attack vector. Cybercriminals leverage this feature of Punycode, using foreign characters to create unique domains that when rendered, look like well-known English URLs.

Try it yourself

Test it on your own browser. Copy and Paste xn--80ak6aa92e.com into the Address Bar of your browser and press ENTER. [5]

If your browser is displaying apple.com with a security certificate your browser is vulnerable for homograph attack. So, it’s a must to keep your browser up to date as these defense mechanisms will be included in security patches.

Although this particular attack may not directly impact a large number of individuals or organizations, it does serve as two important reminders. First, that there’s a lot of very intelligent people who are quite capable of creating new phishing and malware attacks that will successfully penetrate our systems, and that will never change. Second, organizations must aggressively and continuously upgrade their defenses to thwart the advanced attacks that will surely come.[6]

  1. https://www.symantec.com/connect/blogs/bad-guys-using-internationalized-domain-names-idns
  2. https://randed.com/punycode-attack/?lang=en
  3. https://securityintelligence.com/beware-of-the-latest-punycode-attacks/
  4. https://fraudwatchinternational.com/expert-explanations/punycode-phishing-part-1/
  5. https://www.xudongz.com/blog/2017/idn-phishing/
  6. https://www.lastline.com/blog/punycode-cyberattack/
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.