Punycode Attack

What is Punycode?

Punycode

noun

Unicode that converts words that cannot be written in ASCII, like the Greek word for thank you ‘ευχαριστώ’ into an ASCII encoding, like ‘xn--mxahn5algcq2e’ for use as domain names.

What does this actually mean?!

Writing with numbers

As with all things computers, it all boils down to numbers. Every letter, character or emoji we type has a unique binary number associated with it so that our computers can process them. ASCII, a character encoding standard, uses 7 bits to code up to 127 characters, enough to code the Alphabet in upper and lower case, numbers 0-9 and some additional special characters. Where ASCII falls down is that it does not support languages such as Greek, Hebrew, and Arabic for example, this is where Unicode comes in; it uses 32 bits to code up to 2,147,483,647 characters! Unicode gives us enough options to support any language and even our ever-growing collection of emojis.

So where does Punycode come in?

Punycode is a way of converting words that cannot be written in ASCII, into a Unicode ASCII encoding. Why would you want to do this? The global Domain Name System (DNS), the naming system for any resource connected to the internet, is limited to ASCII characters. With punycode, you can include non-ASCII characters within a domain name by creating “bootstring” encoding of unicode as part of a complicated encoding process.

 

How does a Punycode attack work?

Unicode characters can look the same to the naked eye but actually, have a different web address. Some letters in the Roman alphabet, used by the majority of modern languages, are the same shape as letters in Greek, Cyrillic, and other alphabets, so it’s easy for an attacker to launch a domain name that replaces some ASCII characters with Unicode characters. For example, you could swap a normal T for a Greek Tau: τ, the user would see the almost identical T symbol but the punycode behind this, read by the computer, is actually xn--5xa. Depending on how the browser renders this information in the address bar, these sneaky little characters are impossible for us humans to identify.

This is a technique is called a homograph attack, the URLs will look legitimate, and the content on the page might appear the same on the face of it but its actually a different website set up to steal the victim’s sensitive data or to infect the user’s device. These attacks use common techniques like phishing, forced downloads, and scams.

Just Browsing – Is Punycode an issue on all browsers?

By default, many web browsers use the xn-- prefix known as an ASCII compatible encoding prefix to indicate to the web browser that the domain uses punycode to represent unicode characters. This is a measure to defend against Homograph phishing attacks. However, not all browsers display the punycode prefix, leaving visitors none-the-wiser.

Hackers can exploit the vulnerability in the browsers that don’t use the prefix to display their fake domain names as the websites of legitimate services to steal login credentials, credit card numbers and other sensitive information from users.

In this example, Chinese security researcher Xudong Zheng discovered a loophole which allowed him to register the domain name xn--80ak6aa92e.com and bypass protection, which appears as “apple.com” by all vulnerable web browsers, which at the time included Chrome, Firefox, and Opera. Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi were not vulnerable.

Our current research shows the following behavior on the two major web browsers Chrome and Safari:

Do Punycode attacks work on Mobile Apps?

Punycode attacks can take place on both desktop and mobile, as the various browser developers tend to treat punycode the same across all platforms. In short, if they display unicode to a user on one device, they do it on all platforms. Most of the current research into punycode focuses on how browsers treat these domains, but our research goes beyond the browser, to demonstrate that the way apps treat punycode is just as important. In our testing, we observed deceptive punycode domains were not being flagged as suspicious by widely used communication and collaboration tools used by employees. We tested the following apps on iOS and Android devices: Gmail, Apple Mail, iMessage, Message+, Whatsapp, Facebook Messenger, Skype, and Instagram. Only Facebook Messenger, Instagram and Skype provided an opportunity for the user to identify the punycode URL by either showing a preview of the webpage with the xn prefix, or in the case of skype, by not providing a hyperlink for domains using unicode, meaning users can’t click through from the message. While these apps are not providing the best methods of defense, they at least provide an opportunity to asses suspicious links more closely.

Some of the collaboration apps that can deliver punycode attacks on mobile

So it seems that by displaying the deceptive unicode that the majority of apps are opting to deliver an enhanced user experience over providing security to catch malicious sites. Some of the responsibility should fall upon the developers of these apps to ensure multiple layers of security are enforced to effectively defend against these attacks.

Why are Punycode attacks a bigger problem on mobile?

Our research into Punycode attacks on mobile identified a number of new malicious domains (listed below). Not only are these sites hosting phishing attacks on domains that are visually deceptive to users, but they are optimized for mobile, meaning hackers are aware of the difficulties faced by mobile users in identifying deceptive URLs. By targeting mobile users, these attacks are resulting in more successful phishing campaigns.

Phishing attacks are generally more difficult to detect on mobile for a number of reasons, this becomes near impossible when punycode is introduced and displayed properly.

It’s getting emotional – How do Emoji domains factor in?

In the same way that special characters of different languages are encoded as punycode so too can the ever-growing library of emojis. An emoji domain is literally a domain with an emoji in it e.g. www.😉.com, punycode is essential for this.

Here’s a recent example identified by Wandera’s intelligent machine learning machine, MI:RIAM:

How can Punycode attacks use emojis? By using emojis a a hacker can hide elements of their copycat link that would otherwise look suspicious. Here lies a new opportunity for phishers to target a younger demographic with punycode phishing, used as a part of SMS-phishing campaigns, this could be a dangerous combination.

 20 Real life examples of Punycode with big brands

Wandera’s Zero-day phishing research has been identifying Punycode attacks since 2017. We’ve seen a 250% increase in the number of Punycode domains over the last 12 months:

Brand

What the user sees

The Punycode

Adidas

adıdas.de

http://xn--addas-o4a.de/

Aerlingus

aerlịngus.com

xn--aerlngus-j80d.com

Aerlingus

aeṛlingus.com

xn--aelingus-of0d.com

Air France

airfrạnce.com

xn--airfrnce-rx0d.com

British Airways

britishairẉays.com

xn--britishairays-541g.com

British Airways

britishạirways.com

xn--britishirways-of2g.com

Google

googåe.com

xn--googe-95a.com

Haribo

harıbo.com

xn--harbo-p4a.com

Iberia

ibeṛia.com

xn--ibeia-lp1b.com

IKEA

iƙea.com

xn--iea-f6a.com

Lidl

lidǀ.com

xn--lid-xbb.com

Milka

mılka.com

xn--mlka-lza.com

Milka

mılka.de

xn--mlka-lza.de

Rolex

rolẹx.com

xn--rolx-nu5a.com

Rolex

ro³ex.com

xn--roex-11a.com

Ryanair

ryanaır.de

xn--ryanar-t9a.de

Singapore Airlines

sıngaporeair.com

xn--sngaporeair-zzb.com

Spar

spaɾ.com

xn--spa-nxb.com

Starbucks

starɓucks.com

xn--starucks-hpd.com

Waitrose

waıtrose.com

xn--watrose-sfb.com

In some of the examples we have seen, the sites display competitions that offer prizes in exchange for sharing a link over whatsapp, and sometimes they redirect the user to other scam pages when the user hits the back button multiple times. In other cases the pages immediately redirect to other sites displaying app download advertisements of software updates.

Shortly after discovery and documentation, the content from most of these sites was removed. This is proof of how fast hackers are moving and is consistent with other forms of phishing attacks we are seeing.

Our research shows a new phishing site is created every 20 seconds and they are usually only live for four hours before hackers take them down and move on to create another deceiving domain. A clever way to cover their tracks and evade detection.

7 Ways to avoid a Punycode attack

  1. Be cautious if the site presses you to do something quickly. This is a classic strategy by hackers to rush their potential victims so that they are less likely to notice anything suspicious. Often they will offer a ‘limited time only’ deal, and make it difficult to exit the page with ‘are you sure you want to exit’ pop ups: these are all tactics to make you stay on their site longer and give them your details.

  2. If you are being offered a deal, go to the original company site and check if it’s available there as well, if not it’s mostly likely a scam doing it’s best to mimic the established brand and trick visitors into handing over their details.

  3. If some of the letters in the address bar look weird, or the website design looks different, rewrite it or visit the original company URL in a new tab to compare. The letters in the address bar looking strange is a key indicator that punycode is being used to trick you into thinking you are visiting a well-established brand site when in fact you are being taken to a malicious site.

  4. Use a password manager; this reduces the risk of pasting passwords into dodgy sites. 

  5. Force your browser to display Punycode names, this option is available in Firefox.

  6. Click on the padlock to view and inspect the HTTPS certificate.

  7. Use a mobile security solution,Wandera for example uses MI:RIAM’s machine learning and artificial intelligence to monitor all data traffic and to detect and block phishing links isuch as these.