There’s another phishing threat out there, a particularly nefarious one that takes advantage of how similar some foreign characters appear compared to our own alphabet. A web application developer has provided a proof-of-concept of the vulnerability using Apple’s domain name, or something that strongly resembles it when you realize that not all computers use just ASCII characters. What results is the Punycode phishing attack.
ASCII Versus Unicode
ASCII is short for American Standard Code for Information Interchange. It’s a way of representing text in computers, telecommunications equipment, and other devices. It was first developed from telegraph code, and it’s fairly limited in terms of which characters it can represent. In total, ASCII can represent 128 characters, which have to cover not only the lower-case and upper-case letters of the alphabet, but also every numerical digit and the commonly used symbols (like &, $, #, @, etc.).
ASCII also includes control characters like the delete key on your keyboard, the carriage return, and many others. To make a long story short, the limits of ASCII make it impossible to include accented characters like ä, é, î, or any similar variants. Needless to say, the letters of completely foreign scripts like the Cyrillic character set are completely out of the question.
That’s why we came up with Unicode. Unicode is a much broader character set, and encompasses more than 128,000 characters covering 135 modern and historic scripts, along with multiple sets of symbols.
What Does the Internet Use?
Internet host names use ASCII, for the most part. However, recognition of the need to accommodate foreign languages has resulted in the creation of Punycode – a way to represent Unicode within the limited character subset of ASCII used for Internet host names. Punycode provides the means to incorporate names like München (the German name for the city of Munich) in a domain name in such a way that German readers will recognize it as such. In Punycode, München is encoded as “xn--mnich-kva”. On a browser that renders Punycode into Unicode, such a domain as “xn--mnich-kva.com” would appear as “münich.com”, as you can see in the below screenshot from Firefox.
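To make the encoding concrete, here is an added example (not code from the original article) that converts hostnames between their Unicode and xn-- forms with Python’s built-in idna codec, and then applies the kind of check a mail gateway or URL filter would want: it flags internationalized labels, labels that mix scripts, and names whose accent-stripped or homoglyph-mapped “skeleton” collides with a domain you care about. The homoglyph table is a hand-made subset of Cyrillic/Latin look-alike pairs, and the sample hostnames and the protected-domain set are constructed for illustration.

```python
import unicodedata


def to_punycode(hostname: str) -> str:
    """Return the ASCII (xn--) form of a hostname, label by label.

    Labels that are already ASCII pass through unchanged, so the function
    is safe to call on names that arrive either way.
    """
    return hostname.encode("idna").decode("ascii")


def from_punycode(hostname: str) -> str:
    """Decode xn-- labels back to the Unicode form a browser would display."""
    return hostname.encode("ascii").decode("idna")


# Hand-made homoglyph table: a small subset of Cyrillic letters that look
# identical to Latin ones in common fonts (assumption: not a complete
# confusables table such as Unicode TR39).
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
}


def skeleton(label: str) -> str:
    """Collapse a label to the plain ASCII a reader is likely to perceive.

    NFKD splits accented letters into base letter plus combining mark
    (ü -> u + U+0308); the mark is dropped, and known Cyrillic look-alikes
    are mapped to their Latin twins.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(CYRILLIC_TO_LATIN.get(ch, ch))
    return "".join(out)


def label_scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess(hostname: str, protected: set) -> dict:
    """Report IDN, mixed-script and look-alike properties of a hostname."""
    ascii_form = to_punycode(hostname)
    unicode_form = from_punycode(ascii_form)
    findings = []
    if ascii_form != unicode_form:
        findings.append("contains internationalized (xn--) labels")
    for label in unicode_form.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    skel = ".".join(skeleton(label) for label in unicode_form.split("."))
    # Only a name that differs from its own skeleton can be impersonating one.
    lookalike = skel if skel != unicode_form and skel in protected else None
    if lookalike:
        findings.append(f"visually resembles protected domain {lookalike}")
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "skeleton": skel,
        "lookalike_of": lookalike,
        "findings": findings,
    }


# Constructed sample inputs (not from the article): a plain ASCII name, the
# article's münich example in both forms, and a Cyrillic/Latin mix that
# renders like "example.com".
SAMPLE_HOSTNAMES = [
    "example.com",
    "münich.com",
    "xn--mnich-kva.com",
    "\u0435\u0445\u0430m\u0440l\u0435.com",
]
PROTECTED = {"example.com", "munich.com"}

if __name__ == "__main__":
    for name in SAMPLE_HOSTNAMES:
        report = assess(name, PROTECTED)
        print(f"{name} -> {report['ascii']}")
        for finding in report["findings"]:
            print("   ", finding)
```

Two design points worth noting: the check normalizes to the ASCII form first, so a name submitted as “xn--mnich-kva.com” and one submitted as “münich.com” produce the same report; and a mixed-script finding is independent of the protected list, so it still fires for brands you have not enumerated.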