There’s another phishing threat out there, a particularly nefarious one that exploits how closely some characters from foreign scripts resemble the letters of our own alphabet. A web application developer has published a proof-of-concept of the vulnerability using Apple’s domain name, or rather something that strongly resembles it once you realize that not all computers restrict themselves to ASCII characters. The result is the Punycode phishing attack.


Through a Punycode phishing attack, you could be tricked into thinking you’re on a major retailer’s website (Image Credit: Geralt)

ASCII Versus Unicode

ASCII is the abbreviated form of American Standard Code for Information Interchange. It is a way of representing text in computers, telecommunications equipment, and other devices. It was originally developed from telegraph code, and it is fairly limited in the characters it can represent: in total, ASCII defines 128 characters, which have to cover not only the lower-case and upper-case letters of the alphabet, but also every numerical digit and the commonly used symbols (&, $, #, @, and so on).

ASCII also includes control characters such as delete, carriage return, and many others. To make a long story short, the limits of ASCII leave no room for accented characters like ä, é, î, or any similar variants. Needless to say, the letters of entirely foreign scripts such as the Cyrillic alphabet are completely out of the question.

That’s why we came up with Unicode. Unicode is a much broader character set, encompassing more than 128,000 characters that cover 135 modern and historic scripts, along with multiple sets of symbols.

What Does the Internet Use?

Internet host names use ASCII, for the most part: a DNS label may only contain letters, digits and hyphens. Recognition of the need to accommodate other languages led to the creation of Punycode, a way to represent Unicode within that limited ASCII subset. Punycode makes it possible to put a name like München (the German name for the city of Munich) in a domain name in such a way that German readers will recognize it as such. In Punycode, “münchen” is encoded as “mnchen-kva”: the ASCII letters survive as they are, and the suffix after the hyphen records where the “ü” belongs. The host name label carries the prefix “xn--” to mark it as encoded, giving “xn--mnchen-kva”. A browser that renders Punycode back into Unicode displays “xn--mnchen-kva” as “münchen”, as you can see in the screenshot below from Firefox.


As you can see, Firefox displays the Punycode version of München as its Unicode characters

Up Next: A Phishing Attack Using Punycode


Thanks, Jeff.

This is the kind of information one needs in order to make a truly informed decision on browser choice; s