The Punycode Phishing Attack on Web Browsers Ain’t So Puny


There’s another phishing threat out there, a particularly nefarious one that takes advantage of how closely some foreign characters resemble letters of our own alphabet. A web application developer has published a proof of concept of the vulnerability using what looks like Apple’s domain name but is really a look-alike, which only becomes apparent once you realize that not all computers use just ASCII characters. What results is the Punycode phishing attack.

[Image: Punycode phishing attack] Through a Punycode phishing attack, you could be tricked into thinking you’re on a major retailer’s website (Image Credit: Geralt)

ASCII Versus Unicode

ASCII is the abbreviation of American Standard Code for Information Interchange. It’s a way of representing text in computers, telecommunications equipment, and other devices. It was first developed from telegraph code, and it’s fairly limited in terms of which characters it can represent. In total, ASCII is capable of rendering 128 characters, which have to encompass not only the lower-case and upper-case letters of the alphabet, but also every numerical digit and every commonly used symbol (like &, $, #, @, etc.).

ASCII also includes control characters such as delete (the delete key on your keyboard), carriage return, and many others. To make a long story short, ASCII’s limits leave no room for accented characters like ä, é, or î, or any similar variants. Needless to say, the letters of completely foreign scripts like the Cyrillic character set are completely out of the question.

That’s why we came up with Unicode. Unicode is a much broader character set, and encompasses more than 128,000 characters covering 135 modern and historic scripts, along with multiple sets of symbols.

What Does the Internet Use?

Internet host names use ASCII, for the most part. However, recognition of the need to accommodate foreign languages has resulted in the creation of Punycode – a way to represent Unicode within the limited subset of ASCII characters allowed in Internet host names. Punycode provides the means to incorporate names like München (the German name for the city of Munich) in a domain name in such a way that German readers will recognize it as such. In Punycode, München is encoded as “xn--mnich-kva”. On a browser that renders Punycode as Unicode, a domain such as “xn--mnich-kva.com” would appear as “münich.com”, as the Firefox screenshot below shows.

[Screenshot: Firefox rendering xn--mnich-kva.com as münich.com] As you can see, Firefox renders the Punycode form of Münich as Unicode characters
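To make the encoding step concrete, here is an added example (not code from the original article) that converts labels between their Unicode and “xn--” forms with Python’s built-in punycode codec, and flags labels whose letters come from more than one script, the kind of mixing a look-alike domain relies on. The script check is an approximation taken from the first word of each character’s Unicode name, and the hostnames used are constructed for the demonstration.

```python
"""Decode/encode Punycode labels and flag mixed-script hostnames.

Added example, not from the original article. Script detection is
approximated from the first word of each character's Unicode name
(e.g. 'LATIN SMALL LETTER A' -> 'LATIN').
"""
import unicodedata


def encode_label(label: str) -> str:
    """Unicode label -> ACE label ('münich' -> 'xn--mnich-kva'); ASCII is unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def decode_label(label: str) -> str:
    """ACE label -> Unicode label ('xn--mnich-kva' -> 'münich'); others unchanged."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # not valid Punycode: leave the label as given
    return label


def letter_scripts(text: str) -> set:
    """Approximate script names of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def inspect_hostname(host: str) -> list:
    """Per-label report: ACE form, Unicode form, scripts used, and mixed-script flag."""
    report = []
    for label in host.split("."):
        unicode_form = decode_label(label)
        scripts = letter_scripts(unicode_form)
        report.append({
            "ace": encode_label(unicode_form),
            "unicode": unicode_form,
            "scripts": sorted(scripts),
            "idn": not unicode_form.isascii(),      # True when the label is not plain ASCII
            "mixed_script": len(scripts) > 1,       # letters from more than one script
        })
    return report


if __name__ == "__main__":
    # Constructed inputs: the article's example, and a label containing a Cyrillic 'а' (U+0430).
    for host in ("xn--mnich-kva.com", "ex\u0430mple.com"):
        for entry in inspect_hostname(host):
            print(entry)
```

A browser that shows the Unicode form hides exactly the difference the "ace" field makes visible, which is why the mixed_script flag is worth surfacing wherever hostnames are displayed or logged.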


2 Comments

  1. John Kheit

    Thanks for the heads up Jeff! I’ve worried about the use of ‘spoof characters’ aka look-alike characters for a long while. Bottom line, don’t click on stuff. Either type out the URL yourself, or use one of your own saved links from having first typed it out beforehand… The world we live in…

  2. wab95

    Thanks, Jeff.

    This is the kind of information one needs in order to make a truly informed decision on browser choice; something seemingly simple, but not so straightforward.

    @John: great advice about the URL. I have had occasion (just yesterday in fact on the eraCommons site managed by the National Institutes of Health) where a saved link has expired and earns you a ‘Page Not Found’ response, so learning to type it in is good etiquette.
