Sophisticated hackers have been exploiting vulnerabilities in Chrome and Firefox to trick even the most careful internet users into logging into fake domains for sites like Apple, Google, and Amazon. Usually a spoofed webpage uses a domain name with a misspelling that is barely noticeable in the browser, but with a keen eye you can still catch it. What if the fake domain name is impossible for the naked eye to spot? That is the case with punycode attacks.

What is punycode and why is it important?

Internationalized Domain Names (IDNs) use a character set that includes accented letters, special characters and symbols. The Domain Name System (DNS) uses a different and far more limited character set, ASCII (American Standard Code for Information Interchange). Something was needed to let the regions of the world that use broader character sets (e.g. Greece, China) use the same DNS as the rest of the internet. Thus we have Punycode – a method of encoding IDNs so they can be understood by the DNS.
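To make the encoding concrete, here is an added example (my own code, not Wandera's) that converts a Unicode domain to its xn-- form and back using Python's built-in punycode codec, and lists the code point and Unicode name of every non-ASCII character in a decoded name. The sample names are constructed for the demonstration, apart from the xn-- domains quoted later in this article.

```python
import unicodedata

ACE_PREFIX = "xn--"  # ASCII Compatible Encoding prefix that marks a Punycode label


def to_ace(domain):
    """Encode a Unicode domain name into its ASCII Compatible Encoding (ACE) form.

    Each label containing non-ASCII characters is Punycode-encoded (RFC 3492) and
    prefixed with "xn--"; labels that are already ASCII pass through unchanged.
    Names are lower-cased first because DNS is case-insensitive and the encoded
    digits would otherwise differ for upper-case input.
    """
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain):
    """Decode an ACE domain name back to Unicode, label by label."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith(ACE_PREFIX):
            out.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def non_ascii_report(domain):
    """List every non-ASCII character of the decoded domain as a
    (character, "U+XXXX", Unicode name) triple, so the substitution is visible
    even when the rendered glyph is indistinguishable from an ASCII letter."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in to_unicode(domain)
        if not ch.isascii()
    ]


if __name__ == "__main__":
    # Constructed sample set: one legitimate IDN, then ACE names quoted in the article.
    samples = ["m\u00fcnchen.de", "xn--80ak6aa92e.com", "xn--addas-o4a.de", "xn--googe-95a.com"]
    for name in samples:
        decoded = to_unicode(name)
        print(f"{name:22} -> {decoded:14} -> {to_ace(decoded)}")
        for ch, cp, uname in non_ascii_report(name):
            print(f"    {ch!r} {cp} {uname}")
```

This is the raw RFC 3492 transform only; a real resolver or browser additionally applies IDNA mapping and validation (nameprep or UTS 46) before encoding, which this example deliberately omits so the per-label round trip stays visible.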

The problem with unicode domains

Some Unicode characters (which represent letters of non-Roman alphabets in IDNs) look identical to ASCII letters to the naked eye, yet they produce different web addresses and are treated differently by computers.

Some letters in the Roman alphabet have the same shape as letters in the Greek, Cyrillic and other alphabets, for example I, E, A, Y, T and O. So it is easy for an attacker to register a domain name that replaces some ASCII characters with Unicode look-alikes. Depending on how the browser renders the name in the address bar, these sneaky little characters are impossible for us humans to identify.

This technique is called a homograph attack: the URL looks legitimate, but the content on the page comes from a different server and may be set up to steal the victim’s sensitive data or to infect the user’s device. These attacks are delivered through common techniques such as phishing, forced downloads and scams.

Can you spot the Unicode character in the domain?

Why is it a bigger problem on mobile?

Punycode attacks (otherwise known as homograph attacks) can take place on both desktop and mobile, as browser developers tend to treat punycode the same across all platforms: if a browser displays Unicode to the user on one device, it does so on all of them. Our research into punycode attacks on mobile identified a number of new malicious domains (listed below). Not only are these sites hosting phishing attacks on domains that are visually deceptive to users, but they are optimized for mobile, meaning hackers are aware of the difficulties mobile users face in identifying deceptive URLs. By targeting mobile users, these attacks result in more successful phishing campaigns.

Phishing attacks are generally more difficult to detect on mobile for a number of reasons, which are only compounded when Unicode is introduced and displayed in its rendered form.

  • Smaller screen size leaves less space to evaluate the legitimacy of a website
  • OS design typically hides the already tiny address bar as the user scrolls down, to make room for page content
  • Distracted users tend to rush through various pages and notifications
  • There is no mouse-over or preview functionality, which prevents the user from seeing or evaluating the link destination before clicking

Which browsers are displaying Unicode domains?

By default, many web browsers display suspicious IDNs in their ASCII Compatible Encoding (ACE) form, which begins with the xn-- prefix, rather than rendering the Unicode characters; this is a reasonable measure to defend against homograph phishing attacks. However, not all browsers display the punycode form, leaving visitors none the wiser.

Hackers can exploit browsers that do not show the prefix to display their fake domain names as though they were the websites of legitimate services, and so steal login credentials, credit card numbers and other sensitive information from users.

In this example, Chinese security researcher Xudong Zheng discovered a loophole that allowed him to register the domain name xn--80ak6aa92e.com and bypass the protection: the domain appeared as “apple.com” in all vulnerable web browsers, which at the time included Chrome, Firefox, and Opera. Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi were not vulnerable.

Our current research shows the following behavior on the two major web browsers Chrome and Safari:

  • Chrome – often displays the raw punycode with the xn-- prefix. When it is unsure whether the site is suspicious, it does not translate the name into Unicode but still lets you visit the site. When it is sure the site is malicious, it shows a “deceptive site ahead” warning.
  • Safari – most of the time translates the punycode into Unicode characters. When it is sure the site is malicious, it shows a “deceptive site ahead” warning but still translates the punycode into Unicode characters.

Most of the current research into punycode focuses on how browsers treat these domains, but this research goes beyond the browser, to demonstrate that the way apps treat punycode is just as important.

What’s new here?

In our testing, we observed that deceptive punycode domains were not being flagged as suspicious by widely used communication and collaboration tools. We tested the following apps on iOS and Android devices: Gmail, Apple Mail, iMessage, Message+, WhatsApp, Facebook Messenger, Skype, and Instagram. Of this sample, only Facebook Messenger, Instagram and Skype seem to give the user an opportunity to identify the punycode URL, either by showing a preview of the webpage with the xn-- prefix or, in the case of Skype, by not hyperlinking domains that use Unicode, so users cannot click through from the message. While these apps do not provide the best methods of defense, they at least allow closer scrutiny of suspicious links.

Some of the collaboration apps that can deliver punycode attacks on mobile

So it seems that by displaying the deceptive Unicode, these apps are opting for an enhanced user experience over security controls that would catch malicious sites. Some of the responsibility should fall on the developers of these apps to ensure multiple layers of security are enforced to defend effectively against these attacks.

Spot the Unicode – if the app developers are always focused on a pretty user experience, where is the security?

What examples have we seen?

As part of our zero-day phishing research and development, we began identifying punycode attacks back in 2017. At that time the domain names were mostly unrecognizable. In the past 12 months we have seen a 250% increase in the number of punycode domains, and many of them now imitate well-known brands, likely because hackers know those are more likely to be trusted by victims.

Wandera’s threat research team discovered a number of malicious sites that were displayed as Unicode in the Chrome and Safari browsers, without the xn-- prefix. Not only did they display Unicode characters, but they also hosted malicious content.

Here are some examples from known brands:

Brand              | What a vulnerable mobile app displays | Domain name used in ASCII (punycode) for DNS lookup to phishing site
-------------------|---------------------------------------|---------------------------------------------------------------------
Adidas             | adıdas.de                             | http://xn--addas-o4a.de/
Aer Lingus         | aerlịngus.com                         | xn--aerlngus-j80d.com
Aer Lingus         | aeṛlingus.com                         | xn--aelingus-of0d.com
Air France         | airfrạnce.com                         | xn--airfrnce-rx0d.com
British Airways    | britishairẉays.com                    | xn--britishairays-541g.com
British Airways    | britishạirways.com                    | xn--britishirways-of2g.com
Google             | googĺe.com                            | xn--googe-95a.com
Haribo             | harıbo.com                            | xn--harbo-p4a.com
Iberia             | ibeṛia.com                            | xn--ibeia-lp1b.com
IKEA               | iƙea.com                              | xn--iea-f6a.com
Lidl               | lidǀ.com                              | xn--lid-xbb.com
Milka              | mılka.com                             | xn--mlka-lza.com
Milka              | mılka.de                              | xn--mlka-lza.de
Rolex              | rolẹx.com                             | xn--rolx-nu5a.com
Rolex              | rołex.com                             | xn--roex-11a.com
Ryanair            | ryanaır.de                            | xn--ryanar-t9a.de
Singapore Airlines | sıngaporeair.com                      | xn--sngaporeair-zzb.com
Spar               | spaɾ.com                              | xn--spa-nxb.com
Starbucks          | starɓucks.com                         | xn--starucks-hpd.com
Waitrose           | waıtrose.com                          | xn--watrose-sfb.com
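Browsers that fall back to the xn-- form decide to do so by running heuristics over the decoded label, and the same checks can run in a mail gateway, a chat app, or a link scanner that sees the domains in the table above. The following added example (my own code, not Wandera's and not any browser's implementation) applies three such checks to each label: whether it decodes to non-ASCII at all, whether it mixes scripts, and whether folding its look-alike characters to ASCII yields a watched brand name. The watch list and the look-alike map are constructed for this example; the map is a deliberately small stand-in for the Unicode TR39 confusables data and covers only the substitutions seen in this article.

```python
import unicodedata

ACE_PREFIX = "xn--"

# Constructed watch list of brand labels (second-level names) a defender cares about.
WATCHED_BRANDS = {"apple", "adidas", "google", "rolex", "lidl", "paypal"}

# Constructed look-alike map for characters that survive NFKD plus mark-stripping
# unchanged. A deliberately small stand-in for the Unicode TR39 confusables table.
LOOKALIKES = {
    "\u0131": "i",  # ı  LATIN SMALL LETTER DOTLESS I
    "\u0142": "l",  # ł  LATIN SMALL LETTER L WITH STROKE
    "\u0199": "k",  # ƙ  LATIN SMALL LETTER K WITH HOOK
    "\u01c0": "l",  # ǀ  LATIN LETTER DENTAL CLICK
    "\u027e": "r",  # ɾ  LATIN SMALL LETTER R WITH FISHHOOK
    "\u0253": "b",  # ɓ  LATIN SMALL LETTER B WITH HOOK
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",  # Cyrillic с у х ӏ
}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def decode_label(label):
    """Return the Unicode form of one label; labels without the xn-- prefix pass through."""
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def script_of(ch):
    """Crude script classification taken from the Unicode character name.
    Digits, hyphens and combining marks are treated as script-neutral ("COMMON")."""
    if unicodedata.category(ch) == "Mn" or (ch.isascii() and not ch.isalpha()):
        return "COMMON"
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def skeleton(label):
    """Fold a label to an ASCII approximation: NFKD, drop combining marks, then
    replace known look-alikes. Makes 'rolẹx' and 'аррӏе' compare as 'rolex' and 'apple'."""
    folded = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.category(ch) == "Mn":
            continue  # accents and dots below are exactly what the attacker relies on
        folded.append(LOOKALIKES.get(ch, ch))
    return "".join(folded)


def assess(domain):
    """Return one finding per non-ASCII label of the domain (ACE or Unicode input).
    An empty list means every label is plain ASCII."""
    findings = []
    for label in domain.lower().split("."):
        decoded = decode_label(label)
        if decoded.isascii():
            continue
        scripts = {script_of(ch) for ch in decoded} - {"COMMON"}
        folded = skeleton(decoded)
        findings.append({
            "label": label,
            "decoded": decoded,
            "mixed_script": len(scripts) > 1,
            "lookalike_of": folded if folded in WATCHED_BRANDS and folded != decoded else None,
        })
    return findings


if __name__ == "__main__":
    # Constructed samples: xn-- names quoted in the article, a legitimate IDN, and one
    # mixed-script label built for the demonstration.
    for name in ["apple.com", "xn--80ak6aa92e.com", "xn--addas-o4a.de", "xn--rolx-nu5a.com",
                 "xn--lid-xbb.com", "xn--mnchen-3ya.de", "p\u0430ypal.com"]:
        for f in assess(name):
            verdict = f"LOOKALIKE of {f['lookalike_of']}" if f["lookalike_of"] else "non-ASCII"
            print(f"{name:20} {f['decoded']:9} mixed_script={f['mixed_script']!s:5} {verdict}")
```

The mixed-script check alone misses most of the table above, because a dotless ı or an ẹ is still a Latin letter; that is why the fold-and-compare step against a brand list is the check that actually matches those names, and why a production deployment should load the full confusables table rather than the handful of entries constructed here.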

In some of the examples we have seen, the sites display competitions that offer prizes in exchange for sharing a link over WhatsApp, and sometimes they redirect the user to other scam pages when the user presses the back button repeatedly. In other cases the pages immediately redirect to other sites displaying advertisements for app downloads or software updates.

The speed of phishing attacks

Shortly after discovery and documentation, the content on most of these sites was removed. This shows how fast hackers are moving and is consistent with other forms of phishing we are seeing. Our research shows a new phishing site is created every 20 seconds, and they are usually live for only four hours before the hackers take them down and move on to create another deceptive domain, a clever way to cover their tracks and evade detection.

What should you do to protect against punycode attacks?

  • Be cautious if the site presses you to do something quickly
  • Go to the original company URL and check if the deal is available there as well
  • If some of the letters in the address bar look odd or the website design looks different, retype the address or visit the original company URL in a new tab to compare
  • Use a password manager, which helps reduce the risk of pasting passwords into any spoof site
  • Force your browser to display punycode names, if your browser offers that option
  • Click on the padlock to view and inspect the HTTPS certificate
  • Use a mobile security solution

Is mobile phishing the biggest mobile security risk?

Phishing is not only far more prevalent than you might think, but it has also become a major security threat on mobile devices, not just desktop. Find out where phishing attacks are happening, in which apps, and on what operating systems.
