Phishing and domain squatting have been around for a while, but people never stop finding new ways to trick users into handing over confidential data.

I never really got hit by any of that, except for a few fishy links that looked like steamcommunity.com but had, for example, an extra letter in the domain name. That kind is easy to spot, and your browser will usually block them anyway since they're reported. A new way of luring people onto fake websites is Punycode. Well, if I'm correct it's not really new; it just got some attention recently.

Take a look at the two URLs. They are from two different websites, but they look exactly the same; in fact, I don't remember which one is from the actual Apple website anymore. That's the power of Punycode. It works in Chrome, Firefox and any other recent browser. You can try it yourself here (Test site: apple.com, Original: apple.com).

Punycode is used to allow special characters such as ü, ä and ö in URLs, but it also allows characters from other alphabets that look exactly like the Latin alphabet. While this is sometimes a useful feature, it's rarely used, and it makes the difference hard to tell. In this case the entire domain is written in Cyrillic letters (you can only really see it on the l). This way most browsers won't see it as a phishing domain.

Depending on your operating system, the current font might give away that the URL is not actually apple.com, but on Windows you won't be able to tell. Both sites use HTTPS and have a valid certificate, making them look completely identical at first glance. Firefox also shows which certificate is used, which can tell you whether you're looking at the original site, since it will say "Apple Inc. (US)" in the URL bar. That doesn't happen with all URLs though, so it's not a consistent way of identifying phishing sites.
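The following script is an added example, not code from the post or from any browser: it decodes the demo domain with Python's built-in punycode codec and runs the two checks a defender would apply to a hostname. The first is the classic mixed-script check, which a label written entirely in Cyrillic passes, which is exactly why the post says most browsers did not flag it. The second is a whole-label look-alike check: if every character of a non-ASCII label has a Latin twin, the label is reported together with the ASCII name it imitates. The Cyrillic look-alike table is a hand-picked subset I am assuming for illustration, not the full Unicode confusables list, and the sample hostnames other than the post's demo domain are constructed.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters whose glyphs are near-identical to
# Latin ones in common fonts (assumption: illustrative, not the full Unicode
# confusables table).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA (the "l" in the demo domain)
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}


def decode_label(label):
    """Turn an A-label ("xn--...") into its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label):
    """Infer each character's script from the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are script-neutral."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def latin_lookalike(label):
    """Return the ASCII string a label imitates, or None if some character has
    no Latin look-alike (then it cannot pass as a plain-ASCII name)."""
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[ch])
        else:
            return None
    return "".join(out)


def assess_hostname(hostname):
    """Per-label homograph assessment. A label is flagged if it mixes scripts
    (the classic check) or if it is non-ASCII yet every character has a Latin
    look-alike (the single-script case the mixed-script check misses)."""
    labels = [decode_label(part) for part in hostname.split(".")]
    findings = []
    for label in labels:
        scripts = scripts_of(label)
        looks_like = None if label.isascii() else latin_lookalike(label)
        findings.append({
            "label": label,
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
            "looks_like": looks_like,
        })
    return {
        "unicode": ".".join(labels),
        "labels": findings,
        "suspicious": any(f["mixed_script"] or f["looks_like"] for f in findings),
    }


if __name__ == "__main__":
    # Constructed inputs: the post's demo domain, a plain German IDN that should
    # pass, and a label with one Cyrillic "a" dropped into Latin "example".
    for host in ("www.xn--80ak6aa92e.com", "xn--mnchen-3ya.de", "ex\u0430mple.com"):
        report = assess_hostname(host)
        print(host, "->", report["unicode"], "suspicious:", report["suspicious"])
        for finding in report["labels"]:
            print("   ", finding)
```

Running it shows the demo domain decoding to a five-letter Cyrillic label that is single-script (so `mixed_script` is false) but imitates `apple` character for character, while the German IDN is single-script Latin and is left alone. The same per-label routine can be run over proxy or DNS logs to surface look-alike hostnames that the browser display rules let through.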

A way to dodge punycode phishing

Firefox allows you to show the raw Punycode instead of the decoded characters, which is the easiest way, but it will also make normal IDN websites look a little off. Here's how to enable it:

  1. Type about:config into the address bar (accept the warning if it shows up)
  2. Search for "puny"
  3. Set the value "network.IDN_show_punycode" to true
  4. Done.

Now the previous website's URL will look like this: https://www.xn--80ak6aa92e.com/ instead of apple.com.

I'm not sure about Chrome, but there's probably a way for it too; you'll have to look for it yourself.

For the initial article and further reading (which is also linked on the testing domain), go here.
