Pixel Envy

Written by Nick Heer.

Phishing With Unicode Domains

Xudong Zheng:

Punycode makes it possible to register domains with foreign characters. It works by converting individual domain labels to an alternative format using only ASCII characters. For example, the domain “xn--s7y.co” is equivalent to “短.co”.

From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.

Unlike Chrome and Firefox, Safari displays the punycode version of domains that use characters from the extended Unicode set — that is, instead of displaying “аррӏе.com”, it shows “xn--80ak6aa92e.com”. However, this is arguably problematic for domains that legitimately use homographic characters. The Cyrillic alphabet is full of characters that look identical to Latin letters.

Chromium fixed this bug by checking whether the entire domain is a Latin lookalike and uses a TLD like .com, .net, or .org.
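A simplified sketch of that kind of check, added here as an example and not Chromium's or Safari's actual code. The lookalike table is a small constructed subset, the function names are hypothetical, the mixed-script rule is an extra conservative assumption, and the hostname is assumed to arrive in its ASCII ("xn--") form:

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters
# (an assumption for this sketch, not any browser's real table).
LATIN_LOOKALIKE_CYRILLIC = set(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443"  # a c e o p x y lookalikes
    "\u0456\u0458\u0455\u04cf\u0501\u04bb"        # i j s l d h lookalikes
)
ASCII_NON_LETTERS = set("0123456789-")

def decode_label(label):
    """Turn an 'xn--' label into Unicode; pass plain ASCII labels through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def is_latin_lookalike(label):
    """True when every letter in the label is a Cyrillic Latin-lookalike."""
    letters = [c for c in label if c not in ASCII_NON_LETTERS]
    return bool(letters) and all(c in LATIN_LOOKALIKE_CYRILLIC for c in letters)

def mixes_latin_and_cyrillic(label):
    """True when one label contains both Latin and Cyrillic letters."""
    scripts = {unicodedata.name(c, "").split()[0] for c in label if c.isalpha()}
    return {"LATIN", "CYRILLIC"} <= scripts

def display_form(hostname):
    """Return the string an address bar should show for an ASCII-form hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    decoded = [decode_label(label) for label in labels]
    tld_is_ascii = decoded[-1].isascii()  # .com, .net, .org and similar
    for label in decoded[:-1]:
        # Whole-label lookalike on an ASCII TLD: keep the punycode form.
        if tld_is_ascii and is_latin_lookalike(label):
            return ".".join(labels)
        # Extra rule in this sketch: a Latin/Cyrillic mix is also suspicious.
        if mixes_latin_and_cyrillic(label):
            return ".".join(labels)
    return ".".join(decoded)

if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "xn--pple-43d.com", "xn--s7y.co"):
        print(host, "->", display_form(host))
```

A label such as "xn--80ak6aa92e" stays in punycode on .com but is shown in Unicode under a Cyrillic TLD, because the lookalike rule only fires when the TLD is ASCII.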

Update: My description above is inaccurate. Safari has a security check in place to prevent fraudulent non-Latin Unicode domains from displaying; punycode won’t display when the domain is valid and legitimate on a TLD belonging to a Cyrillic-language country. Thank you to a reader for the correction.