
Phishing attacks using Punycode/IDN

March 31, 2023 / By Securium Solutions

Internationalized Domain Names (IDN) enable domain names to be written in local or regional languages (non-Latin scripts) such as Devanagari, Chinese, and Arabic. Since DNS does not understand non-ASCII characters, the Punycode algorithm is used to encode those regional or local alphabet characters into an ASCII-compatible form, which makes registering IDN domains possible.

This well-intended functionality has a drawback. Punycode-encoded characters can be chosen to look exactly like ordinary English letters and be visually identical to the human eye. This can be used to phish unaware users into clicking links that appear to point to a genuine website but instead open a different, malicious one.

Are these two the same?

  • o
  • ο

Both visually seem to be the same, but the first one is the Latin letter while the other is its look-alike from the Greek alphabet.

Entering the second as “http://o” in the web browser opens “http://xn--0xa”.

Again, can you guess which is the genuine one?

Both look the same, yet only the second link is genuine. The first link converts to “http://xn--gogle-rce.com”, which luckily does not exist (for now) but could be used to fool unaware users into believing they are on the legitimate website.

A single Punycode-encoded character is enough for the whole domain to be treated as an IDN. This makes it much easier for an attacker to obtain visually similar domain names. In fact, the Google example above contains only one character of non-Latin origin, and that alone makes it an IDN.

Ever tried opening “गूगल.com”? It converts to “xn--31ba5fwc.com”, which when opened redirects a couple of times and finally lands on random but seemingly legitimate websites, somewhat like a web version of adware. When checking it, IndianExpress was the first website that opened, but afterwards it was only betting sites. Since it is not at all practical for normal users to type either “गूगल.com” or “xn--31ba5fwc.com”, it is more likely that the link is somehow spread to unaware users.

Mitigations

As a defence against such links spreading widely, many social networks and popular websites display the Punycode form of IDN links shared in posts or messages.

Some websites implement a confirmation pop-up that shows the Punycode version of the link when a user clicks an external link.
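The conversions used in the examples above (“ο” to “xn--0xa”, “गूगल.com” to “xn--31ba5fwc.com”) and the mitigation just described (showing the Punycode form of an IDN link) can both be reproduced with a short script. The following is an added example, not code from the original post or from Securium Solutions; it relies on Python's built-in “idna” codec (IDNA 2003 rules) and uses the first word of each character's Unicode name as a rough script indicator, which is a heuristic, not a full confusables check. Decoding “xn--0xa” with the codec yields U+03BF, the Greek small letter omicron, and decoding “xn--gogle-rce.com” yields “google.com” with that omicron in the second position. The helper names and the sample URLs are assumptions constructed for this example.

```python
"""Added example: decode Punycode (xn--) hosts and flag look-alike IDN labels.

Uses Python's built-in "idna" codec (IDNA 2003) and unicodedata. The sample
URLs at the bottom are constructed test inputs mirroring the post's examples.
"""
import unicodedata
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL ('' if absent)."""
    return (urlsplit(url).hostname or "").lower()


def to_ascii(host: str) -> str:
    """Host in either form -> A-label (xn--) form, i.e. what DNS actually sees."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Host in either form -> displayable Unicode (U-label) form."""
    # encode first so that both Unicode and xn-- inputs are accepted
    return host.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Approximate script from the Unicode name's first word
    (LATIN, GREEK, CYRILLIC, DEVANAGARI, ...). Heuristic only."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_host(host: str) -> dict:
    """Classify a host: is it an IDN, and does any label mix scripts?

    The 'display' field is what a defender-side UI (social network, link
    confirmation pop-up) should show the user: the xn-- form whenever the
    host is an IDN, so look-alike letters cannot hide behind the rendering.
    """
    ascii_form = to_ascii(host)
    unicode_form = to_unicode(host)
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    mixed = []
    for label in unicode_form.split("."):
        # letters and every non-ASCII char (incl. combining vowel signs) count;
        # ASCII digits and hyphens do not belong to a script
        scripts = {script_of(c) for c in label if c.isalpha() or not c.isascii()}
        if len(scripts) > 1:
            mixed.append(label)
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "is_idn": is_idn,
        "mixed_script_labels": mixed,
        "display": ascii_form if is_idn else unicode_form,
    }


def analyze_url(url: str) -> dict:
    """Convenience wrapper: analyze the host of a full URL."""
    return analyze_host(host_of(url))


if __name__ == "__main__":
    # constructed inputs: Greek omicron alone, omicron inside "google",
    # the Devanagari example in its xn-- form, and a plain ASCII host
    for url in ("http://\u03bf", "http://g\u03bfogle.com",
                "http://xn--31ba5fwc.com/path", "https://google.com"):
        r = analyze_url(url)
        print(f"{url!r}: show={r['display']!r} idn={r['is_idn']} "
              f"mixed={r['mixed_script_labels']}")
```

Running the script prints “xn--gogle-rce.com” as the display form for the omicron variant and marks its first label as mixed-script, while the pure-Devanagari host is an IDN but not mixed, which is exactly the distinction a link-confirmation pop-up needs to make.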

Author

Karan Sachdeva

Cyber Security Intern
