Keep your eyes peeled for PUNYCODE attacks! - ERMES Intelligent Web Protection

You have often been warned to mind the links you click. So here is a test: would you click on www.ɑƿƿle.com?

You had better not. That link will not take you to Apple's website: it could take you somewhere else entirely, and somewhere much riskier for the security of your device. In the following we explain why, and what you should do to stay safe from Punycode attacks!

DNS and ASCII

The Domain Name System (DNS) is a fundamental pillar of the Internet. It translates the domain names and hostnames found in web links (strings) into the IP addresses (e.g., 192.168.1.1) that Internet nodes ultimately use to send and receive our messages. For instance, the IP address associated with www.ermes.company is 52.48.240.30 at the time of writing.

Hostnames in the DNS are traditionally restricted to a small subset of ASCII: the letters of the Latin alphabet (upper and lower case, compared case-insensitively), the digits 0 to 9 and the hyphen ('-'), with the dot ('.') separating labels. The whole English dictionary can be written with these characters, but this does not hold for other languages. Arabic, Chinese and Cyrillic use entirely different scripts, and languages that rely on diacritics or ligatures, such as Italian and French, cannot be represented correctly in ASCII either.

Here comes Punycode, an encoding (RFC 3492) that turns a label containing arbitrary Unicode characters into a string made only of ASCII letters, digits and hyphens. Internationalized Domain Names (IDNA) prefix that string with "xn--" so that registries and resolvers can treat it like any other label: the special characters are converted into a sequence the DNS can chew on.

Unfortunately, Punycode is also widely abused by malicious actors to build phishing attacks. In this article we explain how, and what users can do to avoid them.

The threat behind Punycode

The rationale behind Punycode attacks builds on a simple observation: some strings are indistinguishable to the naked eye, especially when presented in a browser's address bar or in an email, and similarities between characters belonging to different alphabets can be exploited to fool the reader. Latin letters used in modern languages look very much like characters in Greek, Cyrillic and other alphabets, and even within the Latin script a letter carrying a diacritic can pass for the plain one. For instance, offıce.com (with a dotless i, U+0131) is hard to distinguish from the domain of Microsoft's Office suite, and googlẹ.com (with an e carrying a dot below, U+1EB9) is easily confused with the popular search engine portal. On the wire these two names become xn--offce-p4a.com and xn--googl-r51b.com respectively, which is their Punycode (IDNA) encoding.

Here is how the attack works: the attacker picks a popular domain, substitutes one or more characters with lookalikes from a different alphabet, converts the modified name into its Punycode form and registers the resulting domain with a registrar, so that it resolves on the public DNS. The attacker then builds a website that closely mimics the legitimate one, tailored to steal your credentials, distribute malware or defraud advertising platforms. This technique is known as an IDN homograph attack.
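The encoding step described in the last two paragraphs can be reproduced with nothing but Python's standard library. The block below is an added example, not code from the ERMES article: it converts the lookalike domains discussed on this page between their Unicode form and the "xn--" form that actually travels through the DNS, shows the raw Punycode underneath the IDNA layer, and lists the Unicode names of the non-ASCII characters so the substitution becomes visible. The list of sample domains (including the Cyrillic spelling of "apple") is constructed from the examples on this page.

```python
from __future__ import annotations

import unicodedata


def to_ascii(domain: str) -> str:
    """Unicode (U-label) domain -> ASCII (A-label) domain.

    Python's "idna" codec (IDNA2003) applies nameprep to each label (case
    folding, NFKC normalization), Punycode-encodes any label that is still
    not pure ASCII and prefixes it with "xn--", the ACE prefix. Labels that
    are already ASCII pass through untouched.
    """
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """ASCII (A-label) domain -> Unicode (U-label) domain. Labels without the
    "xn--" prefix are returned unchanged."""
    return domain.encode("ascii").decode("idna")


def punycode_label(label: str) -> str:
    """Raw RFC 3492 Punycode of a single label, without nameprep and without
    the "xn--" prefix: this is the string the IDNA layer wraps."""
    return label.encode("punycode").decode("ascii")


def idn_labels(domain: str) -> list[str]:
    """Labels of `domain` containing non-ASCII characters, i.e. the ones that
    will be represented with Punycode on the wire."""
    return [lbl for lbl in domain.split(".") if not lbl.isascii()]


def describe(text: str) -> list[str]:
    """Code point and Unicode name of every non-ASCII character, so that a
    lookalike such as a dotless i or a Cyrillic letter can be identified."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '<unnamed>')}"
            for c in text if not c.isascii()]


# Constructed sample input: the lookalike domains discussed in the article.
# "apple" in Cyrillic is U+0430 U+0440 U+0440 U+04CF U+0435.
SAMPLES = [
    "www.ɑƿƿle.com",                        # Latin alpha + two wynn letters
    "offıce.com",                           # U+0131 dotless i
    "googlẹ.com",                           # U+1EB9 e with dot below
    "\u0430\u0440\u0440\u04cf\u0435.com",  # all-Cyrillic "apple"
    "buonomobilità.it",                     # accented a (the Italian case)
    "www.apple.com",                        # plain ASCII, for comparison
]

if __name__ == "__main__":
    for name in SAMPLES:
        ascii_form = to_ascii(name)
        print(f"{name:28} -> {ascii_form:30} IDN labels: {idn_labels(name)}")
        for line in describe(name):
            print("     ", line)
        print("      round trip:", to_unicode(ascii_form) == name)
```

Two details worth noticing when you run it: the "xn--" prefix is added by the IDNA layer, not by Punycode itself (compare punycode_label("offıce") with to_ascii("offıce.com")), and a domain that is pure ASCII is never touched, which is why a lookalike made only of ASCII characters does not show up as an IDN at all.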


Example of a Punycode-encoded domain name in Firefox 83.0: "apple" is written entirely with Cyrillic characters (аррӏе, with a Cyrillic palochka standing in for the l) and its Punycode encoding is xn--80ak6aa92e.com!

Emoji can also be Punycode-encoded. In this case the attack can be even more effective, since an ordinary user may assume that the emoji is not part of the domain name (e.g., an emoji placed in front of intesasanpaolo.com). Whether such a name can actually be registered depends on the registry: IDNA2008 does not allow emoji and most TLDs reject them, but some country-code TLDs do accept them.

This deception method is widespread, and attackers kept using it during the pandemic. For instance, a recent attack exploited the COVID-19 dashboard hosted on the website of the Federazione Ordini Farmacisti Italiani (the federation of Italian pharmacists' orders): attackers impersonated the site to spread ransomware, registering fofl.it, which is very similar to the legitimate fofi.it (see this article for a complete explanation). Note that this case needs no Punycode at all: a lowercase L standing in for an i is plain ASCII, and the same visual trick applies.

Similarly, in another recent case the attackers targeted an initiative promoted by the Italian Government, "Buono Mobilità": the malicious site buonomobilità.it (note the accented à, which makes it an internationalized domain) was registered to impersonate the legitimate buonomobilita.it and hijack its traffic and users, as explained here.

Targeted devices

This type of attack affects every kind of device that can browse the Web, but it becomes even more effective on devices with small screens, such as smartphones. On a small screen it is even harder for the human eye to spot the lookalike characters in a URL. Furthermore, many apps and browsers hide the address bar as soon as the user scrolls down, to maximize the viewport. Finally, touch screens have no mouse-over, so the destination of a link cannot be previewed the way it can in desktop clients.

How can you avoid being deceived?

Homograph-based phishing attacks are very effective and, if not properly addressed, can cause severe harm to users and businesses.

In general, the mitigation adopted by clients amounts to showing the Punycode-encoded form of the domain in the address bar when a name looks suspicious, for example when a label mixes characters from different scripts. However, this feature is not always provided, and its heuristics do not catch every lookalike: a name written entirely in a single foreign script, like the Cyrillic "apple" in the Firefox screenshot above, is still rendered in Unicode.


Example of the mouse-over Punycode decoding provided by Microsoft Teams.

Here are some simple tips and best practices that you can easily put into practice to reduce the risk.

1. Mind your clicks! If you do not know or trust the source of a link (e.g., the email sender or a rogue website), the best choice is NOT to click. Many malicious websites try to rush you with timed offers or unbeatable deals. In that case, take your time and visit the original website to check whether the offer actually exists.

2. Check whether Punycode encoding is used. You can do this in three simple ways. First, copy and paste the URL into an online Punycode converter: the free service shows the Punycode-encoded form next to the rendered one, so any non-ASCII character stands out as an "xn--" label. Second, hover over the link and check whether the URL shown in the bottom-left corner of the browser or mail client differs from the link text. Third, if the domain you intend to visit or the page itself looks odd or different from what you expect, retype the domain in the address bar character by character and press Enter: if you land on a different page, you have found a lookalike!

3. Keep your clients up to date. Protection is only as good as the latest security patches. If your client allows it, enable the option that forces the Punycode form of domains to be shown in the address bar. In Firefox, set network.IDN_show_punycode to true under about:config (see figure below): the address bar will then show xn--80ak6aa92e.com instead of the Cyrillic "apple".


How to configure Firefox to show the Punycode form of domain names in the address bar.
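A local version of the checks in tips 2 and 3, as an added example that is not part of the original article or of any Ermes product: it decodes Punycode where present, flags labels that mix scripts (a simplified form of the heuristic browsers apply), and reduces each label to the ASCII "skeleton" a reader perceives, then compares that skeleton with a watchlist of domains worth protecting. The watchlist, the small hand-written confusable map and the sample domains (the article's lookalikes plus a mixed-script "paypal" with a Cyrillic а) are constructed assumptions for the example; a real deployment would load the Unicode confusables.txt table instead of the hand-written map.

```python
import unicodedata

# Constructed watchlist of domains to protect (an assumption for this example).
WATCHLIST = {"apple.com", "google.com", "office.com",
             "intesasanpaolo.com", "buonomobilita.it"}

# Hand-built confusable map (lookalike -> ASCII), deliberately small. It is not
# the Unicode confusables.txt table; a real deployment should load that instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA (the "l" of the Cyrillic apple)
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA (the "a" of www.ɑƿƿle.com)
    "\u01bf": "p",  # LATIN LETTER WYNN (the "p" of www.ɑƿƿle.com)
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the "i" of offıce.com)
}

# Script families, taken from the first word of the Unicode character name.
SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "CJK", "HIRAGANA", "KATAKANA", "HANGUL", "THAI"}


def script_of(ch: str) -> str:
    """Coarse script of one character. ASCII letters are LATIN; ASCII digits
    and the hyphen are COMMON (legal in any label); unknown scripts are OTHER."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in SCRIPTS else "OTHER"


def is_mixed_script(label: str) -> bool:
    """True when a single label mixes letters of different scripts, e.g. a
    Latin "p" next to a Cyrillic "а". A label written entirely in one script
    (the all-Cyrillic apple) is not caught here; skeleton() covers that case."""
    return len({script_of(c) for c in label} - {"COMMON"}) > 1


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII string a reader perceives: decompose with
    NFKD and drop combining marks (ẹ -> e, à -> a), then map known lookalikes."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.category(ch) == "Mn":
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def _strip_www(domain: str) -> str:
    return domain[4:] if domain.startswith("www.") else domain


def analyze(domain: str) -> dict:
    """Decode Punycode if present, then report whether the name uses IDN,
    which labels mix scripts, and which watchlist domain it visually
    impersonates (None when it is the genuine name or matches nothing)."""
    domain = domain.strip().rstrip(".").lower()
    try:
        unicode_form = (domain.encode("ascii").decode("idna")
                        if domain.isascii() else domain)
        ascii_form = unicode_form.encode("idna").decode("ascii")
    except UnicodeError as exc:  # malformed Punycode or prohibited characters
        return {"input": domain, "error": str(exc), "suspicious": True}
    labels = unicode_form.split(".")
    mixed = [lbl for lbl in labels if is_mixed_script(lbl)]
    target = _strip_www(".".join(skeleton(lbl) for lbl in labels))
    impersonates = (target if target in WATCHLIST
                    and target != _strip_www(unicode_form) else None)
    return {
        "input": domain,
        "unicode": unicode_form,
        "ascii": ascii_form,
        "is_idn": unicode_form != ascii_form,
        "mixed_script_labels": mixed,
        "impersonates": impersonates,
        "suspicious": bool(mixed) or impersonates is not None,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the article's lookalikes, a mixed-script
    # "paypal" with a Cyrillic а, and the genuine apple.com as a control.
    for name in ["xn--80ak6aa92e.com", "www.ɑƿƿle.com", "offıce.com",
                 "googlẹ.com", "buonomobilità.it", "p\u0430ypal.com",
                 "www.apple.com"]:
        print(analyze(name))
```

The two checks are deliberately complementary: the mixed-script rule is cheap and needs no brand list, but it is blind to whole-script lookalikes such as the Cyrillic apple, which only the skeleton comparison catches; conversely the skeleton comparison catches only domains you have put on the watchlist. A pure-ASCII lookalike such as fofl.it passes both, which is why the first tip (do not click what you do not trust) still matters.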

Finally, there is a simpler way to stay protected from Punycode-based homograph attacks, and from phishing websites in general: choose Ermes products! Leveraging AI, they detect whether the domain you are about to visit is fishy and correct it automatically in real time, for a safer browsing experience.