It seems more and more common that cybernetic attackers now target the “human factor” to gain entry into companies. This means that they often use phishing as their main attack method. Phishing is a method of deceiving the victim into giving out sensitive information by pretending to be something/someone they are not, and tricking the victim into clicking on an unsafe link. One of the more sophisticated methods of this kind of attack is called “punycode.” It is a specific method from the homograph family of attacks.
What is it, how does it work, and what should you be careful of?
1. What exactly is Punycode?
Punycode is a way to convert strings of characters from Unicode to ASCII and vice versa, most often in the domain name. ASCII is the most commonly used character set in computer science, which is based primarily on the English alphabet. Punycode then allows malicious actors to convert specific characters, which are normally not there, into ASCII. Examples include letters derived from Greek or Hebrew.
This is because Unicode has an incomparably larger number of characters and letters than ASCII. In addition to the variety of languages it contains, it can even write numerous emojis which increase every day across the internet. Although punycode sounds at first like a useful tool for searching on the global internet, it is often misused for cyber-attacks.
2. How does homograph attack work?
As with other homograph attacks, Punycode is used to force the victim to click on a URL link that looks seemingly legitimate, but is in fact a trap. It operates on the apparent similarity of characters not used in ASCII with classic letters. Because of this, an attacker can establish a domain that is almost identical to the official one. If the victim is not careful, it is easy to get confused and believe that the link leads to an official site, like internet banking or social networks.
3. Why is it so hard to detect this kind of fraud?
What does a given URL look like and how come we can so easily confuse it? It can be written, for example, in Cyrillic, i.e., with different characters, which at first glance look very similar to the symbols we use.
Look at these simple examples:
(service -> legit domain -> fake domain)
- Microsoft -> microsoft.com -> mìcrosoft[.]com
- Paypal -> paypal.com -> paypaḷ[.]com
- Coinbase -> coinbase.com -> ćoinbase[.]name
- Blockchain -> blockchain.com -> blóckchäin[.]com
- Twitter -> twitter.com -> twittër[.]com
- Rolex ➡ rołex.com.
4. How can you defend yourself from homograph attacks?
Protection depends primarily on the caution of individual users. Always watch out for e-mails that want you to do something fast. Always check the links carefully to see if there is a slightly different letter in it (see the examples above, i.e., paypaḷ). If you have received an e-mail with a suspicious offer from a company, you should first check their official website to see if there is any information there about a similar offer. The easiest protection is not to click on the link at all, because it is usually fake.
Punycode can also be used to create a fake corporate email. If your management writes to you that he or she wants to send a certain amount of money to some account, carefully look at his email address if there are any flaws to be found. Or just copy it to the address book if it has a match in it. If there is a different but similar letter, the address book will see the difference.
We have an extensive database of malicious domains at Whalebone. That database reveals with precision if that is a secure link or not. And if it’s the latter, then it does not allow the end user to enter the potentially risky page, thus preventing the associated risks.