Today we will talk about a type of phishing that is almost impossible to detect: the so-called punycode attack or homograph attack. In these attacks, hackers use URLs that look identical to those of legitimate pages (the differences, if any, are not perceptible to the human eye).

To further understand a punycode attack, we will explain the differences between IDNs and DNS:

IDNs or International Domain Names:
- Set of Unicode characters: Unicode characters include accents, symbols and other special characters.
- Non-Latin alphabets: Greek, Armenian, Cyrillic or Chinese are some examples.

DNS or Domain Name System:
- More limited set of characters: ASCII characters: 0-9, A-Z and hyphen (-).
- Latin alphabet.

The punycode method was created so that languages with a wider set of characters could also use the DNS. Punycode is an encoding method that converts the Unicode characters used by IDNs into ASCII characters. Why is that? Because ASCII characters are the only set of characters recognized by DNS. In other words, the punycode method replaces the Unicode characters with ASCII characters.

The problem arises with those characters that are identical or almost identical to one another:

For example, the Latin letter “e” looks identical to a different letter of the Cyrillic alphabet. In other cases, characters are not 100% identical, but the differences between them are imperceptible to the human eye.

Hackers, aware of this, take advantage of these “coincidences” and replace ASCII characters with look-alike Unicode characters, knowing that the victim will not notice the deception.

However, the chances of a user accidentally typing Unicode characters in place of ASCII characters are very low. Therefore, the model followed in typosquatting attacks is not valid in this case. Consequently, in most cases, the vehicle used to deceive the victims is email (hence, punycode attacks are considered a type of phishing). The hacker, then, sends emails to users with links in which ASCII and Unicode characters have been mixed. The goal of all this is to redirect victims to malicious sites.

Let's see an example:

ASCII characters: waitrose.com
Unicode characters: waıtrose.com

In an email with a lot of text, it is not easy to spot that the dot over the “i” is missing in the second case, and we will click on the link without realizing that we are being redirected to a malicious site.

As a measure of protection, or at least as a warning, many web browsers display the domain in its punycode form, with the prefix “xn--”, to indicate that the domain uses the punycode method to represent Unicode characters, but not all web browsers do so.
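As an added example (not part of the original post), the following Python script shows what a mail gateway or link checker could do with links like the ones above: convert each domain to the punycode (xn--) form that DNS actually resolves, using Python's built-in idna codec, and flag any label that mixes scripts or mixes ASCII with non-ASCII letters. The sample domains are constructed for illustration.

```python
import unicodedata

# Constructed sample domains, as they might appear in a phishing email
# (illustrative values, not data from the post).
SAMPLE_DOMAINS = [
    "waitrose.com",         # plain ASCII: the legitimate spelling
    "wa\u0131trose.com",    # Latin dotless i (U+0131) in place of "i"
    "wh\u0430tsapp.com",    # Cyrillic "а" (U+0430) in place of Latin "a"
    "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",  # all Cyrillic: a normal IDN, not a homograph
]


def to_punycode(domain: str) -> str:
    """Return the ASCII form DNS resolves; Unicode labels become xn-- labels."""
    return domain.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Crude script name: the first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_label(label: str) -> dict:
    """Flag a label that mixes scripts, or mixes ASCII and non-ASCII letters."""
    letters = [c for c in label if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    has_ascii = any(c.isascii() for c in letters)
    has_non_ascii = any(not c.isascii() for c in letters)
    suspicious = len(scripts) > 1 or (has_ascii and has_non_ascii)
    return {"label": label, "scripts": scripts, "suspicious": suspicious}


def homograph_report(domain: str) -> dict:
    """Report the punycode form and a suspicion flag for a whole domain."""
    labels = [analyze_label(part) for part in domain.split(".")]
    return {
        "display": domain,
        "punycode": to_punycode(domain),
        "suspicious": any(lab["suspicious"] for lab in labels),
        "labels": labels,
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = homograph_report(d)
        print(f"{r['display']:22} -> {r['punycode']:26} suspicious={r['suspicious']}")
```

The fully Cyrillic domain is not flagged: a single non-Latin script is a normal IDN, while a single label mixing scripts is the pattern the post describes.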

Currently, the only solution on the market capable of guaranteeing protection against this type of attack is RITech. Thanks to its isolation capability, RITech allows users to click on any link and view the content in an isolated mode. Consequently, no link or malicious content can infect users' devices and, therefore, reach the corporate network.

If you want to know this and other benefits of RITech in detail, get in touch with us. A team of professionals will explain to you how RITech can help you protect your business.
