External Threat Management Labs

The Not-so-puny Problem with Punycode Domain Infringement

In the realm of external threats, domain infringement and phishing currently reign supreme for scale. Domain squatting, which registers similarly spelled domains to catch Internet users who mistype a website address in their browser, is a go-to technique for threat actors launching these campaigns or looking to lend their links legitimacy. But while end users slowly come around to the idea of checking the validity of domains they type or click on, a newer twist on the old formula can put even cautious users at risk: Punycode.

Punycode, an encoding that represents Unicode characters within ASCII-only hostnames, was introduced so that the DNS could support non-English languages in their native scripts. However, like most things, it had unintended consequences once threat actors realized these non-English characters could be exploited in their domain squatting operations to better disguise fraudulent URLs as legitimate ones.

Via Unicode characters that look like certain English letters, these threat actors can register domains that appear completely unique in their ASCII form but, once decoded, bear a striking similarity to existing brand names. For example, take "gole-w0b41a". By itself, this string seems incomprehensible. Placed in a domain name as the Punycode label hxxp://xn--gole-w0b41a(.)com/, however, the result is a bit different: it decodes to goȯɡle(.)com, where the third and fourth characters are U+022F (ȯ) and U+0261 (ɡ) rather than the Latin letters o and g.

Look familiar?

The following snapshot from a RiskIQ crawl shows the page is indeed impersonating Google, including a link for visitors to "sign in":

For end-users, this new threat means more headache and uncertainty. Luckily, businesses can take measures to protect their customers by employing solutions that identify Punycode threats.

Take the Fight to Domain Infringement

For domain infringement, RiskIQ searches WHOIS registrations and DNS data to identify third-party owned domains and subdomains containing exact matches or close spelling variants to branded terms. Our proprietary discovery technology automatically maps out all of an organization’s legitimate websites and infrastructure. That information is then used to intelligently distinguish between company-owned domains and infringing domains and subdomains.

RiskIQ transforms any Punycode encountered to Unicode and runs domain similarity classification against it for brand names to match and identify infringement based on what the user would see. If it’s a phishing page, any DOM that we capture will be run through our phish machine-learning models, so obfuscation in the domain is not a barrier. As you can see below, a fake page harvesting credentials would have nowhere to hide:

Any URL can lead to websites hosting phishing pages, scams, counterfeit goods, or malware, so it is important to understand which domains, subdomains and actual websites use branded terms and look-alike terms to target your organization.
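To make the decode-and-classify step concrete, here is an added example (not RiskIQ's code) that reproduces the page's goȯɡle case: it decodes each xn-- label with Python's standard punycode codec, reduces the result to the ASCII shape a user perceives, and compares that shape against a brand list. The CONFUSABLES table is a small constructed subset of look-alikes, not Unicode's full confusables.txt.

```python
import unicodedata

# Small constructed look-alike table (a few entries, not Unicode's full
# confusables.txt); a production classifier would load that file instead.
CONFUSABLES = {
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G (used in the page's example)
    "\u03bf": "o",  # ο GREEK SMALL LETTER OMICRON
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

def decode_label(label):
    """Turn one DNS label from its ASCII (A-label) form into Unicode.
    Labels that are not Punycode, or that fail to decode, come back unchanged."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label

def skeleton(text):
    """Reduce a decoded label to the ASCII shape a user perceives: NFKD strips
    diacritics (U+022F becomes o + combining dot), then look-alikes are mapped."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in base).lower()

def classify_domain(domain, brands):
    """Decode every label, then flag non-ASCII labels whose perceived shape
    equals or contains a branded term. Returns (decoded_domain, hits)."""
    labels = [decode_label(part) for part in domain.split(".")]
    hits = []
    for lab in labels:
        if lab.isascii():
            continue  # plain ASCII typo-squats are a separate, simpler check
        shape = skeleton(lab)
        for brand in brands:
            if shape == brand.lower():
                hits.append((lab, brand, "homoglyph-exact"))
            elif brand.lower() in shape:
                hits.append((lab, brand, "homoglyph-contains"))
    return ".".join(labels), hits

if __name__ == "__main__":
    # The page's example domain, shown defanged in the text as xn--gole-w0b41a(.)com
    print(classify_domain("xn--gole-w0b41a.com", ["google"]))
```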

To get started with RiskIQ, sign up for our Community edition today.
