Bitcoin Forum


Title: Punycode and how to protect yourself from Spoofed URLs and fake websites.
Post by: wwzsocki on September 13, 2019, 12:23:57 AM
UPDATED 4.12.2023


Punycode is a system for converting words that can't be written in ASCII (American Standard Code for Information Interchange) into ASCII characters. For example, the Ancient Greek phrase ΓNΩΘIΣEAYTON, once converted into ASCII characters, looks like this: xn--mxadglfwep7amk6b. This conversion system allows International Domain Names (IDNs), which include non-ASCII characters, to be displayed using only the Roman letters A to Z, the digits 0 to 9 and the hyphen (-) character.

Punycode is useful because the worldwide Domain Name System (DNS), which turns readable server names into computer-friendly network numbers, can only recognize a limited subset of ASCII characters in domain names. Some of the letters in the Roman alphabet are the same shape as letters in the Greek and other alphabets. Examples are the letters I, E, A, Y, T, O, and N.

https://talkimg.com/images/2023/11/21/FLUZm.png

A malicious site can imitate a legitimate URL and display it, which leaves us with very few ways to tell if we are being tricked by an impostor. Attackers who trick people into loading the fake page can easily obtain personal information because the site is an exact copy of the original one.

Many years ago, the Internet Corporation for Assigned Names and Numbers (ICANN) allowed non-ASCII (Unicode) characters to be included in web domains. It didn't take long for them to realize that this decision was going to cause problems. Certain Unicode characters from different languages can be confused with one another since they look the same when displayed in a browser. Cybercriminals use this as a tool to spoof URLs and target unsuspecting victims.

https://talkimg.com/images/2023/11/21/FLa3W.png

To counteract the issue, ICANN developed Punycode as a way of specifying actual domain registrations by representing Unicode within the limited character subset of ASCII used for internet hostnames. The idea was that browsers would first read the Punycode URL and then transform it into displayable Unicode characters inside the browser.

However, just like with Unicode, Punycode could also hide phishing attempts, using characters found in different languages. To combat this, Web browser vendors introduced add-on filters to render URLs as Punycode, instead of Unicode, if they contained characters from different languages.

Punycode Problems

By default, many web browsers use Punycode encoding to represent Unicode characters in the URL to defend against Homograph phishing attacks (where the website address looks legitimate, but is not, because a character or characters have been replaced deceptively with Unicode characters).

For example, the Chinese domain "短.co" is represented in Punycode as "xn--s7y.co", and the German city of "München" becomes "xn--mnchen-3ya" in Punycode because the letter ü is not available in English. There are quite a few Unicode characters in alphabets such as Greek, Cyrillic, and Armenian which look almost identical to Latin letters at a glance but are treated very differently by computers when resolving the different web addresses.

Homograph attacks are extremely difficult to detect because of the way they are deployed. Some of the steps below will also protect you from other types of online attacks.

Example of Punycode Phishing (Homograph) attack:

The most tricky phishing website I've heard of was this one. It looks like Binance.com but there is no "n". This is a strange n with a dot at the bottom.

https://talkimg.com/images/2023/11/21/FLXBJ.png
source (https://steemit.com/binance/@sriz/binance-phishing-alert)
How to deal with such a phishing address? Those dots are almost unnoticeable.

Another great example of Punycode Homograph Phishing attack. This time Poloniex exchange is targeted. Just look at how similar it looks compared to the original page.

https://talkimg.com/images/2023/11/21/FLudC.png

The difference between the original page and the malicious one is that the hacker misspelled the phrase "Sign in" as "Sing in" a couple of times.

Also different in this attack is that the SSL certificate is shown as valid:

https://talkimg.com/images/2023/11/21/FLwzb.png

Not all browsers are vulnerable

Of all the browsers tested, three rendered the page using Unicode characters, as appӏe.com. These are Chrome, Firefox, and Opera.

https://talkimg.com/images/2023/11/21/FLAhv.png

Other browsers, such as Edge, Internet Explorer, Safari, Vivaldi, and Brave, did not render the page using Unicode characters and displayed the Punycode URL. There's a filter that checks if the Punycode URL is in the same character set as the user's default OS settings.

https://talkimg.com/images/2023/11/21/FLHlH.png

Google has already fixed this issue in Chrome Stable 58.

Preventing Homograph Phishing Attacks in Firefox

Firefox users can complete the following steps to manually apply temporary protection against Punycode Phishing (Homograph) attacks:

  • Open a new tab in Firefox
  • Type about:config in address bar and press Enter.
  • Click the I accept the risk! button.
  • Type Punycode in the search bar.
  • A Preference Name titled IDN_show_punycode will be displayed. Right-click it and select Toggle to change the Value field from False to True.
  • Close the about:config tab.

  • Set Firefox to display Punycode names. See the steps above for changing the about:config settings in Firefox.
  • Click on the padlock to display the HTTPS certificate. This will show the domain name that the certificate was issued for in ASCII-only format. If the name starts with xn it is a Punycode domain, no matter what it looks like in the address bar.
  • Check the legitimacy of URLs by copying them out of the web browser and pasting them into a text editor. A spoofed URL only appears legitimate, but it actually uses an address beginning with www.xn-- which will be revealed for what it actually is once taken outside the browser's address bar.
  • Use a Password Manager. The software will automatically enter in your login credentials for the actual domains they are linked to,
  • Always manually type website URLs in the address bar for important sites like Gmail or banking websites, instead of clicking any link from a website or email.

Suspected Facebook phishing website, another Punycode Homograph Phishing attack.

https://talkimg.com/images/2023/11/21/FLZmg.png

This time it is much easier to see that something is wrong with these Facebook pages, even for an untrained eye, because both of the SSL certificates are bad and displayed in red.

https://talkimg.com/images/2023/11/21/FLnVI.png

I hope that all these examples will help to identify Punycode phishing attacks. One has to check everything three times to be safe online today, there are no shortcuts. This is very scary and I already have been on such malicious websites, only thanks to my password manager and other tools I was able to identify them soon enough but to be honest nobody is safe. I see hackers getting better and more greedy every day.

Look at the list I gathered of already known Punycode websites; for sure this is only a small percentage of what exists already. We have to imagine that every day hundreds of new phishing websites are created, and we have to do all that is possible to protect ourselves.

...Check the 7 Ways to avoid a Punycode attack

  • Be cautious if the site presses you to do something quickly. This is a classic strategy by hackers to rush their potential victims so that they are less likely to notice anything suspicious. Often they will offer a ‘limited time only’ deal, and make it difficult to exit the page with ‘are you sure you want to exit’ pop-ups: these are all tactics to make you stay on their site longer and give them your details.
  • If you are being offered a deal, go to the original company site and check if it’s available there as well. If not, it’s most likely a scam doing its best to mimic the established brand and trick visitors into handing over their details.
  • If some of the letters in the address bar look weird, or the website design looks different, rewrite it or visit the original company URL in a new tab to compare. The letters in the address bar looking strange are a key indicator that Punycode is being used to trick you into thinking you are visiting a well-established brand site when in fact you are being taken to a malicious site.
  • Use a password manager; this reduces the risk of pasting passwords into dodgy sites.
  • Force your browser to display Punycode names; this option is available in Firefox.
  • Click on the padlock to view and inspect the HTTPS certificate.
  • Use a mobile security solution and artificial intelligence to monitor all data traffic and to detect and block phishing links.

Punycode Domain Detection (https://chrome.google.com/webstore/detail/punycode-domain-detection/fkenopinnpinfcjneoanjoimhkmdcjne) - developed by Phish.ai and released as a Google Chrome extension that can detect when users are accessing domains spelled using non-standard Unicode characters and warn about the potential of a homograph attack.

https://talkimg.com/images/2023/11/21/FLCDd.png



Punycoder (https://www.punycoder.com/) - a Punycode converter or IDN converter, a tool for Punycode to Text/Unicode and vice-versa conversion.

A service called Gluee (https://www.gluee.com/tools/) offers multiple tools for webmasters and developers.

https://talkimg.com/images/2023/11/21/FLGZ5.png
https://www.gluee.com/tools/

The first one, called Punycoder (https://www.punycoder.com/), is a tool that converts text with special characters (Unicode) to the Punycode encoding (just ASCII) and vice versa.

This is a tool to check all suspicious phishing Punycode URLs. Just copy and paste the needed link.

https://talkimg.com/images/2023/11/21/FLMkz.png
https://www.punycoder.com/



DON'T USE ANY OF THESE LINKS - MALICIOUS WEBSITES!!!

List of already known Punycode Phishing URLs:

xn--nstagram-skb.com.                 -->        ınstagram.com.
www.xn--nstagram-skb.com.             -->        www.ınstagram.com.
xn--istagram-7pb.com.                 -->        iņstagram.com.
www.xn--imgu-t4a.com.                 -->        www.imguŕ.com.
xn--imgr-sra.com.                     -->        imgúr.com.
xn--whatspp-lwa.com.          &n



Article used as a source of information:
https://www.bleepingcomputer.com/news/security/chrome-extension-detects-url-homograph-unicode-attacks/


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: tranthidung on September 13, 2019, 01:57:09 AM
You actually spent a significant amount of time making the thread, which gives some information I did not know.
Although there are some powerful built-in features in browsers like Firefox to protect users when they modify some options, I think you should leave an important warning for all crypto enthusiasts.
"Always keep your computer screen as clean as possible"
Because it will help you to see a strange dot (.) or anything else like that. Someone who does not clean their computer screen, by hand or with a special cleaning solvent spray, might more easily fall into the traps of Punycode. They won't notice strange 'minor' things on the computer screen, or tell Punycode dots from real dust.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: Henri Cartier on September 13, 2019, 08:09:10 AM
Nice and informative article @wwzsocki. I found an article that says how to avoid Punycode attacks and also who is affected by them. I would like to include that here. Some examples of Punycode attacks with big brands -


https://i.imgur.com/Emt1cPM.png



Check the 7 Ways to avoid a Punycode attack -

  • Be cautious if the site presses you to do something quickly. This is a classic strategy by hackers to rush their potential victims so that they are less likely to notice anything suspicious. Often they will offer a ‘limited time only’ deal, and make it difficult to exit the page with ‘are you sure you want to exit’ pop ups: these are all tactics to make you stay on their site longer and give them your details.
  • If you are being offered a deal, go to the original company site and check if it’s available there as well; if not, it’s most likely a scam doing its best to mimic the established brand and trick visitors into handing over their details.
  • If some of the letters in the address bar look weird, or the website design looks different, rewrite it or visit the original company URL in a new tab to compare. The letters in the address bar looking strange is a key indicator that punycode is being used to trick you into thinking you are visiting a well-established brand site when in fact you are being taken to a malicious site.
  • Use a password manager; this reduces the risk of pasting passwords into dodgy sites.
  • Force your browser to display Punycode names; this option is available in Firefox.
  • Click on the padlock to view and inspect the HTTPS certificate.
  • Use a mobile security solution and artificial intelligence to monitor all data traffic and to detect and block phishing links.


Source: Punycode attacks - the fake domains that are impossible to detect (https://www.wandera.com/mobile-security/phishing/punycode-attacks/#example)


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: Pmalek on September 13, 2019, 08:39:15 AM
So if I understood it correctly, every browser displayed a warning that the site might be a fake one. But Chrome, Firefox and Opera actually displayed the fake apple.com site in their address bar?
I assume changing the Punycode settings would be enough for the real address to be displayed by Firefox; that just leaves Chrome and Opera showing the fake apple.com site in the address bar.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 13, 2019, 08:59:33 AM
Quote
So if I understood it correctly, every browser displayed a warning that the site might be a fake one. But Chrome, Firefox and Opera actually displayed the fake apple.com site in their address bar?

Yes, you are correct, and these browsers are still vulnerable. This is clear to see in the post I quoted above in the OP with the fake Binance web page.

I will try to find additional information about these vulnerable browsers and maybe provide a solution if there is one and I am able to find it.

Quote
I assume changing the Punycode settings would be enough for the real address to be displayed by Firefox...

Exactly, it is enough to adjust the settings in FF:

Quote
  • Open a new tab in Firefox
  • Type about:config in address bar and press Enter.
  • Click the “I accept the risk!” button.
  • Type Punycode in the search bar.
  • A ‘Preference Name’ titled: IDN_show_punycode will be displayed – Right-Click and select Toggle to change the ‘Value’ field from False to True.
  • Close the ‘about:config’ tab.

Quote
...that just leaves Chrome and Opera showing the fake apple.com site in the address bar.

Google has already fixed this issue in Chrome Canary 59, and a permanent fix is from Chrome Stable 58.

As I said already, I will do some research today, try to find solutions for vulnerable browsers, and publish them here in the thread.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: tranthidung on September 13, 2019, 09:00:35 AM
Quote
So if I understood it correctly, every browser displayed a warning that the site might be a fake one. But Chrome, Firefox and Opera actually displayed the fake apple.com site in their address bar?
I assume changing the Punycode settings would be enough for the real address to be displayed by Firefox; that just leaves Chrome and Opera showing the fake apple.com site in the address bar.

That is not right, because browsers only show a warning if people have reported those fake sites to them and their team has verified those reports and taken action.
In general, people have to secure their devices and their accounts by themselves by being as careful as possible.
Relying on support from browsers and community reports is too late to protect them from threats, and attackers might steal their money in minutes.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: DdmrDdmr on September 13, 2019, 09:14:37 AM
I activated the Punycode config change on Firefox mentioned in the OP some months ago, and have seen it at work once in my day to day when it displayed a weird looking url that was impersonating another one. I’m pretty vigilant on what I do, but even so, stuff like this can slip under the radar if one is not extremely careful. Strange that Firefox requires a manual override; most people will not perform it due to lack of awareness.

I tried to see if I could locate some stats on Punycode being used on phishing sites, but the closest I managed to retrieve is this (see https://www.infosecurity-magazine.com/news/fake-homograph-domains-iincrease/):
Quote
Its research around IDN lookalike domain names (also called Homographs) over a 12-month period focused on 466 top global brands across 11 vertical sectors. From this, it found 8000 IDN Homographs representing or containing a top global brand name, and 91% offering some sort of webpage and “clear violations of the ICANN Guidelines for the Implementation of Internationalized Domain Names.”


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: Baofeng on September 13, 2019, 09:16:44 AM
Another example of a Punycode attack here: Another fake website of trezor.io with Punycode[Beware][Updated with fake sites] (https://bitcointalk.org/index.php?topic=5152979.0).


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: Pmalek on September 14, 2019, 07:25:53 AM
Quote
Strange that Firefox requires a manual override; most people will not perform it due to lack of awareness.

You are right, it really is strange. Why would the value be set to False by default if this is a well-known security issue?
Does anyone know if there are any advantages to keeping this option on False that would cause Firefox not to set it to True by default?


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: o_e_l_e_o on September 14, 2019, 03:20:14 PM
Quote
Why would the value be set to False by default if this is a well-known security issue?

Because Firefox serves a global audience, and not everyone speaks English. There are plenty of sites out there in various languages which use characters such as é, ö, ß, ü and so forth. To change all those sites to something like xn--abc123de would not only put those users at risk of attack (compare xn--abc123de and xn--abc123be, for example) but would also be massively impractical for anyone who uses these characters.
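
Added example, not part of any post in this thread: a Python sketch of a check that reconciles the two points above, decoding every xn-- label for display while flagging only names that fold to a protected brand or mix scripts, so ordinary IDNs stay usable. The `PROTECTED` watchlist, the small `CONFUSABLES` table and all sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: names this deployment wants to protect (hypothetical watchlist).
PROTECTED = {"apple", "binance", "coinbase"}

# Hand-picked confusables for this demo only; production code should load
# the full Unicode TR39 confusables data instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
}

RANK = {"ascii": 0, "idn": 1, "mixed-script": 2, "lookalike": 3}


def to_a_label(u_label):
    """Build the xn-- form of a Unicode label (used only to construct samples)."""
    return "xn--" + u_label.encode("punycode").decode("ascii")


def decode_label(label):
    """Return the Unicode form of one DNS label, or None if its xn-- part is malformed."""
    if not label.lower().startswith("xn--"):
        return label.lower()
    try:
        return label[4:].encode("ascii").decode("punycode").lower()
    except ValueError:  # UnicodeError is a subclass of ValueError
        return None


def scripts(text):
    """Scripts of the letters in text, read from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def skeleton(text):
    """Fold accents and known confusables so look-alikes collapse to one string."""
    folded = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue  # drop accents, e.g. the grave accent of U+00E8
        folded.append(CONFUSABLES.get(ch, ch))
    return "".join(folded)


def classify(hostname):
    """Return (display_name, verdict); the most severe label verdict wins."""
    shown, verdict = [], "ascii"
    for label in hostname.rstrip(".").split("."):
        text = decode_label(label)
        if text is None:
            return hostname, "invalid"
        shown.append(text)
        if text.isascii():
            continue
        folded = skeleton(text)
        if folded in PROTECTED:
            found = "lookalike:" + folded
        elif len(scripts(text)) > 1:
            found = "mixed-script"
        else:
            found = "idn"  # non-ASCII but neither mixed nor near a protected name
        if RANK[found.split(":")[0]] > RANK[verdict.split(":")[0]]:
            verdict = found
    return ".".join(shown), verdict


# Constructed sample inputs (built in code, not taken from any feed).
SAMPLES = [
    "www.apple.com.",                                        # plain ASCII
    to_a_label("m\u00fcller") + ".de",                       # ordinary IDN
    to_a_label("coinbas\u00e8") + ".com",                    # accent on a brand
    to_a_label("\u0430\u0440\u0440\u04cf\u0435") + ".com",   # all-Cyrillic look-alike
    to_a_label("sh\u043ep") + ".com",                        # Latin + Cyrillic mix
    to_a_label("coinbas\u00e8")[:-1] + ".com",               # truncated A-label
]

if __name__ == "__main__":
    for host in SAMPLES:
        display, verdict = classify(host)
        print(f"{host:32} {verdict:20} {display!r}")
```

The all-Cyrillic sample uses a single script, so a mixed-script test alone does not catch it; the skeleton comparison against the watchlist does.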


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 15, 2019, 06:41:33 PM
Quote
I tried to see if I could locate some stats on Punycode being used on phishing sites, but the closest I managed to retrieve is this (see https://www.infosecurity-magazine.com/news/fake-homograph-domains-iincrease/):

In this article, I found a link to a very detailed report from Farsight Security about Punycode threat: https://www.farsightsecurity.com/txt-record/2018/01/17/mschiffm-touched_by_an_idn/

There is a lot of info with examples of phishing sites like: Poloniex, Facebook, Kraken, Bittrex, Coinbase and more, even with working SSL certificates.

DON'T USE ANY OF THESE LINKS - MALICIOUS WEBPAGES!!!

Quote
Appendix B: Suspicious IDNs
The following are a subset of the IDNs we observed.
xn--wkpedia-7yab.org.                 -->    wíkípedia.org.
xn--wkpedia-rfbb.com.                 -->    wıkıpedia.com.
xn--wkpedia-zyab.com.                 -->    wìkìpedia.com.
YANDEX

www.xn--yande-vx1b.com.               -->        www.yandeẋ.com.
www.xn--yanex-vb1b.com.               -->        www.yanḋex.com.
www.xn--yndex-0jc.com.                -->        www.yɑndex.com.
xn--yande-uze.ru.ru.                  -->        yandex.ru.ru.
xn--yndex-3wa.com.                    -->        yąndex.com.
YOUTUBE

xn--yotube-jnb.com.                   -->        yoűtube.com.
xn--youtub-nva.com.                   -->        youtubê.com.
xn--youtue-7g7b.com.                  -->        youtuḇe.com.
ww11.xn--yotube-jya.com.              -->        ww11.yoùtube.com.
ww43.xn--yotube-4ya.com.              -->        ww43.yoütube.com.
www.xn--yotube-4ya.com.               -->        www.yoütube.com.
www.xn--youtue-7g7b.com.              -->        www.youtuḇe.com.
www.xn--youube-kmc.com.               -->        www.youțube.com.
xn--outube-9ya.com.                   -->        ýoutube.com.
www.xn--outube-9s8b.com.              -->        www.ỳoutube.com.
www.xn--outube-9ya.de.                -->        www.ýoutube.de.
MISC: LUXURY BRANDS

www.xn--gucc-tpa.com.                 -->        www.guccì.com.
xn--gucc-tpa.com.                     -->        guccì.com.
xn--herms-7ra.com.                    -->        hermès.com.
www.xn--herms-7ra.fr.                 -->        www.hermès.fr.
www.xn--lousvuitton-qcb.com.          -->        www.louísvuitton.com.
MISC: SOCIAL PLATFORMS

xn--nstagram-11a.com.                 -->        ìnstagram.com.
xn--nstagram-skb.com.                 -->        ınstagram.com.
www.xn--nstagram-skb.com.             -->        www.ınstagram.com.
xn--istagram-7pb.com.                 -->        iņstagram.com.
www.xn--imgu-t4a.com.                 -->        www.imguŕ.com.
xn--imgr-sra.com.                     -->        imgúr.com.
xn--whatspp-lwa.com.                  -->        whatsápp.com.
xn--whtspp-cxcc.com.                  -->        whɑtsɑpp.com.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 17, 2019, 08:41:49 AM
Nice and informative article @wwzsocki. I found an article where it says how to avoid Punycode attacks and also who all are affected by that. I would like to include that here. Some of the examples of Punycode attacks with big brands -

https://talkimg.com/images/2023/11/21/FLmg2.png

Check the 7 Ways to avoid a Punycode attack -

  • Be cautious if the site presses you to do something quickly. This is a classic strategy by hackers to rush their potential victims so that they are less likely to notice anything suspicious. Often they will offer a ‘limited time only’ deal, and make it difficult to exit the page with ‘are you sure you want to exit’ pop ups: these are all tactics to make you stay on their site longer and give them your details.
  • If you are being offered a deal, go to the original company site and check if it’s available there as well; if not, it’s most likely a scam doing its best to mimic the established brand and trick visitors into handing over their details.
  • If some of the letters in the address bar look weird, or the website design looks different, rewrite it or visit the original company URL in a new tab to compare. The letters in the address bar looking strange is a key indicator that punycode is being used to trick you into thinking you are visiting a well-established brand site when in fact you are being taken to a malicious site.
  • Use a password manager; this reduces the risk of pasting passwords into dodgy sites.
  • Force your browser to display Punycode names, this option is available in Firefox.
  • Click on the padlock to view and inspect the HTTPS certificate.
  • Use a mobile security solution and artificial intelligence to monitor all data traffic and to detect and block phishing links.
Source: Punycode attacks - the fake domains that are impossible to detect (https://www.wandera.com/mobile-security/phishing/punycode-attacks/#example)

Thanks for this comment and info. I already awarded you with merit and will use it in my OP if you don't mind?

I want to add all these points from "7 Ways to avoid a Punycode attack". I think it will make this article complete when I add it at the end.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 18, 2019, 03:34:51 PM
Here is another great example of a Punycode Homograph Phishing attack. This time the Poloniex exchange is targeted. Just look how similar it looks compared to the original page.

https://talkimg.com/images/2023/11/21/FLPdc.png

The only difference between the original page and this malicious one is that the hacker misspelled the phrase "Sign in" as "Sing in" a couple of times.

What is different in this attack is that the SSL certificate is shown as valid:

https://talkimg.com/images/2023/11/21/FLRFP.png

Of course it is a valid SSL because this is relatively easy to do for experienced hackers, especially when Homographs are used to change the URL.

https://www.farsightsecurity.com/txt-record/2018/01/17/mschiffm-touched_by_an_idn/



Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 20, 2019, 08:59:50 AM
Screenshot of a suspected Facebook phishing website, another Punycode Homograph Phishing attack.

https://talkimg.com/images/2023/11/21/FLThq.png

Only this time it is much easier to see that something is wrong with these Facebook pages, even for an untrained eye, because the SSL certificates are bad and displayed in red.

https://talkimg.com/images/2023/11/21/FLtlj.png

I hope that all these examples will help to identify Punycode phishing attacks. One has to check everything three times to be safe online today and there are no shortcuts.


https://www.farsightsecurity.com/txt-record/2018/01/17/mschiffm-touched_by_an_idn/




Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: tranthidung on September 20, 2019, 09:12:13 AM
Well done!
You collected nice visual examples, but I think you can make your visual examples better by cropping unused parts in order to display the part of phishing sites with Punycode. Focus on the part with the phishing sites' addresses. By looking at your current images, readers are unable to imagine how Punycode works on phishing sites.  :D


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: dkbit98 on September 20, 2019, 10:39:52 AM
One more Punycode example reported
with stéllar and mediụm websites

More information in Scam Accusations:
https://bitcointalk.org/index.php?topic=5186085

PS
@wwzsocki
I also added your Punycode topic link to my Quizzes topic:
[LEARN] Phishing Quizzes - Beginners & Experts (https://bitcointalk.org/index.php?topic=5178375)


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 21, 2019, 08:30:45 PM
@wwzsocki
I also added your Punycode topic link to my Quizzes topic:
[LEARN] Phishing Quizzes - Beginners & Experts (https://bitcointalk.org/index.php?topic=5178375)

Thank you very much for the links spread.

We have to keep informing people about these threats because the situation is getting only worse with time.

To be honest, if you don't know about Punycode and how to protect yourself from Homograph Phishing attacks, you can very easily become a victim of a faked website.

Even for a trained eye it is sometimes very hard to spot the difference, like with this Binance example which is my favorite  ;).

The most tricky phishing website I've heard of was this one. It looks like Binance.com but there is no "n". This is a strange n with a dot at the bottom.

https://talkimg.com/images/2023/11/21/FLF6G.png
source (https://steemit.com/binance/@sriz/binance-phishing-alert)

How to deal with such a phishing address? Those dots are almost unnoticeable.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 23, 2019, 10:02:06 AM
...I think you can make your visual examples better by cropping unused parts in order to display the part of phishing sites with Punycode. Focus on the part with the phishing sites' addresses...

Thank you very much for this suggestion. This is true and I have already changed the sizes of screens, not only in this thread but in many others, which I have already published.

To be honest I never changed the size only published screen as it was but I see it was a mistake because posts look so much better when everything is big or small enough and match the rest.

It is much easier to see the details if needed and the post is not so extended because of the big screens. As I said, I have already changed a couple of my threads and they look a lot better now.

Thanks mate  ;).


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 26, 2019, 03:55:17 PM
You actually spent significant amount of time to make the thread, that gives some information I did not know...

You are right that it took a while but this doesn't matter if I know that I shared information you were not aware of  :D, especially about Punycode, which is one of the biggest threats to our online security lately. Even if you know about it, sometimes these URLs are so similar that it is hard to tell if this is a phishing attack or an original site.

I know because I was already exposed to such a Homograph phishing attack on a fake exchange website, but luckily the password manager saved me because it hadn't automatically filled the username and password, which was a red flag for me, because all important websites are stored in the password manager. I always log in automatically and don't even remember passwords because they are created by the password manager and very complex. Still, I didn't realize that this was a phishing site and tried a couple of times to get the password filled by the browser and to log in before I understood that I was on a phishing website which uses a Punycode Homograph attack to steal my passwords.

I had known about this threat for some time; anyway, hackers almost got me. This is why I wrote this thread, because I understand that if somebody is not aware of this threat, then there is a big chance that sooner or later they will be a victim of a phishing website which uses Punycode to change the URLs.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on October 02, 2019, 07:52:15 AM
Another scary example of Punycode phishing attack in use: Real PayPal.com Versus Fake PayPal.com.

https://talkimg.com/images/2023/11/21/FLNVD.png

If the domain, created using Cyrillic scripts "raural.com" was registered, the way that Unicode-browsers will actually render that domain in Latin is as "paypal.com."

In theory, phishers could pass around that link and set up a fake version of the PayPal site to harvest logins and credit card data.

Not all Latin letters are represented in Cyrillic, for instance, but for companies that can have their brand compromised, we hope they look at locking those domains up quickly.

Pretty scary, no?


https://mashable.com/2010/01/01/idn-phishing/?europe=true#QqNLPKgAhmqM


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on October 11, 2019, 10:05:19 AM
Today I found that there are a couple of addons for Google Chrome and other browsers that are vulnerable to the Punycode and Homograph Phishing attacks.

PhishProtect Beta: Free open-source tool to protect against homograph attacks and zero-day phishing powered by AI and Computer Vision. The tool redirects the browser to a warning page when IDN/Unicode URL or zero-day phishing website is detected and the full Punycode (ASCII) representation is displayed.
https://chrome.google.com/webstore/detail/phishprotect-beta/mikecfgnmakjomepfcghpbhfamjbjhid

Punycode alert: extension that alerts you when a Unicode URL has been opened preventing phishing attacks.
URLs can be registered in Unicode and some scams can be made with URLs looking like official websites. This extension alerts you when the URL is of this kind.
https://chrome.google.com/webstore/detail/punycode-alert/odbbcdajedbapmgpgfacfigdpbdahenh

These two are not so well known but have a couple of thousand users, but it is hard to tell something more about them and to find more info or reviews online.

The last addon I found is Punycode Domain Detection and it is the best known of these three. I found a couple of articles about it. Phish.ai developed and released a Google Chrome extension that can detect when users are accessing domains spelled using non-standard Unicode characters and warn the users about the potential of a homograph attack.

https://i.imgur.com/gpN5UQl.png

Here is the link: https://chrome.google.com/webstore/detail/punycode-domain-detection/fkenopinnpinfcjneoanjoimhkmdcjne

If you wish to read more here is the article I used as a source for information: https://www.bleepingcomputer.com/news/security/chrome-extension-detects-url-homograph-unicode-attacks/


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: yazher on October 11, 2019, 10:42:43 AM
This is some scary phishing technique, another thread worth posting on my daily news today. I'll make them aware of this kind of phishing.
A few months ago I entered a fake Bitcointalk site, but instead of .org the fake one is .to. I was close to getting hacked by that site because I was already in the login window. I was about to sign in when I saw something strange with the domain name and read it again. Damn, it was not the original site; it was the fake one.

Based on your examples they are only interested in hacking big exchange accounts. If they make something like a Bitcointalk site, many users will fall and become victims of this kind of phishing. That's why I need them to be aware of this kind of stuff.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: magneto on October 11, 2019, 11:43:41 AM
Extremely comprehensive guide. I did know of these phishing websites before but didn't know the exact method that scammers seem to do this by.

I think that browsers should definitely show these codes by default, or at least have better algorithms that detect when the user is visiting a fraudulent site. Of course it is impossible to keep up with these phishers 100% all the time, but it should at least get periodically updated (this sort of scam has been around for a while now).

The majority of these phishing sites come from google ads as far as I know. You should never click on any of them. Even top search results can sometimes contain these sites if the site is relatively new. As others would have probably suggested, even though bookmarks may seem like a hassle, they are definitely worth it.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: Lafu on October 11, 2019, 12:19:51 PM
Great post and thread, sadly I have just seen it now lol  :D !

Nice information and explanation of the whole thing, respect!

This deserved 3 Merits from me to you, so you now hit the Legendary Rank with it!


Congrats for the Legendary and welcome in the Club !  8)

Regards Lafu


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on October 11, 2019, 01:19:46 PM
Great post and thread, sadly I have just seen it now lol  :D !

Nice information and explanation of the whole thing, respect!

This deserved 3 Merits from me to you, so you now hit the Legendary Rank with it!


Congrats for the Legendary and welcome in the Club !  8)

Regards Lafu

Thank you very much Lafu!!!

This is a real achievement for me, so I will remember this first post as a Legendary member and those 3 merits which made it possible for a very long time, probably forever  :D.

After so many years, I finally got to the most famous Legendary club, it's a little hard to believe, that it is right now and on the other hand it lasted for so long.

Mission accomplished  http://emots.yetihehe.com/1/muza.gif


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: crypto mania on October 12, 2019, 12:31:28 PM
...Congrats for the Legendary and welcome in the Club !  8)..

CONGRATULATIONS!!!

You finally did it. Amazing achievement taking into consideration that this only took 2 years.
As you see I am back after so long again because of you. I will be more active because it is a shame to leave this account after so much work I already did.
One more time thank you for everything you did for me on the forum and sorry for all the problems you had because of me.

I see that your posting skills are indeed on a much higher level and hovering merits is now for you something common.
This Punycode thread is one of the best I have read lately about security breaches on the Bitcointalk forum, kudos for that.


Title: Re: What is Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on October 24, 2019, 09:32:14 AM
...I think that browsers should definitely show these codes by default, or at least have better algorithms that detect when the user is visiting a fraudulent site. Of course it is impossible to keep up with these phishers 100% all the time, but it should at least get periodically updated (this sort of scam has been around for a while now)...

Exactly, I was wondering about the exact same thing, which is why the hell browsers just don't implement something which will show the real URL, a message in a popup or something else which will be really helpful and easy to use and understand. Despite everything, as of now there is no solution provided by browser creators and all I found was a couple of addons, which I have already written about a couple of posts above.

...The majority of these phishing sites come from google ads as far as I know. You should never click on any of them. Even top search results can sometimes contain these sites if the site is relatively new...

What you have written is, of course, true, but there are also plenty of them outside Google Ads. I have an ad blocker installed (uBlock Origin) and I have still been a couple of times on such phishing websites that use Punycode and Homograph Phishing attacks to steal your passwords, and only thanks to my password manager I haven't shared it.

I think we have to prepare for even the worst situation in the future because phishing websites count is growing with insane speeds. Today I have read a great post about this subject in this thread: Re: Half of all Phishing Sites Now Have the Padlock Sign (https://bitcointalk.org/index.php?topic=5078786.msg52857487#msg52857487)


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on November 25, 2019, 09:23:30 AM
I found a great service called Gluee (https://www.gluee.com/tools/) with multiple tools for webmasters and developers but the most important thing for us is that there are a couple of tools to protect against Punycode vulnerability.

https://i.imgur.com/YxvEKQ1.png
https://www.gluee.com/tools/

As you can see the first one called Punycoder  (https://www.punycoder.com/) is a tool that converts text with special characters (UNICODE) to the Punycode encoding (just ASCII) and vice versa.

This is a great tool to check all suspicious Phishing Punycode URLs. Just copy and paste the needed link.

https://i.imgur.com/RS0gPdq.png
https://www.punycoder.com/

Punycoder  (https://www.punycoder.com/) - Punycode converter or an IDN converter, a tool for Punycode to Text/Unicode and vice-versa conversion.

I advise checking the other tools from this website because they can help to stay safer online if we use them.
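
The same Punycode-to-Unicode check can be done offline. The script below is an added example, not part of the original post and not the code of any tool named in this thread: it decodes each `xn--` label, reports which scripts the letters come from, and folds look-alike characters to see which watched name the label imitates. `WATCHLIST`, `LOOKALIKES` and the `.example` hostnames are constructed for the illustration.

```python
import unicodedata

# Constructed watchlist of names a defender wants to protect (assumption).
WATCHLIST = {"yahoo", "binance", "paypal"}

# Small illustrative subset of look-alike characters that NFKD does not fold;
# a production check would use the full Unicode confusables data (UTS #39).
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
}


def to_alabel(label):
    """Encode one Unicode label to its ASCII 'xn--' form (no nameprep applied)."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def decode_label(label):
    """Decode one DNS label; raises UnicodeError on malformed Punycode."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(text):
    """Return the scripts used by the letters of text, taken from Unicode names."""
    found = set()
    for ch in text:
        if ch.isascii() and not ch.isalpha():
            continue  # digits and the hyphen are shared by all scripts
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(text):
    """Fold text to the ASCII string it visually imitates (best effort)."""
    folded = []
    for ch in unicodedata.normalize("NFKD", text.lower()):
        if unicodedata.combining(ch):
            continue  # drop accents, dots below and other combining marks
        folded.append(LOOKALIKES.get(ch, ch))
    return "".join(folded)


def analyze(hostname):
    """Decode every label of hostname and list the reasons it looks spoofed."""
    decoded, flags = [], []
    for label in hostname.rstrip(".").split("."):
        try:
            text = decode_label(label)
        except UnicodeError:
            decoded.append(label)
            flags.append("invalid-punycode")
            continue
        decoded.append(text)
        if not text.isascii():
            flags.append("non-ascii")
        if len(scripts(text)) > 1:
            flags.append("mixed-script")
        brand = skeleton(text)
        if brand in WATCHLIST and text != brand:
            flags.append("imitates:" + brand)
    return {"unicode": ".".join(decoded), "flags": flags}


# Constructed sample hostnames under the reserved .example TLD.
SAMPLES = [
    "www.xn--yaho-7qa.example.",                      # o with diaeresis
    to_alabel("bi\u1e47a\u1e47ce") + ".example",      # n with dot below
    to_alabel("p\u0430yp\u0430l") + ".example",       # Cyrillic a inside Latin
    "www.yahoo.example",                              # plain ASCII, no flags
    "xn--yaho-7q.example",                            # truncated Punycode
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host, analyze(host))
```

Diacritics and dots below are caught by the NFKD fold alone; letters borrowed from another alphabet only fold if they are listed in `LOOKALIKES`, which is why the mixed-script flag is reported separately.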


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on September 12, 2020, 08:07:49 PM
Wandera (https://www.wandera.com/cloud-security-report-september-2020/) - the world's largest provider of cloud security for remote workers, just published its Cloud Security Report for September 2020.

In which they refocus on phishing, looking at the length of phishing URLs compared to safe URLs, but not only.

Researchers from Wandera (https://www.wandera.com/cloud-security-report-september-2020/) found that the length of a URL can be a telltale sign of a phishing attack.

Quote
legitimate URLs typically sit between 20 and 44 characters, anything beyond that is most likely a phishing link. On average, requests made to unsafe domains were 1.8x the length of requests made to safe domains.

Wandera (https://www.wandera.com/cloud-security-report-september-2020/) researchers warn that spotting suspicious links could be very problematic on smartphones and tablets because modern browsers truncate URLs for a sleeker design.

Quote
Users need to apply a greater level of scrutiny when using browsers on mobile devices, particularly given the rise in use of punycode in phishing URLs.

I encourage everyone to read about Punycode and Phishing attacks. In this report there are many interesting pieces of information, like the days of the week on which people visit phishing sites the most.

Quote
... largely stable during the week aside from Monday... Interestingly, Saturday was the day with the highest number of requests made to phishing domains.

Here is the link to the full report: https://www.wandera.com/cloud-security-report-september-2020/


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: adamvp on November 05, 2020, 05:56:35 PM
Very valuable work wwzsocki! I was aware of phishing threats, but I have never heard about such a thing as Punycode. And it is one of the most dangerous ones, sometimes it needs to enter dangerous site to harm your computer. Many thanks, good job!


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on November 07, 2020, 05:54:21 PM
Very valuable work wwzsocki! I was aware of phishing threats, but I have never heard about such a thing as Punycode...

Thank you @Adamvp for your kind words.

I created this thread because I was almost hacked using a Punycode attack. Thanks to Metamask and the password manager I was able to spot this in time, but to be honest, I had already started to write a password manually (few first ciphers) when I stopped because something felt wrong about this login.

I was logged in earlier and normally my password and username are automatically filled when I am on the correct website and here it wasn't, despite I was logged in a few minutes earlier and only closed the tab. Additionally on the correct website, when I start to type email or password the login details came up automatically thanks to the password manager, and here it wasn't. Second-time Metamask warned me that I am on a phishing website and didn't let me proceed further.

So, I started to dig into this Punycode topic and found that we are almost defenseless because these phishing URLs are exactly the same or almost identical to the original.

I think, I am quite paranoid about privacy and malicious threats and if I was so easily almost hacked I can imagine that many people are vulnerable every day even without knowing it.
So if this thread helps somebody to defend himself or at least to be aware of the danger, then I am ok with that and think that the job is done ;).


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: OcTradism on November 08, 2020, 10:14:24 AM
I created this thread because I was almost hacked using a Punycode attack. Thanks to Metamask and the password manager I was able to spot this in time, but to be honest, I had already started to write a password manually (few first ciphers) when I stopped because something felt wrong about this login.

I was logged in earlier and normally my password and username are automatically filled when I am on the correct website and here it wasn't, despite I was logged in a few minutes earlier and only closed the tab. Additionally on the correct website, when I start to type email or password the login details came up automatically thanks to the password manager, and here it wasn't. Second-time Metamask warned me that I am on a phishing website and didn't let me proceed further.
Your story sounds like you chose "Remember my password on this site (something like that)" on the browser you used to log in. I don't think it is a good way to do it despite its simplicity and convenience. I never choose this option on any browser and every time I log in, I manually type passwords.

Some sites have their security methods to automatically log out your accounts (on browser, on mobile) each month. And what you said is not always true that the site you are logging in your account is a phishing site.


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on November 09, 2020, 11:33:15 PM
Your story sounds like you chose "Remember my password on this site (something like that)...

No, not exactly, I had it saved in my password manager, and every time I start to type it shows the right option right away and here it was empty.

Still, I didn't realize and started to manually provide the password, luckily I don't know it and I wasn't able to figure it out, luckily I recognized something is wrong
and haven't provided any valuable info to the hackers.

It's really tricky and to be honest, we should check all URLs we are not fully sure of.


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: adamvp on November 24, 2020, 11:46:31 PM
I created this thread because I was almost hacked using a Punycode attack. Thanks to Metamask and the password manager I was able to spot this in time, but to be honest, I had already started to write a password manually (few first ciphers) when I stopped because something felt wrong about this login.

I was logged in earlier and normally my password and username are automatically filled when I am on the correct website and here it wasn't, despite I was logged in a few minutes earlier and only closed the tab. Additionally on the correct website, when I start to type email or password the login details came up automatically thanks to the password manager, and here it wasn't. Second-time Metamask warned me that I am on a phishing website and didn't let me proceed further.
Your story sounds like you chose "Remember my password on this site (something like that)" on the browser you used to log in. I don't think it is a good way to do it despite its simplicity and convenience. I never choose this option on any browser and every time I log in, I manually type passwords.

Some sites have their security methods to automatically log out your accounts (on browser, on mobile) each month. And what you said is not always true that the site you are logging in your account is a phishing site.

Manually typing is very dangerous .. it only needs your computer to be infected by a keylogger and the hacker will know your password immediately! Only a good password manager (with good encryption) is a reliable solution!!


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on November 26, 2020, 03:54:23 PM
Manually typing is very dangerous... Only a good password manager (with good encryption) is a reliable solution!!

I agree but despite everything and that I had one, still, I started to manually log in when there was no response from the password manager.

As I said, I was lucky to recognize something is wrong but can assume that many people can't and login every day on phishing sites.

Thanks to this event, this thread came to existence, I hope that at least a few members more are aware of this threat thanks to my writings.


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: adamvp on December 08, 2020, 07:17:57 PM
Yes, I was made aware of this danger thanks to your thread, I think this thread should be pinned!
Or maybe this is a thread about  biggest threats and it could be linked there?


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on January 24, 2021, 08:21:42 PM
Or maybe this is a thread about  biggest threats and it could be linked there?

Don't know to be honest but I fully agree with you that Punycode is the biggest threat for normal internet user today when it comes to browsing the web and using URLs.

Despite many tools I have found and even reviewed in this thread, still I haven't found even one which will be easy to use and widely distributed like an extension or something.

This is very surprising to me that nobody created something like this because, taking into consideration the scale of danger, even a paid version could easily be a big success.

And now a shout out to the community: if anybody has seen or uses any tool that helps with Punycode and Homographs, please share!


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: o_e_l_e_o on January 24, 2021, 10:13:36 PM
Despite many tools I have found and even reviewed in this thread, still I haven't found even one which will be easy to use and widely distributed like an extension or something.
You don't really want to install an extension for something so simple to solve. Every extension you install is a security risk, and unless you sit down and review all the code yourself (which few users have the knowledge and skill set to do, and even fewer actually do it), then you are introducing more and more unknown and potentially malicious code in to your browser with every extension you install. With any browser, you should be aiming to keep the number of extensions you use to the bare minimum, and they should only be ones which are open source and independently reviewed unless you are reviewing the code yourself. Malicious extensions can do everything from change bitcoin addresses in your clipboards through to stealing your passwords and your coins.

In Tor or Firefox, simply open a new tab, enter about:config, accept the warning, and change the preference "network.IDN_show_punycode" from false to true.
Chromium based browsers now show punycode as default, provided they are up to date.


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on January 25, 2021, 04:21:53 PM
...In Tor or Firefox, simply open a new tab, enter about:config, accept the warning, and change the preference "network.IDN_show_punycode" from false to true.
Chromium based browsers now show punycode as default, provided they are up to date.

Thank you very much for your input @Oeleo. It would be great if you can show how it looks by default in the Google browser?

Is there any message shown that this is Punycode? I don't quite understand because I haven't used it for quite some time.

Still, I use Brave which is also built on Chromium and haven't noticed anything to be honest.

I will soon make a tutorial with screens how to set up this on Firefox for less experienced members but would be great to show also some Google examples.

Please explain more exactly how it works on Google now? Does it mean they don't show URLs translated to ASCII, only the original ones?


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: o_e_l_e_o on January 25, 2021, 05:02:26 PM
It would be great if you can show how it looks by default in the Google browser?
I'm afraid I can't since I flat out refuse to install anything related to Google on my devices, especially not Google Chrome since it is spyware and a privacy nightmare.

According to the Chrome Release Notes here (https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html), this has been addressed (CVE-2017-5060) since version 58, and Chrome and Chromium based browsers should display the raw "xn--abc123" code.

There are images of this on this page: https://www.thesslstore.com/blog/security-changes-in-chrome-58/
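
Added example (not part of any post in this thread): the two posts above rely on the browser showing the raw "xn--" form of a hostname. The Python sketch below does the same conversion outside the browser with the standard library's IDNA 2003 codec and also lists the scripts used in each label; the function names, the script heuristic and the sample hostname are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: "example.com" with Cyrillic U+0430 in place of Latin "a".
SPOOFED_URL = "https://ex\u0430mple.com/login"


def label_scripts(label):
    """Scripts used by the letters of one DNS label.

    Heuristic (an assumption of this example): the first word of the
    Unicode character name, e.g. LATIN, CYRILLIC, GREEK.
    """
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in label if ch.isalpha()})


def inspect_host(url):
    """Return the ASCII (Punycode) and Unicode forms of a URL's hostname."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    # What DNS sees: non-ASCII labels become "xn--..." labels.
    ascii_host = host.encode("idna").decode("ascii")
    # What a browser may render when it does not show Punycode.
    unicode_host = ascii_host.encode("ascii").decode("idna")
    scripts = {lab: label_scripts(lab) for lab in unicode_host.split(".")}
    return {
        "ascii": ascii_host,
        "unicode": unicode_host,
        "is_idn": any(l.startswith("xn--") for l in ascii_host.split(".")),
        # Labels mixing scripts; a label written entirely in one
        # non-Latin script is not listed here but still has is_idn True.
        "mixed_script": [lab for lab, s in scripts.items() if len(s) > 1],
        "scripts": scripts,
    }


if __name__ == "__main__":
    for target in (SPOOFED_URL, "https://example.com/login"):
        info = inspect_host(target)
        print(info["ascii"], info["is_idn"], info["mixed_script"])
```

A hostname that comes back with is_idn set is not automatically malicious, since legitimate international domains use the same encoding; the point is to see the form that DNS actually resolves before trusting what the address bar renders.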


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: Learn Bitcoin on December 03, 2023, 11:12:07 AM
A friendly bump!

I believe this thread needs more attention from everyone, so it gets bumped. People need to read this and understand the importance of the Punycode and Homograph phishing attacks. I thought I knew many things, but I am being honest here, I never heard about it before this week when SFR10 mentioned it. He forwarded me to this thread, which everyone should read and know.

@wwzsocki, I had a fight with you in another thread but the truth is, I never wanted to engage in a fight but you got insulted by me. I am sorry for that. I hope you didn't take it with a heavy heart.


Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: wwzsocki on December 04, 2023, 12:48:16 AM
@wwzsocki, I had a fight with you in another thread but the truth is, I never wanted to engage in a fight but you got insulted by me. I am sorry for that. I hope you didn't take it with a heavy heart.

I keep sitting here looking for posts in my account history to recall what this was all about but can't find anything. I hope it wasn't done on purpose, maybe language barriers; please send me a link if there is any or remind me (maybe in DM?) what that was all about.

I hope it wasn't my intention to insult you but if it was then one more time I am very sorry and hope that you will be able to accept my apology.

A friendly bump!

I believe this thread needs more attention from everyone, so it gets bumped. People need to read this and understand the importance of the Punycode and Homograph phishing attacks. I thought I knew many things, but I am being honest here, I never heard about it before this week when SFR10 mentioned it. He forwarded me to this thread, which everyone should read and know.

I have edited/updated a bit for better read, thanks for bumping it, also hope that more people will read about "Punycode and how to protect yourself from Homograph Phishing attacks".

Punycode and Homograph Phishing attacks are the easiest way to get scammed and many even experienced internet users are not able to recognize it, enough to type username and password on a fake website.

Lately this scam is even better and there are fake websites that redirect to the original website after hitting login for example, so there is a small chance to recognize that something has gone wrong, people think "oh failed login, for sure typed wrong, fat fingers" and try one more time, which is successful, they don't expect that somebody just got access to this account.

I myself almost shared the password to one of my exchange accounts, so I am totally aware how well made fake websites are, at first look I wasn't able to recognize it, don't mention spoofed URL, of course it looked exactly the same as the original.

The best practice to be safe is to use links only from trusted sources, direct links and bookmark them.

Password manager is also very helpful, in my case switched on the red lamp when I wasn't able to login to the fake website when I was simply clicking on username, it should fill automatically and I got nothing, couldn't login even if I wanted to because I didn't know the password, it is strong and generated by the password manager.

Always use Two-Factor Authentication (2FA) if possible.



Title: Re: UPDATED!!! Punycode and how to protect yourself from Homograph Phishing attacks?
Post by: Learn Bitcoin on December 04, 2023, 06:30:38 AM
I hope it wasn't my intention to insult you but if it was then one more time I am very sorry and hope that you will be able to accept my apology
You didn't insult me. It was my bad buddy! If you already forgot what happened, I don't want to remind you about it anymore. But I can give you a hint that it occurred in the Sinbad Bitcoin prize prediction thread. I am genuinely sorry, and I hope you didn't take it with a heavy heart.

I have edited/updated a bit for better read, thanks for bumping it, also hope that more people will read about "Punycode and how to protect yourself from Homograph Phishing attacks"

Thanks for updating the thread. As I said, I had never heard about it before SFR10 mentioned this. I never knew something like this existed. I bumped this one because I believe more people should read about it.


Title: Re: Punycode and how to protect yourself from Spoofed URLs and fake websites.
Post by: wwzsocki on December 04, 2023, 04:11:13 PM
You didn't insult me. It was my bad buddy! If you already forgot what happened, I don't want to remind you about it anymore. But I can give you a hint that it occurred in the Sinbad Bitcoin prize prediction thread. I am genuinely sorry, and I hope you didn't take it with a heavy heart.

Oh, thanks for the explanation. I don't like personal fights and am immediately nervous to such an extent that I couldn't understand what was written, don't know what to think about this, I need a chill pill I assume  8)

No, I don't remember this at all, I am such a type that usually doesn't get involved in fights and always tries to be polite.
I've never been able to hold a grudge against someone for long.


Title: Re: Punycode and how to protect yourself from Spoofed URLs and fake websites.
Post by: Learn Bitcoin on December 05, 2023, 01:21:23 AM
oh thanks for explanation, don't know how I understood you wrongly, now when I read it again is obvious (written in plain English  :D)
Thanks for understanding. No one is above mistakes, and I guess I was the one who unintentionally wrote something bad. I am happy to know you didn't take it too heavily, and even you forgot that already.

I don't like personal fights and am immediately nervous when I read about to such extent that I haven't understood you correctly,
don't know what to think about this, I need a chill pill I assume  8)
I also like to stay neutral all the time, but sometimes I do something that is not acceptable to others. But, I believe I can handle criticism, and I understand what mistakes I made in the past. Saying sorry for my own mistakes won't make me down. So, when it's my mistake, I would be very much happy to apologize.



Title: Re: Punycode and how to protect yourself from Spoofed URLs and fake websites.
Post by: wwzsocki on December 05, 2023, 10:00:57 AM
...

OK, let's stop with this offtopic and bring back the discussion about Homograph Phishing attacks.



Have you found any new fake website with a spoofed name worth attention and sharing lately? Known exchange or wallet maybe?

I keep thinking if I shall add links to your thread and the others I have seen when I was reading your comments about Punycode and Homograph Phishing attacks to make it easy to find for members that are interested and want to read more about this.

I think it is worth doing, if you agree with me and have any links that I can add please share, I will take a look and add the most valuable ones or all of them, we will see.


Title: Re: Punycode and how to protect yourself from Spoofed URLs and fake websites.
Post by: Learn Bitcoin on December 06, 2023, 01:01:29 PM
have you found any new fake website with spoofed name worth attention and sharing lately? known exchange or wallet maybe?
Unfortunately, I haven't noticed any spoofed website names yet. As you already know, I didn't even know about it. I don't know if I have visited such a link before without understanding that this is not the real website. If I find anything like this in the future, I will keep you updated about it.

I keep thinking if I shall add links to your thread and the others I have seen when I was reading your comments about Punycode and Homograph Phishing attacks to make it easy to find for members that are interested and want to read more about this.

I think is worth to do it, if you agree with me and have any links that I can add please share, I will take a look and add the most valuable ones or all of them, we will see

I always agree with something that may help forum people. As I said, I didn't find any website yet as I wasn't aware of it. Moreover, I do not actively search for them. The scam website links I gathered from a random search when I was interested in a specific miner. Let me know what I should do to help everyone.