Phishing Technique – Internationalized Domain Names

Of the four spellings of breitbart.com below, which one is correct? This isn't a trick question: only one is spelled right.

“breitbart.com”  |  “brеitbart.com” | “bгeitbart.com” | “breіtbart.com”

It's the first one. You might be wondering how the others differ, since they all look correct. The trick isn't sophisticated, but not many people know about it. It relies on Punycode, the encoding that lets non-Latin Unicode characters be used in domain names. In the three false spellings above I replaced one Latin letter in each with a visually identical Cyrillic letter: е (U+0435) for e, г (U+0433) for r and і (U+0456) for i. They look like the correct domain, but each is a different name; the second spelling, for example, is really xn--britbart-d8g.com, the ASCII-compatible "xn--" form (the A-label) that DNS actually resolves. This is the format Internationalized Domain Names (IDN) use on the wire. The legitimate purpose is to let domain names be written in local scripts and languages; the same mechanism can be used to build very convincing spear phishing lures.


How do I punycode a string?

Here is a good website for easily converting to and from Punycode: https://www.punycoder.com/
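The same conversion can be done offline with Python's built-in `idna` codec. The block below is an added example, not code from the original post: it encodes the four spellings from the post to their xn-- forms, decodes an xn-- name back, and adds the two checks a defender wants, a mixed-script test on each label and a skeleton comparison against the real domain. The `LOOKALIKES` table is an assumed, hand-picked subset of Unicode confusables covering the letters used on this page, not a full confusables list.

```python
import unicodedata

# Constructed sample input: the four spellings from the post. The second
# uses Cyrillic е (U+0435), the third Cyrillic г (U+0433) and the fourth
# Cyrillic і (U+0456) in place of a Latin letter.
SPELLINGS = [
    "breitbart.com",
    "br\u0435itbart.com",
    "b\u0433eitbart.com",
    "bre\u0456tbart.com",
]

# Assumed subset of Unicode confusables: Cyrillic letters that render like
# Latin ones. Enough for this page; a real deployment would use the full
# Unicode confusables table.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0433": "r", "\u0441": "c", "\u0445": "x",
    "\u0443": "y", "\u0455": "s", "\u0458": "j",
}


def to_ace(domain: str) -> str:
    """Unicode (U-label) form -> ASCII-compatible xn-- (A-label) form.

    This is the name the resolver actually looks up. A pure-ASCII name
    comes back unchanged.
    """
    return domain.encode("idna").decode("ascii")


def from_ace(domain: str) -> str:
    """xn-- form -> Unicode form, i.e. what a client may display."""
    return domain.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word
    of each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(domain: str) -> bool:
    """True if any label mixes scripts, the pattern used in the post's lures."""
    return any(len(scripts_in_label(lbl)) > 1 for lbl in domain.split("."))


def skeleton(domain: str) -> str:
    """Map look-alike letters onto their Latin counterparts so that visually
    identical spellings collapse to the same string."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in domain)


def is_homograph_of(candidate: str, target: str) -> bool:
    """Candidate looks like target but is a different name on the wire."""
    return to_ace(candidate) != to_ace(target) and skeleton(candidate) == target


if __name__ == "__main__":
    for s in SPELLINGS:
        print(f"{s:16} -> {to_ace(s):24} mixed-script={is_mixed_script(s)} "
              f"homograph={is_homograph_of(s, 'breitbart.com')}")
```

Running it shows the first spelling unchanged and the other three turning into distinct xn-- names; `is_mixed_script` alone is enough to flag all three of the post's lures, while `is_homograph_of` tells you which legitimate domain they are imitating.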


How do I register an Internationalized Domain Name?

On the Verisign website, they list registrars that are permitted to register IDNs: https://www.verisign.com/en_US/domain-names/domain-registrar/index.xhtml

But I love AWS because it's cheap and easy. Route 53 makes DNS trivial and includes free WHOIS privacy protection, so I prefer to register through it. Just follow the normal instructions for registering a domain through Route 53 and enter the punycoded (xn--) form of the name, not the Unicode spelling.

More shenanigans: what else can be pulled?

For hyper-realism, consider using different fonts/typefaces in the lure to mask slight differences between the character sets. Keep in mind that you don't control the victim's fonts everywhere: current Chrome and Firefox display a label that mixes Latin and Cyrillic letters, as in the examples above, in its xn-- form in the address bar, so these spellings work best where the link text is rendered by something other than a browser URL bar (mail clients, chat, documents).

