When you visit a domain name containing a Unicode character that visually resembles an ASCII character, your browser will show the Punycode (xn--) form of the name in the address bar instead of the Unicode form, so that homograph attacks become visible.
For example: the Cyrillic а (codepoint U+0430) looks exactly like the Latin a (codepoint U+0061). When visiting brаm.us (with the Cyrillic а in place of the Latin a), your browser will display the URL as xn--brm-7cd.us
Turns out this is not always the case though:
Chrome’s (and Firefox’s) homograph protection mechanism unfortunately fails if every character is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by only using Cyrillic characters.
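To make the two cases concrete, here is an added example (my own illustrative code, not part of the original post or of any browser) that converts domains between their Unicode and Punycode forms and applies a browser-style display policy: show the xn-- form when a label mixes scripts (the brаm.us case), and also when a label is entirely Cyrillic but consists only of letters that look like Latin ones (the аррӏе.com case). The lookalike set and the sample domains are assumptions embedded inline; the set is a small approximation, not the table any real browser uses.

```python
import unicodedata

# Assumed subset of Cyrillic lowercase letters that render like Latin letters
# (a c e o p x y l j s i h d q w). Illustrative only, not a browser's real list.
CYRILLIC_LATIN_LOOKALIKES = set(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u04cf"
    "\u0458\u0455\u0456\u04bb\u0501\u051b\u051d"
)

# Constructed sample inputs: the two domains discussed in the post plus a
# harmless all-Cyrillic label that should stay readable.
SAMPLES = {
    "brаm.us": "br\u0430m.us",                       # Latin b, r, m + Cyrillic а
    "аррӏе.com": "\u0430\u0440\u0440\u04cf\u0435.com",  # all Cyrillic
    "привет.com": "\u043f\u0440\u0438\u0432\u0435\u0442.com",
}


def label_to_ascii(label):
    """One DNS label -> its A-label (RFC 3492 Punycode with the xn-- prefix)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def label_to_unicode(label):
    """Inverse of label_to_ascii: strip xn-- and decode the Punycode payload."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii(domain):
    return ".".join(label_to_ascii(part) for part in domain.split("."))


def to_unicode(domain):
    return ".".join(label_to_unicode(part) for part in domain.split("."))


def scripts_in(label):
    """Set of Unicode script names (first word of the character name) used by a label."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():   # digits and hyphens are script-neutral
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def should_show_punycode(label):
    """(True, reason) when a browser-style display policy would show the xn-- form."""
    if label.isascii():
        return False, "ascii"
    scripts = scripts_in(label)
    if len(scripts) > 1:
        return True, "mixed scripts: " + ", ".join(sorted(scripts))
    if scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in label):
        return True, "whole-script confusable with Latin"
    return False, "single script"


def display_form(domain):
    """What the address bar would show for a domain given in either form."""
    shown = []
    for part in domain.split("."):
        u = label_to_unicode(part)
        shown.append(label_to_ascii(u) if should_show_punycode(u)[0] else u)
    return ".".join(shown)


if __name__ == "__main__":
    for name, domain in SAMPLES.items():
        first = domain.split(".")[0]
        print(f"{name:12} -> {to_ascii(domain):22} shown as {display_form(domain):22}"
              f" ({should_show_punycode(first)[1]})")
```

Running it shows brаm.us rendered as xn--brm-7cd.us (mixed scripts), аррӏе.com rendered as xn--80ak6aa92e.com only because of the whole-script rule, and привет.com left readable because it contains Cyrillic letters with no Latin lookalike. The mixed-script rule alone, which is what the post's first paragraph describes, is exactly what the all-Cyrillic domain slips past.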
TIP: Whenever you’re in doubt about a link in a mail that claims to come from a “well known party”, I recommend manually typing the URL into the address bar instead of clicking it.
Phishing with Unicode Domains →
Sidenote: Worth digging up is this tweet from 2010 by my pal Manuel:
Non-latin alphabet urls go live and a new era of phishing begins. Spot the difference: http://WWW.HSBC.COM vs. http://WWW.НЅВС.COM
— Manuel Martensen (@manuelmartensen) May 6, 2010