Punycode, Homographs, and Other URL Spoofing Techniques You should be Aware of

The average person is becoming too smart for most hackers. They know a spoofed website when they see it. Long ago they’ve learned to check the URL before they begin blithely filling in a form with personal information. They have learned how to hover over a link to see where it really goes. Even though the link may say Facebook Login, it may go to a completely different place. That place can usually be seen in the lower left hand corner of the screen when the cursor hovers over the link. (Try this for the link above.)

But hackers are creative people. What if they could make a phishing link still look legitimate even when hovered over? So far, this has only been found in PowerPoint slides when simply hovering will lead to a malware infection. In fact, if hackers could learn how to spoof a URL while hovering over a link, they would have a powerful weapon. So far as I’ve been able to find, it may only be possible to block the URL from showing in a mouse hover, which can also be dangerous. In order to make a fake URL appear on hovering, the attacker would somehow need to manipulate the browser. This may be possible by using malware that gives access to browser settings, but, so far, hackers have not been able to do this. In other words, hovering is the most powerful anti-phishing tool available.

The best I’ve been able to achieve on hovering is a look-alike URL surrounded with links to the target site (this website) and real Facebook connections.  

Facebook Gives Free Bitcoins

Check out these free Facebook giveaways.

The URL shown in the top line (https://www.facebook.xn--com-9o0a/) is the punycode version of facebook.com. Punycode is an algorithm that converts Unicode domain names to ASCII. Think of ASCII as all the normal letters and numbers available in the English alphabet. Domain names are only understood if they are written in ASCII. But what if I speak only Russian and want to register a Russian name? That’s where punycode comes in. It will ‘translate’ the Russian characters (Unicode) into ASCII characters. So this site, сапфиры.com would be translated into ASCII as (xn--80aqufbu5c.com) which can now be navigated to on a normal browser. (The link goes to an expired site.). Many sites, such as Facebook, protect themselves by registering a punycode site like the one shown above so that no one else can use it. Punycode converters can be used to find the punycode equivalent of any website. Here’s one.

So, keep in mind that any time a foreign language character is used in a domain name, it will be transformed into regular ASCII code. And that’s where hackers come in. They may show you a link that looks like it goes to a valid site when, in fact, it goes to a phishing page. It looks valid because one of the characters in the domain name may be indistinguishable from the same character in English. For example, look at this domain.

On the surface, this might look like a legitimate link to Facebook. But look what happens when I change the font from Arial to Georgia

You should see that the ‘a’ and ‘b’ look a little strange. And, indeed, if you plug this address into the punycode converter, you will see that it is different from the one for the real Facebook.

Here are a few other fake Facebook sites.

You would think that browsers would automatically block these fake sites by detecting the punycode differences from actual sites. But it’s not as easy as that. They could, in fact, mistakenly block a real site from operating. That is to say, some of these fake sites still get through. There is, for example, a site called, trezor.io, where you can buy Bitcoins. However, there is another site called, tręzor.io, which looks identical to the original site but will, apparently, scam you out of money. If you try to visit the fake site, your Edge or Firefox browser should warn you of the danger. The Opera browser will take you directly to the fake site. So having a good browser is important. The site was still up as of this writing so navigate there at your own risk.

But that’s not the only problem lying in wait for the unwary. What if you could use ASCII characters themselves to substitute for look-alike ASCII characters?  Certain fonts will make, for example, an “I” look like a “1”. (The first is the letter, I, and the second is the number 1.) Such sites would pass the punycode test since they contain no foreign characters. One researcher noticed this and challenged Twitter users as follows.

You may think the two sites are the same, but they are not. The first now leads to a blank page and the second to the actual Lloyds Bank site. Just imagine if you made the first site a replica of the Lloyds Bank login page. Hovering over the links won’t help much because Twitter links look more or less the same. Here is what appears in the lower left corner of the screen if you use the hover ploy.



Twitter will show a mouseover text showing the site destination but this doesn’t seem to help much.

Mouseover on link #1.

Mouseover on link #2.

Luckily, Moore is not a scammer. He did get a green padlock for his fake page which could have made the site look more legitimate. In fact, the only way to really differentiate the sites is to check the URL on the site’s page. The fake URL looks like this iioydsbank.co.uk while the real URL looks like this lloydsbank.co.uk.

Keep in mind that scammers don’t need to fool everyone. They just need to catch the occasional careless user. However, using spoofed URLs raises the odds in their favor. Maybe, one day, the worst will happen and scammers will figure out a way to adjust browser settings to spoof the hover over technique, but, at least for the moment, a few simple precautions should keep you safe online.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s