Punycode Cyberattack Highlights Need for Aggressive Fight Against Malware
Last month’s Punycode phishing attack demonstrates the ongoing craftiness of cybercriminals and reinforces the need for tenacious countermeasures to detect and defeat advanced malware.
In the last few weeks, we’ve observed a new and very clever cybersecurity attack. A new variation of an internationalized domain name (IDN) attack has surfaced, that is capable of deceiving even hardened security experts.
The attack leverages a phishing scheme that tricks people into clicking on URLs that appear to belong to an authentic site, but in reality, take the user to a phony and malicious one. The technique uses characters from other languages, that when rendered by most browsers, have the same shape as some English characters.
The attack is possible because the domain registration system allows individuals to create and register domains using foreign characters. For example, some domains include, or consist entirely of Chinese, Acrylic, or other non-Latin characters. When English-based browsers encounter these non-Latin domains, they use an encoder called Punycode to render and display each character. In some cases, the resulting characters are indistinguishable from English characters.
Cybercriminals leverage this feature of Punycode, using foreign characters to create unique domains that when rendered, look like well-known English URLs. Xudong Zheng, who initially discovered the attack, presented an example where a domain name using Cyrillic characters was displayed by the browser as “www.apple.com”.
In this attack, the domains look authentic. There is nothing in the link itself, or in the address displayed by a browser that would suggest the site is malicious. Not even to a savvy security expert. If the link is clicked or the site visited, the victim’s device is infected with malware.
This sophisticated attack is a poignant example of how perimeter defenses are frequently defeated and malware installed. All organizations are at risk unless they have effective and up-to-date tools that detect and protect themselves from advanced assaults.
Fortunately, browser updates are starting to appear that will detect and defeat this specific attack. Some browsers already have a fix available.
Although this particular attack may not directly impact a large number of individuals or organizations, it does serve as two important reminders. First, that there’s a lot of very intelligent people who are quite capable of creating new phishing and malware attacks that will successfully penetrate our systems, and that will never change. Second, organizations must aggressively and continuously upgrade their defenses to thwart the advanced attacks that will surely come. That won’t change either.