
IDNs in Phishing

Created: 12 Dec 2008 17:47:58 GMT • Updated: 23 Jan 2014 18:38:37 GMT
Mathew Maniyara

What is an IDN? IDN stands for “internationalized domain name.” These are domain names that contain one or more characters that do not belong to a Latin-based western language (or characters that are not available in the ASCII character set).

The Domain Name System or DNS (a naming system that links domain names to IP addresses) has the technical support for these IDNs, but many applications such as Web browsers, email services, etc. are not yet able to support them. Such compatibility issues arising from IDNs necessitated a conversion from international characters to suitable ASCII characters. The conversion is achieved by algorithms that convert these characters into a code called Punycode. A Punycode string contains ASCII characters prefixed with the string “xn--”.

The following is an example for a Chinese domain converted to its Punycode:

Domain name -  例如.com


Punycode -

The Punycode can be converted back to its original form. Many online conversion tools are available to do the conversion to Punycode and back. So, the next time you see the four-character string “xn--” in the domain of a website, you may be looking at an IDN in its Punycode form.

Unfortunately, there is a danger involving IDNs: the similarity of certain non-ASCII characters to western, Latin-based letters is being taken advantage of in phishing attacks. Typosquatters take advantage of such similarities. For example, the character “ä,” which is German, resembles the letter “a” in English. A typosquatter can create a phishing site with the string “bänk,” which resembles “bank.” Internet users can then be tricked into entering their confidential information into the phishing site for the purpose of identity theft.

In the month of October, Symantec observed 10 phishing websites that contained IDNs that were in German, Korean, and Vietnamese. One of these phishing Web sites was leveraging international characters resembling ASCII characters to spoof a western brand’s domain name.

Stay on your toes when visiting domains with names based on Punycode and/or non-ASCII characters. Take a look around and use some of the online conversion tools to check on any unfamiliar domain names. Please don't click on any unfamiliar links, and be wary of any links received in emails that have come from an untrusted or unexpected source.
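The check described above can also be done offline. The following is an added example, not Symantec's code: it decodes any “xn--” label in a hostname back to Unicode and flags labels that fold to a watched brand name once diacritics are stripped, as in the “bänk” case. The `WATCHED_LABELS` list and the `.example` hostnames are constructed assumptions, and the folding covers accented Latin letters only, not look-alikes from other scripts.

```python
import unicodedata

ACE_PREFIX = "xn--"
# Assumption: labels the defender wants to protect (constructed list).
WATCHED_LABELS = {"bank"}

def decode_label(label):
    """Return the Unicode form of one DNS label; non-IDN labels pass through."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except ValueError:  # malformed Punycode (UnicodeError is a ValueError)
        return label

def ascii_skeleton(label):
    """Decompose accented letters and drop the combining marks: 'bänk' -> 'bank'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def inspect_host(host):
    """List every non-ASCII label in host, noting any watched label it imitates."""
    findings = []
    for raw in host.rstrip(".").split("."):
        shown = decode_label(raw)
        if shown.isascii():
            continue  # plain ASCII label, nothing to report
        skeleton = ascii_skeleton(shown)
        findings.append({
            "label": raw,
            "unicode": shown,
            "lookalike_of": skeleton if skeleton in WATCHED_LABELS else None,
        })
    return findings

# Constructed sample hostnames, in both Punycode and Unicode form.
SAMPLE_HOSTS = ["www.bank.example", "www.xn--bnk-qla.example", "例如.com"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, inspect_host(host))
```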