
Beware of Lookalike Domains in Punycode Phishing Attacks

Instagram, Microsoft, and Apple targeted

Jonathan Zhang, CEO at Whois XML API

Walnut, Calif. – Jun. 10, 2020

Internationalized domain names (IDNs) have been around for about a decade now. They were introduced so that characters from the Universal Character Set, or Unicode, could appear in domain names. The intention was to make it easier for people to remember domain names in local contexts.

For example, a daycare center in Grünberg, Germany, could name its website brightmindkindertagesstätte[.]de. The Domain Name System, however, supports only domain names written in American Standard Code for Information Interchange (ASCII) characters, that is, English letters, numbers, and a few other types of characters. Hence, a standard mapping from Unicode to this set, called “Punycode,” has been defined.

Our example, brightmindkindertagesstätte[.]de, translates to xn--brightmindkindertagessttte-2hc[.]de. Local users can easily remember and type “brightmindkindertagesstätte” in their browser, while the Punycode version is used technically in the background.

Several domain registrars support Punycode registration, and the Internet Corporation for Assigned Names and Numbers (ICANN) even approved the use of IDN top-level domains (TLDs). What was not intended, however, is that IDNs could be used convincingly in typosquatting attacks. Some national characters are visually very close or identical to some English ones. Replacing, for example, an English small “o” with a Greek “omicron” in a domain name is perfect for typosquatting. When viewed, say, in a link found in a phishing email or in the address line of a web browser, a victim would hardly detect the trick.

5 Punycode Lookalike Domains Detected

In our Newly-Registered & Just-Expired Domains database, we recently detected 43 domains that use non-Latin characters but look a lot like their Latin counterparts.

1. Instagram Lookalike Domains

At first glance, the domains below are the same as instagram[.]com, with only one using the .xyz generic TLD (gTLD). But if you look closely, you will see non-Latin characters in some of the domains in the mix. We included their respective IDN versions obtained using Punycode for comparison.

  • iņstagram[.]com (xn--istagram-7pb[.]com)
  • ḭnstagram[.]com (xn--nstagram-s29c[.]com)
  • instaġram[.]com (xn--instaram-tgb[.]com)
  • instagraṃ[.]com (xn--instagra-o89c[.]com)
  • instaɡram[.]com (xn--instaram-3sd[.]com)
  • instagŗam[.]com (xn--instagam-qub[.]com)
  • ínstagram[.]com (xn--nstagram-b2a[.]com)
  • instagrəm[.]com (xn--instagrm-3qd[.]com)
  • instagràm[.]com (xn--instagrm-5ya[.]com)
  • īnstagram[.]com (xn--nstagram-8ib[.]com)
  • instagraʍ[.]com (xn--instagra-i4d[.]com)
  • instagrąm[.]com (xn--instagrm-o8a[.]com)
  • ịnstagram[.]com (xn--nstagram-f80d[.]com)
  • ınstagram[.]xyz (xn--nstagram-skb[.]xyz)
  • instągram[.]com (xn--instgram-l8a[.]com)

2. Microsoft Lookalike Domains

We saw the same trend for Microsoft. Below are the Unicode domains and their corresponding IDN versions.

  • microsôft[.]com (xn--microsft-93a[.]com)
  • ṃicrosoft[.]com (xn--icrosoft-g89c[.]com)
  • microsofṭ[.]com (xn--microsof-hk0d[.]com)
  • ʍicrosoft[.]com (xn--icrosoft-93d[.]com)
  • micrọsoft[.]com (xn--micrsoft-180d[.]com)
  • microsofţ[.]com (xn--microsof-vxb[.]com)
  • mıcrosoft[.]net (xn--mcrosoft-tkb[.]net)
  • microsofț[.]com (xn--microsof-69c[.]com)
  • microsöft[.]com (xn--microsft-s4a[.]com)
  • mĩcrosoft[.]com (xn--mcrosoft-rib[.]com)
  • microsȯft[.]com (xn--microsft-9fd[.]com)
  • microsofŧ[.]com (xn--microsof-wyb[.]com)

3. Office365 Lookalike Domains

Three Punycode domains that mimic that of Office365 were also seen.

  • ọffice365[.]com (xn--ffice365-x80d[.]com)
  • offĭce365[.]com (xn--offce365-ujb[.]com)
  • offìce365[.]com (xn--offce365-41a[.]com)

4. Apple Lookalike Domains

We detected a domain that looks like that of Apple, with a subtle use of the Slavic letter “ł” instead of the lowercase “L.”

  • appłeid[.]com (xn--appeid-5db[.]com)

5. Lloyds Bank Lookalike Domains

In Lloyds Bank’s case, the domain makes use of the lowercase “a” with a macron. So instead of the official and legitimate domain lloydsbank[.]com, customers can end up on lloydsbānk[.]com. When translated to IDN, this becomes xn--lloydsbnk-ccb[.]com.

Domain Intelligence Can Help Prevent Punycode Phishing

Just like with other types of typosquatting domains, people are likely to fall for the ruse because some IDNs are hard to distinguish from their legitimate counterparts. That’s unless, of course, Instagram, Microsoft, and Lloyds Bank registered these lookalike domains as part of their typosquatting protection strategy.

Still, domain intelligence can help distinguish what is legitimate and what is not. For instance, we ran microsofṭ[.]com on WHOIS Lookup. Notice that microsofṭ[.]com looks very similar to the official microsoft[.]com until you examine the letter “t” carefully (the former has a dot below the letter). We found that the registrant is someone from the Bahamas. The domain in question was also registered less than a year ago, which is suspicious for a company like Microsoft that has been around for decades.

Meanwhile, the WHOIS record of the official Microsoft website reveals that Microsoft Corporation has owned it for close to 30 years now. The record also indicates Microsoft’s office address in Redmond, Washington.

Reverse DNS and WHOIS Can Help Study Punycode Lookalike Domains and Their Footprints

One way to see possible Punycode domain associations is to conduct reverse DNS and WHOIS queries. Starting with a DNS lookup, we retrieved one of the nameservers of microsofṭ[.]com (ns-canada[.]topdns[.]com). It also uses the mail server smtp03[.]topdns[.]com.

Using Reverse NS API and Reverse MX API, we can establish that the person or organization behind the Punycode domain uses shared services: thousands of associated domain names were found, and they bore no particular resemblance to one another. That calls for attention, as an organization the size of Microsoft certainly does not need to share its infrastructure with unrelated domain owners.

We then used the advanced search features of Reverse WHOIS to reveal all domains where the following details of microsofṭ[.]com appear:

  • Nameserver: ns-canada[.]topdns[.]com
  • WHOIS server: whois[.]internet[.]bs
  • Domain name: Contains “xn--” since Punycode domains are prepended with these four characters

The tool returned 190 domains that currently satisfy the criteria, including:

  • outlooĸ[.]com (xn--outloo-8bb[.]com)
  • myetheŕwɑllet[.]com (xn--myethewllet-hdc193a[.]com)
  • assurance-dépendance[.]net (xn--assurance-dpendance-lzb[.]net)
  • assurance-dépendance[.]com (xn--assurance-dpendance-lzb[.]com)
  • coronavïrus[.]com (xn--coronavrus-d9a[.]com)

Some of these domains, like outlooĸ[.]com and coronavïrus[.]com, look suspicious and should probably be further investigated by cybersecurity professionals, as they could easily figure in Punycode phishing attacks.

Uninitiated users could easily fall victim to Punycode lookalike domains, especially since not all browsers can detect typosquatting domains of this kind.

As such, one recommendation is for browsers to adopt more stringent threat detection protocols. Another recommendation is for domain registrars to carefully screen domain registrations, especially those that use non-Latin characters.

While companies that are being imitated do not have control over the first two recommendations, they do have free rein over this third recommendation. They can monitor Punycode NRDs using the Newly Registered & Just Expired Domains Database and Brand Alert products and conduct deeper investigations with reverse DNS and WHOIS search tools to uncover connected footprints.
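The lookalike check behind the homoglyph substitution described earlier and the monitoring recommended above, as an added example that is not code from this article or from Whois XML API: it decodes each “xn--” label, folds accented and confusable letters to ASCII, and compares the result with a brand watchlist. The watchlist and the small confusables map are assumptions constructed for this example; the sample domains come from the lists above, written without the [.] defang.

```python
import unicodedata

# Assumption: hypothetical brand watchlist for this example.
WATCHLIST = {"instagram", "microsoft", "office365", "appleid", "lloydsbank"}

# Constructed, partial map for look-alike letters with no Unicode
# decomposition; the full data set is UTS #39 confusables.txt.
CONFUSABLES = {
    "\u0142": "l",  # l with stroke
    "\u0131": "i",  # dotless i
    "\u0261": "g",  # script g
    "\u0138": "k",  # kra
    "\u0167": "t",  # t with stroke
    "\u0259": "a",  # schwa
    "\u028d": "m",  # turned w
    "\u03bf": "o",  # Greek omicron
}

def to_unicode(label):
    """Decode one DNS label; an 'xn--' prefix marks a Punycode label."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label
    return label

def skeleton(label):
    """Fold a label to its ASCII look-alike form."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue  # drop accents: dot below, macron, cedilla, ...
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def triage(domain):
    """Return (unicode_domain, imitated_brand), or None if no match."""
    labels = [to_unicode(l) for l in domain.split(".")]
    for label in labels[:-1]:  # skip the TLD
        folded = skeleton(label)
        if not label.isascii() and folded in WATCHLIST:
            return ".".join(labels), folded
    return None

if __name__ == "__main__":
    for d in ["xn--lloydsbnk-ccb.com", "xn--microsof-hk0d.com", "microsoft.com"]:
        print(d, "->", triage(d))
```

Stripping combining marks after NFKD handles the accented variants, while letters such as “ł” or “ĸ” need the explicit map because they have no decomposition.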

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP), a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, an intelligence vendor trusted by over 50,000 clients.

Sponsored by Whois XML API