Punycodes
More like sneaky than "stealthy"
Last updated
More like sneaky than "stealthy"
Last updated
TL;DR: Using alternate yet similar-looking characters in a URL, attackers can potentially exploit not-so-well-known features of URLs to trick users. Well... if they can do it, so can we! Using similar concepts, it's easy to trick people into downloading malware and/or running arbitrary code.
Wikipedia:
Punycode is a representation of Unicode with the limited ASCII character subset used for Internet hostnames. Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphens, which is called the letter–digit–hyphen (LDH) subset.
"Cool! So... what exactly do we use this stuff for?" I hear you ask. Well, it's not exactly malware malware material, instead, let me explain this using an example. I'd like you to take a moment and observe the difference between the following:
URL_1: https://adidas.com/
URL_2: https://αdidas.com/Easy to spot, right? (the first a is replaced with a greek alpha: α) Now try this:
URL_1: https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
URL_2: https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1.27.1.zipIf you can't spot it, or if the characters look a bit messed up on your device, check this malwarebytes article. This is a relatively new thing so if you want a very in depth analysis, watch this: