Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Punycode Makes SMiShing Attacks More Deceiving

    Phishing attacks carried out via text messages that use the “Punycode” technique to make nefarious URLs look legitimate are becoming more popular, cloud security firm Zscaler says.

    Referred to as SMiShing, SMS phishing is a technique where attackers use text messages in an attempt to trick users into clicking a link that usually leads to malware or asks for sensitive information from the victims.

    Recently, cybercriminals engaged in SMiShing campaigns started using Punycode (a technique also known as homograph attack) to deceive users into believing they are accessing a legitimate link. Specifically, the attackers replace one or more characters in the URL with similar-looking characters that are represented differently in Punycode.

    Attacks leveraging Punycode are not new and have been targeting Office 365 business users and Chrome and Firefox users, but only recently they started occurring more frequently in text message attacks.

    SMiShing has been on the rise since the beginning of the year, and the adoption of new techniques clearly make it an important threat.

    The use of Punycode as part of SMiShing campaigns increases the chances for successful compromise, as mobile phone users are unlikely to notice the modified URL.

    In one of the observed incidents, the unsuspecting user received a WhatsApp message pretending to be a link to a Jet Airways offer of free air tickets. Although looking like the actual jetairways.com website, the link was using a homograph attack, thus getting the user to xn-jetarways-ypb.com instead.

    If the link is accessed on an iPhone, Safari attempts to load the phishing website without displaying the correct link. Chrome on Android, however, displays the correct link (shows the URL in Punycode format) instead.

    “The Web browsers decide whether to display the IDN or Punycode format based on conditions like the presence of certain characters which can spoof the separators like "." or "/", determining whether all characters come from same language, if characters belong to allowable combinations or by checking if the domain belongs to whitelisted TLDs,” Zscaler explains.

    The domain used as part of the observed attack was newly registered, within the last two weeks, the researchers say. They also note that, after being served the phishing page, victims are redirected to another domain, newuewfarben[.]com, which can be used to serve malware.

    “SMiShing has been on a rise in year 2018 and the addition of homograph technique will continue to make it more effective against unsuspecting mobile users. Web browsers have implemented protections against homograph attacks, but because of the legitimate use of Punycode characters, it becomes very difficult for the developers to implement a foolproof fix. Attackers leverage this to work around the rules and create homographs which are displayed as IDNs despite being malicious in nature,” Zscaler concludes.

    Cross-posted with grateful acknowledgement to SecurityWeek.

    Wouldn't it be great if your users had a way to "roll back time" when they forgot to think before they click on a bad link? Now they can! 

    We are excited to announce Second Chance, a brand-new security tool for the Outlook email client that you can download and deploy at no cost.

    secondchance.jpg

    Second Chance enables your user to make a smarter security decision by giving them a way to back out of a click that could be in a phishing email. It takes an intelligent look at the clicked URL in email, and asks your user if they are sure they want to do this, in case they clicked on a potentially unsafe or an unknown website. It even prompts your user when they click on a Punycode link!

    You might ask: "What happens if my user continues or aborts their action?" If they choose to abort their action, the prompt will be closed, and the URL will not be opened. If they choose to continue, their browser will navigate to the URL they clicked on.

    Here's how it works:

    • Checks links originated in email messages, including attached Office Docs and PDFs
    • Ability to customize the message your user gets after clicking a URL
    • You can set "No Prompt" domains
    • Get reporting data on what URLs users chose to abort or continue

    There are more technical details on our support site.

    Second Chance could one day be the difference between a ransomware infection and a free weekend. Give it a try!

    Get Your Second Chance

    PS: Don't like to click on redirected buttons?

    Cut & Paste this link in your browser: https://www.knowbe4.com/second-chance

     

    Return To KnowBe4 Security Blog

    Topics: Phishing

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews