Tool to Detect Active Phishing Attacks Using Unicode Look-Alike Domains

Published: 2017-04-16
Last Updated: 2017-04-17 17:00:12 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

[This is a guest diary contributed by Remco Verhoef. If you would like to contribute a guest post, please let us know via our contact page]

Currently there is a campaign going on where phishing attacks will use domains that look exactly like safe domains by using Punycode domains. (

This is called a homograph attack. The Punycode domains will start with xn-- prefix and browsers will show the decoded Unicode domain name in the address bar where the Unicode characters  (homographs) used appears like the original characters.

I wrote a program to look for similar characters within a font, comparing exact matches of glyphs. Outputting the table below. It shows the (ASCII) character with the homograph(s). Each font could have different homographs. For Phishing campaigns not only homograph domains could be used, but also the glyphs with small changes. Besides the program to built the table, I’ve created a program that will verify domains to see if they will have a (visually) exact match with a safe domain. Both programs are currently not open source, but will upon request.


When using for example URL (courtesy of Xudong Zheng), you’ll see (in Firefox and Chrome) in your address bar

It is possible to request SSL certificates (using e.g., Let’s Encrypt) with Punycode domain names, making this attack even more dangerous. The address bar will appear secure and contain the safe domain name. Impossible to recognize the difference.

We’ve found the following safe domain alternatives. These are probably tip of the iceberg. These domains are exact counterparts of the safe domains. Some companies register a lot of the homograph domains themselves. Google for example, but it seems they forgot a few.

Punycode domain

Unicode domain

Safe domain

Registrar safe domain

Registrar homograph domain

CI Investments Inc.

Privacy Protection


Proxy Protection LLC



Instagram, LLC


Gatehouse Media, LLC

Shield Digital Security Group

Whatsapp Inc.

Rafael Fernández López (private)


Anna Potepa (private)


Contact Privacy Inc. Customer 1241053230

This is the domain of Xudong Zheng.

CI Investments Inc.

Privacy Protection

Firefox, Chrome, and Opera browsers are vulnerable to the homograph attack, whereas the latest Chrome will contain a fix for this issue. Within Firefox the support for Punycode can be disabled by navigating to about:config and disabling “network.IDN_show_punycode”.



Keywords: idn phishing unicode
9 comment(s)
Diary Archives