Board: Scam Accusations
What is Punycode and how to protect yourself from Homograph Phishing attacks?
by wwzsocki on 13/09/2019, 00:23:57 UTC
UPDATE 25.11.2019

Punycoder - Punycode converter or an IDN converter, a tool for Punycode to Text/Unicode and vice-versa conversion.


Punycode is a system for converting words that can't be written in ASCII (American Standard Code for Information Interchange), such as Ancient Greek. The phrase ΓNΩΘIΣEAYTON ("know yourself"), once converted into ASCII characters, looks like this: xn--mxadglfwep7amk6b. This conversion system allows International Domain Names (IDNs), which include non-ASCII characters, to be displayed using only the Roman letters A to Z, the digits 0 to 9 and the hyphen (-) character. Punycode is useful because the world-wide Domain Name System (DNS), which turns readable server names into computer-friendly network numbers, can only recognize the limited subset of ASCII characters in domain names. Some of the letters in the Roman alphabet are the same shape as letters in the Greek, Cyrillic and other alphabets. Examples are the letters I, E, A, Y, T, O, and N.



A malicious site can imitate a legitimate URL and display it, which leaves us with very few ways to tell if we are being tricked by an imposter. Attackers who trick people into loading the fake page could more easily obtain personal information because the site appears to be trustworthy. Many years ago, the Internet Corporation for Assigned Names and Numbers (ICANN) allowed non-ASCII (Unicode) characters to be included in web domains. It didn't take long for them to realize that this decision was going to cause problems. Certain characters from different languages can be confused for Unicode since they look the same when displayed in a browser. This could be used as a tool by cybercriminals to spoof URLs and target unsuspecting victims.



To counteract the issue, ICANN developed Punycode as a way of specifying actual domain registrations by representing Unicode within the limited character subset of ASCII used for internet hostnames. The idea was that browsers would first read the Punycode URL and then transform it into displayable Unicode characters inside the browser. However, just like with Unicode, Punycode could also hide phishing attempts using characters found in different languages. To combat this, Web browser vendors introduced add-on filters to render URLs as Punycode, instead of Unicode, if they contained characters from different languages.

Punycode Problems

By default, many web browsers use Punycode encoding to represent Unicode characters in the URL to defend against Homograph phishing attacks (where the website address looks legitimate, but is not, because a character or characters have been replaced deceptively with Unicode characters). For example, the Chinese domain "短.co" is represented in Punycode as "xn--s7y.co", and the German city of "München" becomes "xn--mnchen-3ya" in Punycode because the letter ü is not available in English. There are quite a few Unicode characters in alphabets such as Greek, Cyrillic, and Armenian which look almost identical to Latin letters at a glance but are treated very differently by computers when resolving the different web addresses.

Homograph attacks are extremely difficult to detect based on their deployment method. Some of these steps will also protect you from other types of online attacks as well.

Here is the best example of a Punycode Phishing (Homograph) attack:

The most tricky phishing website I've heard of was this one. Looks like Binance.com but there is no "n". This is a strange n with a dot at the bottom.


source
How to deal with such a phishing address? Those dots are almost unnoticeable.

Here is another great example of a Punycode Homograph Phishing attack. This time the Poloniex exchange is targeted. Just look at how similar it looks compared to the original page.



The only difference between the original page and this malicious one is that the hacker misspelled the phrase "Sign in" as "Sing in" a couple of times.

What is different in this attack is that the SSL certificate is shown as valid:



Not all browsers are vulnerable

Of all the browsers Bleeping Computer tested, three rendered the page using Unicode characters, as appӏe.com. These are Chrome, Firefox, and Opera (including the new Opera Neon variant).



Other browsers, such as Edge, Internet Explorer, Safari, Vivaldi, and Brave, did not render the page using Unicode characters and displayed the Punycode URL. The reasons are unknown, but we suspect there's a filter that checks if the Punycode URL is in the same character set as the user's default OS settings.



Google has already fixed this issue in Chrome Canary 59, and a permanent fix will land in Chrome Stable 58.

Preventing Homograph Phishing Attacks in Firefox

Firefox users can complete the following steps to manually apply temporary protection against Punycode Phishing (Homograph) attacks:

  • Open a new tab in Firefox
  • Type about:config in address bar and press Enter.
  • Click the I accept the risk! button.
  • Type Punycode in the search bar.
  • A preference named IDN_show_punycode will be displayed. Right-click it and select Toggle to change the Value field from False to True.
  • Close the about:config tab.

  • Set Firefox to display Punycode names. See the steps above for changing the about:config settings in Firefox.
  • Click on the padlock to display the HTTPS certificate. This will show the domain name that the certificate was issued for in ASCII-only format. If the name starts with xn it is a Punycode domain, no matter what it looks like in the address bar.
  • Check the legitimacy of URLs by copying them out of the web browser and pasting them into a text editor. A spoofed URL only appears legitimate, but it actually uses an address beginning with www.xn-- which will be revealed for what it actually is once taken outside the browser's address bar.
  • Use a Password Manager. The software will automatically enter in your login credentials for the actual domains they are linked to,
  • Always manually type website URLs in the address bar for important sites like Gmail or banking websites, instead of clicking any link from a website or email.

Screenshot of a suspected Facebook phishing website, another Punycode Homograph Phishing attack.



This time it is much easier to see that something is wrong with these Facebook pages, even for an untrained eye, because both of the SSL certificates are bad and displayed in red.



I hope that all these examples will help to identify Punycode phishing attacks. One has to check everything three times to be safe online today; there are no shortcuts. This is very scary, and I have already been on such malicious websites, and only thanks to my password managers, the other tools I use and, of course, experience was I able to identify them soon enough. But to be honest, nobody is safe, and I see hackers getting better and more greedy every day. Just look at the list I gathered of already known Punycode websites; for sure this is only a small percentage of what already exists. We have to imagine that every day hundreds of new phishing websites are created, and we have to do all we can to protect ourselves.

...Check the 7 Ways to avoid a Punycode attack

  • Be cautious if the site presses you to do something quickly. This is a classic strategy by hackers to rush their potential victims so that they are less likely to notice anything suspicious. Often they will offer a ‘limited time only’ deal, and make it difficult to exit the page with ‘are you sure you want to exit’ pop-ups: these are all tactics to make you stay on their site longer and give them your details.
  • If you are being offered a deal, go to the original company site and check if it’s available there as well. If not, it’s most likely a scam doing its best to mimic the established brand and trick visitors into handing over their details.
  • If some of the letters in the address bar look weird, or the website design looks different, rewrite it or visit the original company URL in a new tab to compare. The letters in the address bar looking strange are a key indicator that Punycode is being used to trick you into thinking you are visiting a well-established brand site when in fact you are being taken to a malicious site.
  • Use a password manager; this reduces the risk of pasting passwords into dodgy sites.
  • Force your browser to display Punycode names, this option is available in Firefox.
  • Click on the padlock to view and inspect the HTTPS certificate.
  • Use a mobile security solution and artificial intelligence to monitor all data traffic and to detect and block phishing links.

I found that there are a couple of addons for Google Chrome and other browsers that are vulnerable to the Punycode and Homograph Phishing attacks.

PhishProtect Beta: Free open-source tool to protect against homograph attacks and zero-day phishing powered by AI and Computer Vision. The tool redirects the browser to a warning page when IDN/Unicode URL or zero-day phishing website is detected and the full Punycode (ASCII) representation is displayed.
https://chrome.google.com/webstore/detail/phishprotect-beta/mikecfgnmakjomepfcghpbhfamjbjhid

Punycode alert: extension that alerts you when a Unicode URL has been opened preventing phishing attacks.
URLs can be registered in Unicode and some scams can be made with URLs looking like official websites. This extension alerts you when the URL is of this kind.
https://chrome.google.com/webstore/detail/punycode-alert/odbbcdajedbapmgpgfacfigdpbdahenh

These two are not so well known but have a couple of thousand users, and it is hard to tell anything more about them or to find more info or reviews online.

The last addon I found is Punycode Domain Detection, and it is the best known of these three. I found a couple of articles about it. Phish.ai developed and released a Google Chrome extension that can detect when users are accessing domains spelled using non-standard Unicode characters and warn the users about the potential of a homograph attack.



Here is the link: https://chrome.google.com/webstore/detail/punycode-domain-detection/fkenopinnpinfcjneoanjoimhkmdcjne

If you wish to read more here is the article I used as a source for information: https://www.bleepingcomputer.com/news/security/chrome-extension-detects-url-homograph-unicode-attacks/


Punycoder - Punycode converter or an IDN converter, a tool for Punycode to Text/Unicode and vice-versa conversion.

I have just found a great service called Gluee with multiple tools for webmasters and developers.


https://www.gluee.com/tools/

As you can see the first one called Punycoder is a tool that converts text with special characters (UNICODE) to the Punycode encoding (just ASCII) and vice versa.

This is a great tool to check all suspicious Phishing Punycode URLs. Just copy and paste the needed link.


https://www.punycoder.com/



DON'T USE ANY OF THESE LINKS - MALICIOUS WEBSITES!!!

List of already known Punycode Phishing URLs:

ns1.xn--aobe-l6b.com.                 -->        ns1.aɗobe.com.
ns2.xn--aobe-l6b.com.                 -->        ns2.aɗobe.com.
mail.xn--adoe-x34a.com.               -->    mail.adoḅe.com.
xn--adob-yva.com.                     -->    adobė.com.
xn--adoe-x34a.com.                    -->    adoḅe.com.
xn--aobe-qua.com.                     -->    aďobe.com.
xn--dobe-p5b.com.                     -->    ɑdobe.com.

APPLE

mail.xn--pple-zna.com.                -->        mail.?pple.com.
ns1.xn--appl-ou5a.com.                -->        ns1.applẹ.com.
ns2.xn--appl-ou5a.com.                -->        ns2.applẹ.com.
www.xn--le-m1aa24e.com.               -->        www.ɑƿƿle.com.
www.xn--pple-9na.cf.                  -->        www.âpple.cf.
www.xn--ppl-hla7b.cf.                 -->        www.âppl?.cf.
xn--ppl-hla7b.cf.                     -->        âppl?.cf.
www.xn--app-mra30o.com.               -->        www.appɩė.com.
xn--aple-csa.com.                     -->        ap?le.com.
xn--appl-8va.com.                     -->        applę.com.
xn--appl-yva.com.                     -->        applė.com.
www.xn--le-m1aa24e.com.               -->        www.ɑƿƿle.com.

AMAZON

www.xn--amazo-7l1b.com.               -->        www.amazoṇ.com.
www.xn--amazo-vl1b.com.               -->        www.amazoṅ.com.
www.xn--amzon-ucc.com.                -->        www.amȧzon.com.
www.xn--mazon-2qa.de.                 -->        www.âmazon.de.
www.xn--mazon-2qa.eu.                 -->        www.âmazon.eu.
www.xn--mazon-wqa.com.                -->        www.ámazon.com.
www.xn--mzn-plab3i.com.               -->        www.ämäzön.com.
xn--amaon-6y1b.com.                   -->        amaẓon.com.
xn--amaon-7hb.com.                    -->        amaźon.com.
xn--amazo-sta.com.                    -->        amazo?.com.
xn--amazo-vl1b.com.                   -->        amazoṅ.com.
xn--amzon-sqa.com.                    -->        am?zon.com.
xn--amzon-ucc.com.                    -->        amȧzon.com.

BANK OF AMERICA

www.xn--bakofamerica-qfc.com.         -->        www.baŋkofamerica.com.
mail.xn--bnkofmeric-q5aef.com.        -->    mail.bänkofämericä.com.
secure.xn--bakofamerica-qfc.com.      -->    secure.baŋkofamerica.com.
www.xn--ankofamerica-70c.com.         -->    www.ƅankofamerica.com.
www.xn--bakofamerica-qfc.com.         -->    www.baŋkofamerica.com.
www.xn--banofamerica-p7b.com.         -->    www.banĸofamerica.com.
www.xn--bnkofamerica-pob.com.         -->    www.bąnkofamerica.com.
www.xn--bnkofmeric-ggeef.com.         -->    www.bɑnkofɑmericɑ.com.
www.xn--bnkofmeric-q5aef.com.         -->    www.bänkofämericä.com.
xn--ankofamerica-70c.com.             -->    ƅankofamerica.com.
xn--bakofamerica-qfc.com.             -->    baŋkofamerica.com.
xn--banofamerica-p7b.com.             -->    banĸofamerica.com.
xn--bnkofamerica-pob.com.             -->    bąnkofamerica.com.
xn--bnkofmeric-ggeef.com.             -->    bɑnkofɑmericɑ.com.
xn--bnkofmeric-q5aef.com.             -->        bänkofämericä.com.

BITTREX

xn--bitrex-rkb.com.                   -->        bitţrex.com.
xn--bittex-zx7b.com.                  -->        bittṛex.com.
xn--bittrx-7ua.com.                   -->        bittr?x.com.
www.xn--bitrex-rkb.com.               -->        www.bitţrex.com.
www.xn--bittrx-7ua.com.               -->        www.bittr?x.com.
xn--ittrex-hrb.com.                   -->        ƅittrex.com.
www.xn--ittrex-hrb.com.               -->        www.ƅittrex.com.
xn--bttx-vpa4unq.com                  -->        bíttŕēx.com
CISCO

xn--csco-lza.com.                     -->        cısco.com.
xn--csco-qpa.com.                     -->        c?sco.com.
xn--csco-vpa.com.                     -->        císco.com.
xn--n1afa3fe.net.                     -->        cisco.net.

COINBASE

xn--cinbase-10a.com.                  -->         c?inbase.com.
xn--cinbase-90a.com.                  -->         cöinbase.com.
xn--cinbase-d0a.com.                  -->         c?inbase.com.
xn--cinbase-t0a.com.                  -->         côinbase.com.
xn--coibase-6za.com.                  -->         coi?base.com.
xn--coibase-r13c.com.                 -->         coiṇbase.com.
xn--coinbae-fqb.com.                  -->         coinbaşe.com.
xn--coinbas-8xa.com.                  -->         coinbas?.com.
xn--coinbas-pya.com.                  -->         coinbas?.com.
xn--coinbas-z8a.com.                  -->         coinbasė.com.
xn--coinbse-9wa.com.                  -->         coinbäse.com.
xn--coinbse-lwa.com.                  -->         coinbáse.com.
xn--conbase-0ya.com.                  -->         co?nbase.com.
xn--conbase-feb.com.                  -->         coīnbase.com.
xn--conbase-hza.com.                  -->         coînbase.com.
xn--conbase-pza.com.                  -->         co?nbase.com.
xn--conbase-sfb.com.                  -->         coınbase.com.
xn--oinbase-l5a.com.                  -->         ĉoinbase.com.
xn--oinbase-txa.com.                  -->         çoinbase.com.

CREDIT SUISSE

xn--crditsuisse-cbb.at.               -->         créditsuisse.at.
xn--crditsuisse-cbb.ch.               -->         créditsuisse.ch.
xn--crditsuisse-cbb.com.              -->         créditsuisse.com.
xn--crditsuisse-cbb.de.               -->         créditsuisse.de.
xn--crditsuisse-cbb.dk.               -->         créditsuisse.dk.
xn--crditsuisse-cbb.eu.               -->         créditsuisse.eu.
xn--crditsuisse-cbb.net.              -->         créditsuisse.net.
xn--crdit-suisse-ceb.at.              -->         crédit-suisse.at.
xn--crdit-suisse-ceb.ch.              -->         crédit-suisse.ch.
xn--crdit-suisse-ceb.com.             -->         crédit-suisse.com.
xn--crdit-suisse-ceb.de.              -->         crédit-suisse.de.
xn--crdit-suisse-ceb.dk.              -->         crédit-suisse.dk.
xn--crdit-suisse-ceb.net.             -->         crédit-suisse.net.
xn--credit-sisse-klb.com.             -->         credit-süisse.com.

EBAY

xn--bay-ema.com.                      -->         ?bay.com.
xn--eby-fla.com.                      -->         ebáy.com.
xn--eby-bla.com.                      -->         eb?y.com.
xn--eby-hsb.com.                      -->         ebɑy.com.
xn--eby-jla.com.                      -->         ebây.com.
xn--80aj7b8a.com.                     -->         eьay.com.

FACEBOOK

www.xn--acebook-js3c.com.             -->         www.ḟacebook.com.
www.xn--acebook-w1b.net.              -->         www.?acebook.net.
www.xn--aceook-dg7b2i.com.            -->         www.ḟaceḃook.com.
xn--acebook-js3c.com.                 -->         ḟacebook.com.
xn--aceook-dg7b2i.com.                -->         ḟaceḃook.com.
xn--faboo-5xa8ftm.eu.                 -->         faċėbooķ.eu.
xn--fabook-qva9w.eu.                  -->         faċëbook.eu.
xn--facboo-k4a3x.eu.                  -->         facėbooķ.eu.
xn--facbook-4xa.com.                  -->         fac?book.com.
xn--facbook-lya.fr.                   -->         fac?book.fr.
xn--facbook-v8a.eu.                   -->         facėbook.eu.
xn--facebok-50a.fr.                   -->         faceb?ok.fr.
xn--facebok-60a.tk.                   -->         facebo?k.tk.
xn--facebok-h0a.eu.                   -->         faceb?ok.eu.
xn--facebok-x0a.fr.                   -->         facebôok.fr.
xn--faceboo-jhb.com.                  -->         facebooĸ.com.
xn--faceboo-jhb.net.                  -->         facebooĸ.net.
xn--faceook-pm3c.com.                 -->         faceḅook.com.
xn--faebok-xua7j.fr.                  -->         façeboök.fr.
xn--faebook-35a.com.                  -->         faċebook.com.
xn--fcbook-w0a9l.eu.                  -->         fącėbook.eu.
xn--fcebook-8va.com.                  -->         f?cebook.com.
xn--fceboo-w0a91b.eu.                 -->         fącebooķ.eu.
www.xn--fabook-41a0h.eu.              -->         www.faċėbook.eu.
www.xn--fabook-xua89a.eu.             -->         www.façėbook.eu.
www.xn--facebok-60a.tk.               -->         www.facebo?k.tk.
www.xn--facebok-e1a.com.              -->         www.faceböok.com.
www.xn--facebok-h0a.fr.               -->         www.faceb?ok.fr.
www.xn--facebok-i0a.eu.               -->         www.facebo?k.eu.
www.xn--faceok-sg7bq0e.com.           -->         www.faceḅọok.com.
www.xn--faceook-1yb.com.              -->         www.faceƅook.com.
www.xn--faebook-35a.com.              -->         www.faċebook.com.
www.xn--faebook-64a.eu.               -->         www.faćebook.eu.
www.xn--fcebook-s3a.tk.               -->         www.fācebook.tk.
m.xn--80akppap2f62a.com.              -->         m.ғaceьooк.com.
xn--80akppap2f62a.com.                -->         ғaceьooк.com.

GOOGLE

www.xn--oole-9pb06e.com.              -->        www.ǥooɡle.com.
ww25.xn--gogle-uob.com.               -->        ww25.gơogle.com.
xn--ggle-lqaa.com.                    -->        g??gle.com.
xn--gogl-1nd42e.com.                  -->        google.com.
xn--gogle-7ta.com.                    -->        goôgle.com.
xn--gogle-jua.com.                    -->        göogle.com.
xn--gogle-kua.com.                    -->        goögle.com.
xn--gogle-uta.com.                    -->        g?ogle.com.
xn--gogle-vob.com.                    -->        goơgle.com.
xn--googl-n0a.com.                    -->        googlę.com.
xn--oogl-epa71n.com.                  -->        ǵooglé.com.
xn--oogle-v1a.xyz.                    -->        ġoogle.xyz.
xn--oole-9pb06e.com.                  -->        ǥooɡle.com.
www.xn--ggl-8la1ca.com.               -->        www.g??gl?.com.
www.xn--ggle-lqaa.com.                -->        www.g??gle.com.
www.xn--gogle-uta.com.                -->        www.g?ogle.com.
www.xn--googl-n0a.com.                -->        www.googlę.com.

KRAKEN

xn--80afhrc5a.com.                    -->    кгaкeп.com.
xn--krken-nra.com.                    -->    kr?ken.com.
xn--raken-gnb.com.                    -->    ƙraken.com.
xn--raken-n5a.com.                    -->    ķraken.com.

MICROSOFT

ww8.xn--mcrosoft-tkb.com.             -->        ww8.mıcrosoft.com.
www.xn--mcrosoft-c2a.es.              -->        www.mícrosoft.es.
windows.xn--mcrosoft-c2a.com.         -->    windows.mícrosoft.com.
ww8.xn--mcrosoft-tkb.com.             -->    ww8.mıcrosoft.com.
www.xn--icrosoft-g89c.com.            -->    www.ṃicrosoft.com.
www.xn--mcosoft-rfb211a.com.          -->    www.mıcɾosoft.com.
www.xn--mcrosof-7ya00i.com.           -->    www.mícrosofť.com.
www.xn--mcrosoft-21a.ch.              -->    www.m?crosoft.ch.
www.xn--mcrosoft-21a.com.             -->    www.m?crosoft.com.
www.xn--mcrosoft-21a.eu.              -->    www.m?crosoft.eu.
www.xn--mcrosoft-21a.fr.              -->    www.m?crosoft.fr.
www.xn--mcrosoft-9ib.com.             -->    www.mīcrosoft.com.
www.xn--mcrosoft-c2a.com.             -->    www.mícrosoft.com.
www.xn--mcrosoft-c2a.de.              -->    www.mícrosoft.de.
www.xn--mcrosoft-c2a.es.              -->    www.mícrosoft.es.
www.xn--mcrosoft-c2a.eu.              -->    www.mícrosoft.eu.
www.xn--mcrosoft-g80d.com.            -->    www.mịcrosoft.com.
www.xn--mcrosoft-l2a.com.             -->    www.mîcrosoft.com.
www.xn--mcrosoft-tkb.com.             -->    www.mıcrosoft.com.
www.xn--mcrosoft-tkb.de.              -->    www.mıcrosoft.de.
www.xn--mcrosoft-u2a.com.             -->    www.m?crosoft.com.
www.xn--microsft-03a.com.             -->    www.microsóft.com.
www.xn--microsft-9fd.com.             -->    www.microsȯft.com.
www.xn--microsot-ez9c.com.            -->    www.microsoḟt.com.
www.xn--microsot-x9b.com.             -->    www.microso?t.com.
www.xn--micrsoft-y3a.com.             -->    www.micrósoft.com.
xn--icrosoft-g89c.com.                -->    ṃicrosoft.com.
xn--mcosoft-rfb211a.com.              -->    mıcɾosoft.com.
xn--mcrosof-7ya00i.com.               -->    mícrosofť.com.
xn--mcrosoft-21a.ch.                  -->    m?crosoft.ch.
xn--mcrosoft-21a.com.                 -->    m?crosoft.com.
xn--mcrosoft-21a.eu.                  -->    m?crosoft.eu.
xn--mcrosoft-21a.fr.                  -->    m?crosoft.fr.
xn--mcrosoft-9ib.com.                 -->    mīcrosoft.com.
xn--mcrosoft-c2a.com.                 -->    mícrosoft.com.
xn--mcrosoft-c2a.de.                  -->    mícrosoft.de.
xn--mcrosoft-c2a.es.                  -->    mícrosoft.es.
xn--mcrosoft-g80d.com.                -->    mịcrosoft.com.
xn--mcrosoft-l2a.com.                 -->    mîcrosoft.com.
xn--mcrosoft-tkb.com.                 -->    mıcrosoft.com.
xn--mcrosoft-tkb.de.                  -->    mıcrosoft.de.
xn--mcrosoft-u2a.com.                 -->    m?crosoft.com.
xn--micosoft-i0d.com.                 -->    micɾosoft.com.
xn--microoft-l9c.com.                 -->    microșoft.com.
xn--microsft-03a.com.                 -->    microsóft.com.
xn--microsft-9fd.com.                 -->    microsȯft.com.
xn--microsof-eyb.com.                 -->    microsofť.com.
xn--microsof-hk0d.com.                -->    microsofṭ.com.
xn--microsot-ez9c.com.                -->    microsoḟt.com.
xn--microsot-x9b.com.                 -->    microso?t.com.
xn--micrsoft-y3a.com.                 -->    micrósoft.com.

NETFLIX

xn--etflix-vwa.com.                   -->        ?etflix.com.
www.xn--netflx-0va.com.               -->        www.netfl?x.com.
ns1.xn--ntflix-iva.com.               -->    ns1.n?tflix.com.
ns2.xn--ntflix-iva.com.               -->    ns2.n?tflix.com.
ww1.xn--etflix-vwa.com.               -->    ww1.?etflix.com.
ww35.xn--etflix-vwa.com.              -->    ww35.?etflix.com.
ww8.xn--etflix-vwa.com.               -->    ww8.?etflix.com.
www.xn--etflix-vwa.com.               -->    www.?etflix.com.
www.xn--netflx-0va.com.               -->    www.netfl?x.com.
www.xn--netflx-7va.com.               -->    www.netflíx.com.
www.xn--netflx-7va.eu.                -->    www.netflíx.eu.
www.xn--netflx-f9a.com.               -->    www.netflįx.com.
www.xn--netflx-mwa.com.               -->    www.netfl?x.com.
www.xn--netflx-t9a.com.               -->    www.netflıx.com.
www.xn--netlix-5tb.com.               -->    www.net?lix.com.
www.xn--ntflix-bva.com.               -->    www.nétflix.com.
www.xn--ntflix-i4a.com.               -->    www.nėtflix.com.
www.xn--ntflix-iva.com.               -->    www.n?tflix.com.
xn--etflix-vwa.com.                   -->    ?etflix.com.
xn--netflx-0va.com.                   -->    netfl?x.com.
xn--netflx-7va.com.                   -->    netflíx.com.
xn--netflx-7va.eu.                    -->    netflíx.eu.
xn--netflx-f9a.com.                   -->    netflįx.com.
xn--netflx-mwa.com.                   -->    netfl?x.com.
xn--netflx-t9a.com.                   -->    netflıx.com.
xn--netlix-5tb.com.                   -->    net?lix.com.
xn--ntflix-bva.com.                   -->    nétflix.com.
xn--ntflix-i4a.com.                   -->    nėtflix.com.
xn--ntflix-iva.com.                   -->    n?tflix.com.

NEW YORK TIMES

xn--nytmes-5va.com.                   -->    nytímes.com.
xn--nytmes-dwa.com.                   -->    nytîmes.com.
xn--nytmes-yk8b.com.                  -->    nytỉmes.com.
xn--nytmes-yva.com.                   -->    nyt?mes.com.
xn--ytimes-vwa.com.                   -->    ?ytimes.com.
POLONIEX

xn--polonex-3ya.com.                  -->       polon?ex.com.
xn--oloiex-yt7b2e.com.                -->   ṗoloṇiex.com.
xn--oloniex-c53c.com.                 -->   ṗoloniex.com.
xn--plonex-6va6c.com.                 -->   pôloníex.com.
xn--ploniex-l0a.com.                  -->   póloniex.com.
xn--polniex-ex4c.com.                 -->   polọniex.com.
xn--polniex-n0a.com.                  -->   polóniex.com.
xn--poloiex-s13c.com.                 -->   poloṇiex.com.
xn--polonex-cza.com.                  -->   poloníex.com.
xn--polonex-ffb.com.                  -->   polonįex.com.
xn--polonex-ieb.com.                  -->   polonīex.com.
xn--polonex-kza.com.                  -->   polonîex.com.
xn--polonex-sza.com.                  -->   polon?ex.com.
xn--polonex-vfb.com.                  -->   polonıex.com.
xn--polonex-zw4c.com.                 -->   polonịex.com.
xn--polonix-ws4c.com.                 -->   poloniẹx.com.
xn--polonix-y8a.com.                  -->   poloniėx.com.
xn--pooniex-ojb.com.                  -->   połoniex.com.

TWITTER

www.xn--twittr-7ua.tv.                -->        www.twitt?r.tv.
www.xn--twittr-mva.tv.                -->        www.twitt?r.tv.
www.xn--twittr-tva.net.               -->        www.twittër.net.
www.xn--twtter-4va.net.               -->        www.twítter.net.
xn--twtter-cwa.com.                   -->        twîtter.com.
xn--twtter-q9a.net.                   -->        twıtter.net.
xn--twttr-7raz.com.                   -->        tw?tt?r.com.
xn--e1azaa2a9b5b.com.                 -->        тшiттeя.com.

WALMART

xn--wlmart-ita.com.                   -->        w?lmart.com.
xn--walmrt-lta.com.                   -->        walm?rt.com.
xn--wlmart-bua.com.                   -->        wälmart.com.
xn--wlmart-ita.com.                   -->        w?lmart.com.
xn--wlmart-pta.com.                   -->        wálmart.com.

WELLSFARGO

xn--wellsfarg-3mc.com.                -->        wellsfargơ.com.
xn--wellsfarg-e7a.com.                -->        wellsfargó.com.
xn--wellsfarg-tl7d.com.               -->        wellsfargọ.com.
xn--wellsfrgo-51a.com.                -->        wellsfárgo.com.

YAHOO

news.xn--yah-inaa.es.                 -->        news.yahóó.es.
news.xn--yaho-7qa.biz.                -->        news.yahöo.biz.
news.xn--yaho-7qa.info.               -->        news.yahöo.info.
news.xn--yaho-8qa.biz.                -->        news.yahoö.biz.
news.xn--yaho-nqa.com.                -->        news.yah?o.com.
news.xn--yaho-sqa.es.                 -->        news.yahóo.es.
news.xn--yaho-tqa.es.                 -->        news.yahoó.es.
news.xn--yaho-tqa.org.                -->        news.yahoó.org.
news.xn--yah-unaa.biz.                -->        news.yahöö.biz.
news.xn--yah-unaa.info.               -->        news.yahöö.info.
test.xn--yaho-7qa.biz.                -->        test.yahöo.biz.
test.xn--yaho-7qa.de.                 -->        test.yahöo.de.
test.xn--yaho-8qa.biz.                -->        test.yahoö.biz.
test.xn--yaho-8qa.info.               -->        test.yahoö.info.
test.xn--yaho-sqa.org.                -->        test.yahóo.org.
test.xn--yaho-tqa.com.                -->        test.yahoó.com.
test.xn--yaho-tqa.es.                 -->        test.yahoó.es.
test.xn--yaho-tqa.org.                -->        test.yahoó.org.
test.xn--yaho-yqa.com.                -->        test.yahoô.com.
test.xn--yah-unaa.info.               -->        test.yahöö.info.
wp.xn--yah-inaa.org.                  -->        wp.yahóó.org.
wp.xn--yaho-7qa.biz.                  -->        wp.yahöo.biz.
wp.xn--yaho-7qa.de.                   -->        wp.yahöo.de.
wp.xn--yaho-8qa.biz.                  -->        wp.yahoö.biz.
wp.xn--yaho-8qa.de.                   -->        wp.yahoö.de.
wp.xn--yaho-8qa.info.                 -->        wp.yahoö.info.
wp.xn--yaho-nqa.com.                  -->        wp.yah?o.com.
wp.xn--yaho-tqa.org.                  -->        wp.yahoó.org.
wp.xn--yaho-yqa.com.                  -->        wp.yahoô.com.
ww8.xn--yaho-yqa.com.                 -->        ww8.yahoô.com.
www.xn--yah-inaa.es.                  -->        www.yahóó.es.
www.xn--yah-inaa.org.                 -->        www.yahóó.org.
www.xn--yaho-7qa.biz.                 -->        www.yahöo.biz.
www.xn--yaho-7qa.de.                  -->        www.yahöo.de.
www.xn--yaho-7qa.info.                -->        www.yahöo.info.
www.xn--yaho-8qa.biz.                 -->        www.yahoö.biz.
www.xn--yaho-8qa.info.                -->        www.yahoö.info.
www.xn--yaho-nqa.com.                 -->        www.yah?o.com.
www.xn--yaho-ogb.com.                 -->        www.yahoơ.com.
www.xn--yaho-tqa.com.                 -->        www.yahoó.com.
www.xn--yaho-tqa.es.                  -->        www.yahoó.es.
www.xn--yaho-x0b.com.                 -->        www.yahȯo.com.
www.xn--yah-unaa.biz.                 -->        www.yahöö.biz.
www.xn--yah-unaa.info.                -->        www.yahöö.info.
www.xn--yaoo-674a.com.                -->        www.yaḣoo.com.
www.xn--yaoo-6xa.com.                 -->        www.yaħoo.com.
xn--ahoo-4ra.com.                     -->        ýahoo.com.
xn--yah-inaa.es.                      -->        yahóó.es.
xn--yaho-7qa.biz.                     -->        yahöo.biz.
xn--yaho-7qa.info.                    -->        yahöo.info.
xn--yaho-8qa.info.                    -->        yahoö.info.
xn--yaho-nqa.com.                     -->        yahòo.com.
xn--yaho-ogb.com.                     -->        yahoơ.com.
xn--yaho-sqa.org.                     -->        yahóo.org.
xn--yaho-tqa.es.                      -->        yahoó.es.
xn--yaho-tqa.org.                     -->        yahoó.org.
xn--yaho-x0b.com.                     -->        yahȯo.com.
xn--yaho-yqa.com.                     -->        yahoô.com.
xn--yah-unaa.biz.                     -->        yahöö.biz.
xn--yah-unaa.info.                    -->        yahöö.info.
xn--yhoo-0na.com.                     -->        yàhoo.com.
xn--yhoo-loa.info.                    -->        yähoo.info.
xn--yho-qla5g.info.                   -->        yähöo.info.
xn--yho-qla6g.info.                   -->        yähoö.info.

WIKIPEDIA

xn--wiipedia-nmb.com.                 -->    wiĸipedia.com.
xn--wikipdia-50a.cat.                 -->    wikipèdia.cat.
xn--wikipdia-f1a.com.                 -->    wikipédia.com.
xn--wikipdia-f1a.net.                 -->    wikipédia.net.
xn--wikipdia-f1a.org.                 -->    wikipédia.org.
xn--wikipeda-81a.com.                 -->    wikipedìa.com.
xn--wikipeda-i2a.org.                 -->    wikipedía.org.
xn--wikpedia-e2a.org.                 -->    wikípedia.org.
xn--wkipeda-rfbf.com.                 -->    wıkipedıa.com.
xn--wkipedia-c2a.org.                 -->    wíkipedia.org.
xn--wkipedia-u2a.com.                 -->    wïkipedia.com.
xn--wkpedia-7yab.org.                 -->    wíkípedia.org.
xn--wkpedia-rfbb.com.                 -->    wıkıpedia.com.
xn--wkpedia-zyab.com.                 -->    wìkìpedia.com.

YANDEX

www.xn--yande-vx1b.com.               -->        www.yandeẋ.com.
www.xn--yanex-vb1b.com.               -->        www.yanḋex.com.
www.xn--yndex-0jc.com.                -->        www.yɑndex.com.
xn--yande-uze.ru.ru.                  -->        yandex.ru.ru.
xn--yndex-3wa.com.                    -->        yąndex.com.

YOUTUBE

xn--yotube-jnb.com.                   -->        yoűtube.com.
xn--youtub-nva.com.                   -->        youtubê.com.
xn--youtue-7g7b.com.                  -->        youtuḇe.com.
ww11.xn--yotube-jya.com.              -->        ww11.yoùtube.com.
ww43.xn--yotube-4ya.com.              -->        ww43.yoütube.com.
www.xn--yotube-4ya.com.               -->        www.yoütube.com.
www.xn--youtue-7g7b.com.              -->        www.youtuḇe.com.
www.xn--youube-kmc.com.               -->        www.youțube.com.
xn--outube-9ya.com.                   -->        ýoutube.com.
www.xn--outube-9s8b.com.              -->        www.ỳoutube.com.
www.xn--outube-9ya.de.                -->        www.ýoutube.de.

MISC: LUXURY BRANDS

www.xn--gucc-tpa.com.                 -->        www.guccì.com.
xn--gucc-tpa.com.                     -->        guccì.com.
xn--herms-7ra.com.                    -->        hermès.com.
www.xn--herms-7ra.fr.                 -->        www.hermès.fr.
www.xn--lousvuitton-qcb.com.          -->        www.louísvuitton.com.

MISC: SOCIAL PLATFORMS

xn--nstagram-11a.com.                 -->        ìnstagram.com.
xn--nstagram-skb.com.                 -->        ınstagram.com.
www.xn--nstagram-skb.com.             -->        www.ınstagram.com.
xn--istagram-7pb.com.                 -->        iņstagram.com.
www.xn--imgu-t4a.com.                 -->        www.imguŕ.com.
xn--imgr-sra.com.                     -->        imgúr.com.
xn--whatspp-lwa.com.                  -->        whatsápp.com.
xn--whtspp-cxcc.com.                  -->        whɑtsɑpp.com.


https://fraudwatchinternational.com/expert-explanations/punycode-phishing-part-1/
https://www.grahamcluley.com/protect-browser-unicode-domain-phishing-attacks/
https://fraudwatchinternational.com/expert-explanations/what-is-punycode-phishing-part-2/
https://www.farsightsecurity.com/txt-record/2018/01/17/mschiffm-touched_by_an_idn/
https://www.bleepingcomputer.com/news/security/chrome-firefox-and-opera-vulnerable-to-undetectable-phishing-attack/