What is Punycode and Why is it a Threat?

When I am training a room full of computer users about how to detect a phishing email, one of the detection methods is using the “hover trick” on a link to reveal the actual web address and destination.  Or, if you have already clicked through, to look at the URL or web address as it is displayed in the address box of the web browser.  Most of the time the web address will not make sense for the expected destination.  And this is your clue that the web page is to be avoided.

What if there was a way to register a domain name that looked just like the real thing?  I am not talking about something that is “close” such as goggle.com, but looks like it is correctly spelled?  The way to carry this off is to use something called “punycode.”

Wikipedia defines punycode as “a way to represent Unicode within the limited character subset of ASCII used for Internet host names. For example, “München” (German name for the city of Munich) would be encoded as “Mnchen-3ya”. Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphen (the Letter-Digit-Hyphen (LDH) subset, as it is called).”

The way that criminal phishers would use punycode would be to register a domain name such as xn--mxail5aa.  This resolves into the Greek alphabet and displays a series of Greek letters that look like “apple.”


In many browsers, these Greek letters will be re-displayed using ASCII letters, and will show the letters “apple.”  ASCII is the Roman alphabet that is used by English.  So you end up with a result that looks like this in your browser

It would be very easy to be fooled by this exploit.  Is there anything you can do to prevent this from happening to you?  Since this is a browser exploit, it is important to have the most up-to-date version of your favorite web browsers installed.

  • Internet Explorer, Edge, Safari, Opera – These browsers appear to be unaffected by this exploit.
  • Chrome – make sure you are using version 58.3029.81 or higher.  you can check this by going to the Chrome menu stack, choose Help, then About Google Chrome.  Crome will display it’s current version and should update itself automatically.
  • Firefox – Force Firefox to display Punycode domain names by going to the about:config page and setting network.IDN_show_punycode to true.

Additional safeguards include:

  • Using a password manager to keep you from logging into a punycode look alike site.
  • Click on the padlock icon to reveal the HTTPS certificate information.  The domain name will be displayed using only ASCII characters, not punycode.


More information:



About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.