What is Punycode and Why is it a Threat?

When I am training a room full of computer users about how to detect a phishing email, one of the detection methods is using the “hover trick” on a link to reveal the actual web address and destination.  Or, if you have already clicked through, to look at the URL or web address as it is displayed in the address box of the web browser.  Most of the time the web address will not make sense for the expected destination.  And this is your clue that the web page is to be avoided.

What if there was a way to register a domain name that looked just like the real thing?  I am not talking about something that is “close” such as goggle.com, but looks like it is correctly spelled?  The way to carry this off is to use something called “punycode.”

Wikipedia defines punycode as “a way to represent Unicode within the limited character subset of ASCII used for Internet host names. For example, “München” (German name for the city of Munich) would be encoded as “Mnchen-3ya”. Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphen (the Letter-Digit-Hyphen (LDH) subset, as it is called).”

The way that criminal phishers would use punycode would be to register a domain name such as xn--mxail5aa.  This resolves into the Greek alphabet and displays a series of Greek letters that look like “apple.”


In many browsers, these Greek letters will be re-displayed using ASCII letters, and will show the letters “apple.”  ASCII is the Roman alphabet that is used by English.  So you end up with a result that looks like this in your browser

It would be very easy to be fooled by this exploit.  Is there anything you can do to prevent this from happening to you?  Since this is a browser exploit, it is important to have the most up-to-date version of your favorite web browsers installed.

  • Internet Explorer, Edge, Safari, Opera – These browsers appear to be unaffected by this exploit.
  • Chrome – make sure you are using version 58.3029.81 or higher.  you can check this by going to the Chrome menu stack, choose Help, then About Google Chrome.  Crome will display it’s current version and should update itself automatically.
  • Firefox – Force Firefox to display Punycode domain names by going to the about:config page and setting network.IDN_show_punycode to true.

Additional safeguards include:

  • Using a password manager to keep you from logging into a punycode look alike site.
  • Click on the padlock icon to reveal the HTTPS certificate information.  The domain name will be displayed using only ASCII characters, not punycode.


More information:



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.