Brand Abuse, Digital Fraud

How One Letter Renders Phishing Emails Undetectable

By Andre Luiz R. Silva on

If you have been paying close attention, you’ll know that we’ve recently been discussing spear phishing, a kind of fraud that uses email sent directly to a specific person or group, and also about scams that show look-alike URLs to deceive the visitor. To make matters worse, however, we see evidence now that these two tactics are becoming intertwined. A study by Offensity showed that hidden characters in some senders’ domains are not detected by the foremost webmail services!


More phishing emails, with greater sophistication!

The entire Offensity study was carried out using a domain registration that used Unicode characters, which are characters that are not in the alphabet of Latin-based languages (such as ours). 

In cybersquatting scams (the ill-intentioned registration of similar domains), Unicode characters are generally taken from the Cyrillic alphabet, which is used for languages such as Russian. The heck of it is that when shown in the correct form (without viewing errors), those letters can be identical to letters in the Latin alphabet.

To carry out this email test, Offensity personnel registered a domain with the name а At first glance, there’s nothing strange about it, right? Well, the first “a” in this domain actually comes from the Cyrillic alphabet. When read “incorrectly,” adapted to our alphabet, it appears like this:

Totally different, right? This system of character conversions that cannot be read in the Roman system/alphabet has been dubbed punycode. However, the big issue here is that very few places can make that conversion—in others, the “a” will appear normally as a character that is nearly identical to that of the Latin alphabet. 

So, you can imagine the countless possibilities in so many other domains that could confuse a person (even the most experienced in digital security!) regarding the authenticity of content. The most obvious route for a cybercriminal is, therefore, to create phishing schemes for capturing sensitive data, such as logins, passwords and credit card numbers.


The problem “punycode” represents for the primary webmail services

To test which emails did not display the punycode characters to the user (making him or her vulnerable to phishing scams), Offensity tested email sends and the message reply options on seven different products: Outlook (desktop and mobile), Office 365 Web, Gmail (web and mobile), Apple Mail (for iPhone) and Thunderbird (Mozilla).

Only Outlook’s mobile version and Apple Mail for iPhone showed the punycode’s genuine appearance when receiving and replying to the recipient that was using the created domain. Gmail’s web version was the only one that went half-way, unmasking the problem only when “reply” was clicked.

What, then, does all this tell us? These test results, if we do the math, show that the probability that a given user of the leading webmail services can successfully discern that the domain is falsified is only 35.7%.


What’s the best strategy to avoid Unicode deception?

Well, to avoid getting snagged by Unicode domains with fraudulent intentions, you need a sharper eye. Now that you know these dangers exist—and since knowledge is power—perhaps it would be a good idea to see how these characters are obtained. As easy as it is for a fraudster to get a Cyrillic character via a Google search, the reverse direction is also easy.

On a site such as Punycoder you can insert characters and phrases (or an entire text, if you’d prefer) that were written in Unicode so that they appear with the notorious “xn--” in front. But this should be the responsibility of the webmail services, as it would clearly be difficult for a user to insert all email domains received into an external “verifier,” right?

The final solution: Brand and domain protection

That’s right! A company’s good, old-fashioned concern for what’s being said or done regarding their brand must also embrace new technologies (and the cybercriminals’ updates). Considering the Unicode problems, domain monitoring is a good and necessary strategy for companies wishing to protect their reputation online.

Here’s how it works: You find a solution and/or a monitoring product that includes strategic planning for Unicode functions, and then just wait for the alerts to come the moment a domain similar to that of your brand, with any change of characters, is registered. A suggestion? Find out about our solution for Similar domain names and see what we can do for you.



Eduardo Schultze, Coordenador do CSIRT da Axur, formado em Segurança da Informação pela UNISINOS – Universidade do Vale do Rio dos Sinos. Trabalha desde 2010 com fraudes envolvendo o mercado brasileiro, principalmente Phishing e Malware


Andre Luiz R. Silva

A journalist working as Content Creator at Axur, in charge of Deep Space and press activities. I have also analyzed lots of data and frauds here as a Brand Protection team member. Summing up: working with technology, information and knowledge together is one of my biggest passions!