How to prevent the LAN clients from the possible Punycode Phishing Attack?

Support Model :
  • Tags :

The internet we use every day in our life is built in the United States as an internal usage at the very beginning, and it is designed to use ASCII only. So, the URL can be constructed by the characters listed in the ASCII only, which includes the 26 capital and lowercase letters in English and some of the common punctuations. But, some of the languages use the letter with phonetic symbols, or even the languages use the entirely different characters as Latin characters, such as Arabic, Chinese, Hebrew, Japanese and Thai. There is a new encoding system called Unicode which contents so many characters from the different languages and is still growing time by time. So, in order to present the URL with more languages, there is a new URL construct method called "Punycode" to use the limited ASCII character to present the Unicode.

However, this may cause some security issue. We can find the letters are extremely similar to another one in the different language, it is a possible that some bad guys constructed a website, and set the URL similar to a well-known website intentionally. The user may not recognize the different of the URL then access to the fake website, so your personal information like name, phone number, address, birthday or credit card number may leak to the bad guys.


Fortunately, there is a simple method that we can block all the websites which are using Punycode to construct their URLs to avoid such risk. The URL will start with "xn--" to declare it is using Punycode, so we can set up the URL Content Filter and DNS Filter to block the URLs which content "xn--".

Here are the settings should be configured:

1. Set a Keyword Object with content "xn--"


2. Set a URL Content Filter profile, to block the URL which contents the code we set in step 1


3. Set a DNS Filter profile, to filter the DNS request by the URL content filter we set in step 2


4. Set a Firewall Rule profile, to filter the connection by the rule we set in step 2 and 3


Related application notes:
How to block a HTTPS website by URL Filter and DNS Filter?
[Vigor3900] How to block a HTTPS website (e.g. Facebook) with URL Content Filter?

Most of the browsers have fixed this issue by display the URL by the original ASCII instead of Unicode characters on their latest version, so the user may not be confused by the similar URL.

Was this article helpful ?
35How to prevent the LAN clients from the possible Punycode Phishing Attack? has been viewed------ 35 ------times.