Fake URLs with Non-ASCII Domain Names

Two years ago there was a viral WhatsApp message with the text “Spin the wheel to win Exciting gifts spin.amaᴢon.com”. A user who checks the link address thinks it is an authentic message and that clicking it will lead to an authentic page. One more point here: WhatsApp does not support custom hyperlinks. If you write a web URL, it is automatically turned into a link whose target is the same as the text. So the only way to show one address and open another would be some kind of software hack. As the message was spread through WhatsApp, I tried to debug it through WhatsApp Web and the DNS requests going out from my PC.

When I looked at it in the source code, it was something different. Although the script used to send the message writes the exact message with the correct link spin.amaᴢon.com (the original link), the source on WhatsApp Web shows a different name: spin.xn--amaon-x59a.com.

So the confusion here is that WhatsApp does not accept user-created hyperlinks, yet these messages contain what is suspected to be a manipulated, deceptive link.

Now, after two years, I again received similar messages.

Hey ! Big Bazaar is giving FREE INR5000 shopping voucher to celebrate it’s 17th anniversary, Go here to get yours : http://www.bıgbazaar.com/anniversary Enjoy and thanks me later!.

This time the domain name was suspicious: the letter i is actually missing the dot above it. What we know is that only ASCII characters are allowed in domain names, so we can't expect a non-ASCII character.

But yes, it is actually non-ASCII. 3 years ago some name servers started distributing domain names with non-ASCII characters. When these non-ASCII (mostly Cyrillic) domain names are entered in a browser, they are automatically translated to ASCII names like the one above.

Cyrillic/non-ASCII      | ASCII translation
------------------------|-------------------------
spin.amaᴢon.com         | spin.xn--amaon-x59a.com
bıgbazaar.com           | xn--bgbazaar-tkbg.com
indiaसरकार.com          | xn--india-10k6nb3e2c.com
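
The translation described above can be reproduced offline to check a link before opening it. The following Python sketch is an added example, not code from the original post: the function name inspect_host is made up here, the dotless i is assumed to be U+0131, and the code applies raw Punycode per label with the standard library rather than the full IDNA processing a browser performs.

```python
import unicodedata
from urllib.parse import urlsplit

def inspect_host(url):
    """Return (ascii_host, findings) for the hostname of a URL or bare host."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    ascii_labels, findings = [], []
    for label in host.split("."):
        if label.isascii():
            ascii_labels.append(label)
            if label.startswith("xn--"):
                # Already translated: decode to see what the user is shown.
                try:
                    shown = label[4:].encode("ascii").decode("punycode")
                except UnicodeError:
                    shown = "(invalid punycode)"
                findings.append((label, "displays as " + shown))
            continue
        # Raw Punycode (RFC 3492) for this label, with the "xn--" prefix.
        # Assumption: no IDNA mapping or validation, unlike a browser.
        ascii_labels.append("xn--" + label.encode("punycode").decode("ascii"))
        for ch in label:
            if not ch.isascii():
                name = unicodedata.name(ch, "UNNAMED")
                findings.append((label, "U+%04X %s" % (ord(ch), name)))
    return ".".join(ascii_labels), findings

if __name__ == "__main__":
    # The two links quoted in the post (non-ASCII letters written as escapes,
    # U+0131 assumed for the dotless i) plus a constructed all-ASCII control.
    samples = [
        "spin.ama\u1d22on.com",
        "http://www.b\u0131gbazaar.com/anniversary",
        "https://www.example.com/offers",
    ]
    for s in samples:
        ascii_host, findings = inspect_host(s)
        print(ascii_host, "SUSPICIOUS" if findings else "plain ASCII")
        for label, detail in findings:
            print("   ", label, "->", detail)
```

Any finding means the host contains a label that is not plain ASCII, and the reported character names show exactly which letter was substituted.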

So now it is better to verify web links properly, and there is still a possibility of being fooled, as some Cyrillic characters look exactly the same. If the site has a valid HTTPS/SSL certificate with the same name as the one it is displaying, then we can say the link is authentic. Ignore SSL certificates issued by Let's Encrypt or similar SSL providers.
