Punycode: Undetectable, but not Unbeatable

With global ransomware cyber-attacks on the rise, sophisticated phishing campaigns are just one of the key factors accelerating the growth of online fraud.

As organizational awareness of potential attacks is on the rise, online criminals are having to find new and creative ways to dupe people into compromising sensitive financial and personal data. One phishing technique that is currently taking hold: Punycode encoding.

What is a ‘Punycode’? 
If you look up the official definition of a Punycode, it is “a special encoding used by the web browser to convert unicode characters to the limited character set of ASCII, supported by International Domain Names (IDNs) system”. 

What does that actually mean? A Punycode attack hides behind the cloak of a legitimate-looking web address by abusing how a browser displays and interprets an internationalized domain name: Unicode characters that look identical to ordinary Latin letters are substituted into the name, and the browser renders them as though they were the real thing. So if you were to receive an email from a ‘colleague’ which has a link in it, the link – for example, Google.com – will look like Google.com but it won’t actually be. This means a Punycode attack is almost impossible to detect.
 
What’s positive for those most at risk is that, by default, many web browsers now show such addresses in their ‘Punycode’ form (the ASCII `xn--` encoding) instead of rendering the look-alike Unicode characters in the URL, to defend against homograph phishing attacks. But there’s only so much that businesses can do to protect individuals and organizations.
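To make the browser behaviour above concrete, here is an added example (not from the original article) that uses Python's built-in `idna` codec to convert a displayed domain to the `xn--` form a browser would fall back to, and flags labels that mix writing systems, which is the tell-tale sign of a homograph. The domain `ex\u0430mple.com` is a constructed sample with a Cyrillic ‘а’ (U+0430) in place of the Latin one.

```python
import unicodedata


def to_ace(domain: str) -> str:
    """Return the ASCII-compatible (Punycode, xn--) form of a displayed domain."""
    return domain.encode("idna").decode("ascii")


def from_ace(ace: str) -> str:
    """Reverse of to_ace: turn an xn-- domain back into its Unicode display form."""
    return ace.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Heuristic: collect the script of every letter using its Unicode name
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def audit_domain(domain: str) -> dict:
    """Report whether a domain is an IDN and whether any label mixes scripts."""
    ace = to_ace(domain)
    findings = []
    mixed = False
    for label, ace_label in zip(domain.split("."), ace.split(".")):
        scripts = label_scripts(label)
        if ace_label.startswith("xn--"):
            findings.append(f"{label!r} is an IDN label; browsers may show it as {ace_label!r}")
        if len(scripts) > 1:
            mixed = True
            findings.append(f"{label!r} mixes scripts {sorted(scripts)}")
    return {"ace": ace, "is_idn": ace != domain, "mixed_script": mixed, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: Latin 'exmple' with a Cyrillic 'а' (U+0430) inserted.
    for sample in ("google.com", "ex\u0430mple.com"):
        report = audit_domain(sample)
        print(sample, "->", report["ace"])
        for finding in report["findings"]:
            print("  ", finding)
```

A mail gateway or link-rewriting proxy can run the same check on every URL it sees and surface the `xn--` form to the user, which is exactly what the browsers mentioned above do in the address bar.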

A cybersecurity skills gap 
Because the people most at risk from such phishing campaigns are the ones with the lowest technical skills, businesses which fail to upskill their workforce with cyber training should be the most concerned.

Underlining this, Fujitsu’s ‘Digital PACT’ survey found eight in 10 businesses point to digital skills as the biggest hindrance to their cybersecurity function.
  
This is not to say that companies should not invest in appropriate technical and security controls, potentially also working with cyber partners to achieve this. However, upskilling users and making them more cyber aware is, and will be, one of the most cost-effective ways of reducing the probability and impact of human error.

A ‘people’ problem 
A reluctance in upskilling staff is often an attitudinal issue, with many organizations not necessarily considering themselves as ‘high value targets’ for attackers. This results in minimal protection and investment in cyber security defenses or staff training and awareness.

However, for many malicious actors, finding vulnerabilities is their bread and butter, and they will look to hold organizations to ransom through a ‘soft attack’ that compromises their data. Put simply – cybersecurity is more than a technology issue – it’s a ‘people’ issue.
 
Up until now, there has been a general lack of enforcement relating to IT and security related policies. Why? Mostly because there is a common assumption that users are actively following policies or have understood the ramifications for failure to follow the policies as prescribed.
 
Attacks are becoming increasingly harder to spot, so more needs to be done to improve user awareness and training as the first line of defense to protect companies from data leakage and attacks.
 
We know it works. An Accenture report found that 70% of those who had received cybersecurity training felt it improved their ability to recognize and react to threats. Whilst that might not eliminate attacks altogether, it definitely decreases the chances of easy attacks slipping through the net. 

With cyber-attacks increasing in severity, and with the General Data Protection Regulation on the horizon, if we are to ensure our industries remain competitive and secure, it’s critical that businesses enhance their first line of defense against cyber-attacks: their workforce. 