Punycode Attack
A phishing technique that registers an internationalised domain name (stored in DNS in its Punycode form) whose Unicode rendering is a convincing lookalike of a trusted domain in the browser's address bar.
Also known as: IDN homograph attack, Unicode domain spoofing, homoglyph domain
Last reviewed: 1 June 2026
Punycode (RFC 3492) is the ASCII-compatible encoding that lets domain names carry non-ASCII characters from other writing systems such as Arabic, Cyrillic and Chinese: each Unicode label is encoded into an ASCII label prefixed with xn-- so that DNS, which handles only ASCII, can resolve it. Browsers decode these internationalised domain names (IDNs) and display them in readable Unicode form rather than as raw Punycode, which creates the attack opportunity: an attacker can register a domain whose Unicode form looks identical to a trusted domain in the address bar but is composed of different characters and resolves to a server the attacker controls.
For example, the Cyrillic letter 'а' (U+0430) is indistinguishable from the Latin letter 'a' (U+0061) in most fonts, yet the two are entirely different characters. A domain with the Cyrillic 'а' in place of the Latin one renders as the expected name while pointing to a completely different server. At the domain level this technique is also called a homograph attack.
Modern browsers partially mitigate Punycode attacks: a label that mixes characters from different scripts (for instance Cyrillic and Latin) is shown in its raw xn-- form rather than as Unicode, and some browsers additionally compare a label's visual skeleton against a list of well-known domains to catch labels written entirely in one lookalike script. These rules differ between browsers and change over time, and registries restrict which characters may be used under each top-level domain, so protection varies by browser and registrar. A padlock or valid certificate is not evidence of legitimacy, because the attacker can obtain a domain-validated certificate for the lookalike domain; users should inspect the certificate's subject and look for visual inconsistencies in URLs, especially before entering credentials via a link received in an email.
Examples
- An attacker registers a domain composed entirely of Cyrillic letters that resemble the Latin a, p, l and e, which some browsers render as 'apple.com', hosts a fake App Store login page on it, and distributes the link in a phishing email.
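The following is an added example, not code from the original page or from any browser vendor. It uses only the Python standard library to show the two halves of the article: how a Unicode label becomes its xn-- Punycode form (and back), and a simplified version of the display policy browsers apply before showing an IDN as Unicode. The confusables table is a constructed subset of the Unicode confusables data, the PROTECTED list is an assumed stand-in for a browser's well-known-domain list, and the script detection (first word of the character's Unicode name) is a heuristic, not the real Unicode Script property.

```python
"""Added example: Punycode round-trip plus a browser-style IDN display policy.

Assumptions (not from the article): CONFUSABLES is a constructed subset of
Unicode confusables.txt, PROTECTED stands in for a browser's list of
well-known domains, and scripts() approximates the Script property from
the first word of each character's Unicode name.
"""
import unicodedata

# Constructed subset of the Unicode confusables data: non-Latin letter ->
# the Latin letter it resembles in common fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u0455": "s",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                  # Greek omicron, alpha
}

# Assumed stand-in for a browser's well-known-domain list.
PROTECTED = {"apple.com", "google.com", "paypal.com"}


def to_ace(host):
    """Unicode hostname -> ASCII-compatible (xn--) form, label by label."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """ASCII-compatible (xn--) hostname -> Unicode form.

    The stdlib codec re-encodes the decoded label and checks it matches,
    so a malformed xn-- label raises UnicodeError instead of being shown.
    """
    return host.encode("ascii").decode("idna")


def scripts(label):
    """Heuristic set of scripts used in one label (e.g. {'CYRILLIC'}).

    Digits and hyphens are allowed in every script and are ignored.
    """
    found = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(label):
    """Replace each confusable letter by the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def display_form(host):
    """Decide what the address bar should show for `host`.

    Returns (display_string, reason). reason is one of:
      'mixed-script' - a label mixes scripts, show raw Punycode
      'confusable'   - whole-script lookalike of a protected domain, show raw Punycode
      'ok'           - safe to render as Unicode
    """
    unicode_host = host if not host.isascii() else to_unicode(host)
    ace_host = to_ace(unicode_host)
    labels = unicode_host.split(".")
    for label in labels:
        if len(scripts(label)) > 1:
            return ace_host, "mixed-script"
    skel = ".".join(skeleton(label) for label in labels)
    if skel != unicode_host and skel in PROTECTED:
        return ace_host, "confusable"
    return unicode_host, "ok"


if __name__ == "__main__":
    # Constructed inputs: the all-Cyrillic lookalike of apple.com (U+0430,
    # U+0440, U+0440, U+04CF, U+0435), a mixed-script variant, and a
    # legitimate single-script Cyrillic name.
    for h in ["apple.com", "\u0430\u0440\u0440\u04cf\u0435.com",
              "\u0430pple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"]:
        print(f"{h!r:40} ace={to_ace(h):28} shown as {display_form(h)}")
```

Feeding the raw xn-- form (as it would appear in a mail client that does not render IDNs) or the Unicode form (as it appears in an address bar) gives the same verdict, because the policy normalises both to Unicode before checking. The mixed-script check alone would let the all-Cyrillic lookalike through; the skeleton comparison is what catches it, which is why protection depends on which checks a given browser implements.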