Phishing with internationalised domains

While on a train this morning, one of my close friends sent me this WhatsApp message:

Adidas Shoes WhatsApp Message

The person who sent it to me is not usually someone to send out scams or spam, but, to me at least, this message, did not look legit. It smelled strongly of a phishing scam.

However, it was a link to – so how was this going to phish me?
Of course they are not giving away 3000 free pairs of shoes! Are they?

Cautiously, I pressed on the link.
Obviously, I didn’t end up on
Clicking on the link, I’m redirected to – which contained a registration form, asking for all manner of personal details to claim my ‘free pair of shoes’

But, how did they get the link to redirect to this dodgy site from WhatsApp?
Was Adidas hacked? No.
Can you change the text of a hyperlink in WhatsApp? No. (I tried)

The thing is, it’s not a link to
It’s a link to adidạ

Two very different URLs indeed.
Look closely at the second ‘a’ in the domain. It’s not an a. It’s an ạ
More info on this character  – latin small letter a with dot below (U+1EA1)

Looking at the domain on my phone, it looks as though there’s a small mark on the screen under the ‘a’

This is known as an internationalised domain name, and this specific kind of ‘attack’ is a IDN Homograph (or homoglyph) Attack –

This technique is similar to some personalised, or “cherished” vehicle number plates in the UK.
A fine example of such a number plate is:

4lex number plate

The 4 is supposed to look like an ‘A’ in this particular example.
This is known as a Homoglyph – where 2 characters look alike.

So what’s the deal with xn--adids-m11b?

xn--adids-m11b is punycode – which when converted in to unicode, is adidạs

Punycode is a representation of Unicode with the limited ASCII character subset used for Internet host names

(thanks to Wikipedia)

You can try that out with this Punycode converter:

Just how dangerous is it?

For example, Chrome, and most other browsers will display the puny-code domain in the status bar when hovering over an href:

Safari, for example, can’t display the IDN at all:

safari idn

However, some chat-applications (WhatsApp included at the time of writing) display the link as it was written.


The first warning sign something is up – the redirection, or perceived redirection from adidạ to the punycode equivalent.

But for a lot of people, particularly those who are not tech-savvy, this small detail may go unnoticed. Particularly if the URL bar is hidden on some mobiles.

So the vector of attack (at least successful attack) relies on the user not noticing the punycode domain it is actually resolved to (or not caring – because they’re excited to receive the promised offer for example)
Or, more likely, them not understanding the correlation between what they click on, and where they end up.

Another technique IDN attacks deploy is a quick redirect to a similar but believable domain name.
In our adidạ example, the attacker could have registered something such as
.gifts is a generic top level domain, just like .com .org etc…

Now, setting the puny-code domain ( to redirect to – would create something that looks more realistic – at least to those a little less tech-savvy.

y tho

As I mentioned, in the Adidas example, they were phishing my personal data.
But these sites could quite easily display an official looking login page to that site (capturing your username / password)
Or a ‘buy now’ page – harvesting your credit card details.

The fact they have their victims trust that they are on the legitimate brand site means they are free to essentially do what they want.

I’ve been a customer of GoDaddy for several years.
Recently, I’ve required to use their support service.
Unusually, they don’t offer email support – just phone, or live-chat

On more than one occasion, live-chat has been unavailable, and making a call hasn’t been convenient.
Secondly, live-chat only works with a persistent connection. Working on a train, for example, means you’ll often be cut off from the live-chat service mid-support session.

This is one reason I’ve been moving most of our domains over to Namecheap.
Their support team is always on hand, both chat and email (I much prefer email where possible)
I realise this is personal preference, but having email support much more suits the way I work – not necessarily always connected!

Clearing Chrome Internal DNS cache

Visiting a url, but getting the (old dns) version of a page?
I was too.

Turns out that Chrome keeps an internal DNS cache.

You can view it by visiting the following ‘url’ (enter this in your address bar in Chrome)


Today I launched our commercial website –
Cohoda is a Camberley based web design agency and software consultancy.
I’ve been contracting through Cohoda LTD since I made the leap into being self employed in 2012, but have only just got round to creating our own website.

It’s a bit sparse at the moment but I’ll add details about other projects we’ve worked on soon.

I’m also knocking together a blog section. 
Thought about using Ghost like all the cool kids are doing these days, but I’ll stick to what I know for now and roll it out in WordPress. 
Can always migrate it later!

I’ll do some cross posting between the two blogs. 
I’ll keep Cohoda more focussed on the commercial side of things, rather than hands on development.

Today, I purchased tickets for the Farnborough Air Show 2014, at a cost of £48 each.

As if that wasn’t bad enough, there was a £0.50p charge to print my tickets at home!

The charge was the same for collecting from the Box Office.
For convenience, I printed the tickets at home, but feel this charge is totally unjustified.

Farnborough Air Show an SeeTIckets charging 50p to print tickets at home
Page 1 of 4