Homoglyph domain #162

AlephArgo · 2024-12-21T08:03:03Z

AlephArgo
Dec 21, 2024

Dear felow researchers,
I got some results from the homoglyph fuzzer about some domains I'm monitoring, but those domains seems not to be registered anywhere.
Look at the following results:
` Twisted DNS Corporate Keyword Corporate DNS Fuzzer Created At
xn--zarainbank-ttb7690ga.ch - zarattinibank.ch homoglyph 19/12/2024, 20:35:23

xn--zarattnbank-hcbb.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:22	

xn--zarattnban-3v3eb4746b.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:21	

xn--zaattinibnk-4kb8878g.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:20	

xn--zttinibnk-00d5880fbag.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:19`

Any advice?
Thank you
Stefano

Answered by ygalnezri

Dec 23, 2024

Hi Stefano,

The results from your homoglyph fuzzer include Internationalized Domain Names (IDNs) encoded in Punycode, identifiable by the xn-- prefix. This encoding converts non-ASCII characters (e.g., á, ñ, or Cyrillic letters) into a DNS-compatible format. For example:

zarátínibank.ch becomes xn--zaratinibank-xyz.ch.

While useful for international domains, Punycode is often exploited for phishing by creating visually similar domains, such as replacing a (Latin) with а (Cyrillic).

The homoglyph fuzzer in dnstwist cannot exclude xn-- domains, so you’ll need to manually filter these from your results. Attackers often use Punycode to mimic legitimate domains in browsers, making domains like …

View full answer

ygalnezri · 2024-12-23T09:32:30Z

ygalnezri
Dec 23, 2024
Maintainer

Hi Stefano,

The results from your homoglyph fuzzer include Internationalized Domain Names (IDNs) encoded in Punycode, identifiable by the xn-- prefix. This encoding converts non-ASCII characters (e.g., á, ñ, or Cyrillic letters) into a DNS-compatible format. For example:

zarátínibank.ch becomes xn--zaratinibank-xyz.ch.

While useful for international domains, Punycode is often exploited for phishing by creating visually similar domains, such as replacing a (Latin) with а (Cyrillic).

The homoglyph fuzzer in dnstwist cannot exclude xn-- domains, so you’ll need to manually filter these from your results. Attackers often use Punycode to mimic legitimate domains in browsers, making domains like zаrattinibank.ch appear authentic unless inspected closely.

You can also use tools like DomainTools to verify these domain names and gather additional information about them.

Implementing proper monitoring and manual filtering can help you stay ahead of potential threats posed by these flagged domains.

Kind regards,
Ygal

0 replies

AlephArgo · 2024-12-31T08:24:11Z

AlephArgo
Dec 31, 2024
Author

Hi Ygal
thanks for answering.
The thing is, after those domains have been found, I run a whois for all of them, and apparently they are not registered,
So, I'm asking: how those domains have been found?
I understood Watcher finds existing domains, after running the dnstwist or searching through the CTL.
Am I wrong?

Thank you
Stefano

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Homoglyph domain #162

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

Homoglyph domain #162

AlephArgo Dec 21, 2024

Replies: 2 comments

ygalnezri Dec 23, 2024 Maintainer

AlephArgo Dec 31, 2024 Author

AlephArgo
Dec 21, 2024

ygalnezri
Dec 23, 2024
Maintainer

AlephArgo
Dec 31, 2024
Author