So we’re seeing homograph attacks again. Examples show how ‘apple.com’ and ‘epic.com’ can be mimicked by the use of Internationalized Domain Names (IDN) consisting entirely of Unicode characters, i.e. xn--80ak6aa92e.com and xn--e1awd7f.com respectively.
As I found myself looking for ways to discover domain names that could be used for phishing attempts, I created a Python script called Punicoder to do the hard work for me. See the screenshot below for example output, and try it out for yourself here.
Pro tip: use the following series of commands to find out if any of these domains resolve:
    pieter@ubuntu:~$ python punicoder.py google.com | cut -d' ' -f2 | nslookup | grep -Pzo '(?s)Name:\s(.*?)Address: (.*?).Server'
    Name: xn--oogle-qmc.com
    Address: 185.53.178.7
    Server
    Name: xn--gogl-0nd52e.com
    Address: 216.239.32.27
    Server
    Name: xn--gogl-1nd42e.com
    Address: 216.239.32.27
    Server
    Name: xn--oole-z7bc.com
    Address: 50.63.202.59
    Server
    Name: xn--goole-tmc.com
    Address: 75.119.220.238
    Server
    Name: xn--ggle-55da.com
    Address: 216.239.32.27
    Server
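For the defensive side of the same problem, here is an added example (not part of Punicoder or the original post) that decodes an xn-- domain and checks whether its lookalike characters collapse to a name on a watchlist. The confusables table and the watchlist are assumptions: a small hand-picked subset for illustration, where a real deployment would load confusables.txt from Unicode UTS #39.

```python
import unicodedata

# Assumption: hand-picked lookalikes for illustration only; the complete
# mapping is confusables.txt from Unicode UTS #39.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u04cf": "l", "\u0455": "s", "\u0458": "j", "\u04bb": "h",
    "\u0501": "d", "\u0261": "g",
}
# Hypothetical list of domains to protect.
WATCHLIST = {"apple.com", "epic.com", "google.com"}


def to_unicode(domain):
    """Decode each xn-- label with the stdlib punycode codec."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw xn-- label
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Replace known lookalike characters with their ASCII counterparts."""
    text = unicodedata.normalize("NFKC", to_unicode(domain))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def scripts(domain):
    """Coarse script of each non-ASCII character, taken from its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in to_unicode(domain) if ord(ch) > 127}


def check(domain):
    """Return the watchlist entry that `domain` imitates, or None."""
    if domain.lower() in WATCHLIST:
        return None  # the genuine domain itself
    skel = skeleton(domain)
    return skel if skel in WATCHLIST else None


if __name__ == "__main__":
    for d in ["xn--80ak6aa92e.com", "xn--e1awd7f.com", "example.com"]:
        print(d, to_unicode(d), sorted(scripts(d)), check(d))
```

Both domains from the top of this post decode to labels made up entirely of Cyrillic letters, which is why a mixed-script check alone does not catch them and a skeleton comparison against known names is needed.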