-
Dear fellow researchers,
Any advice?
Replies: 3 comments 1 reply
-
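Hi Stefano,

The results from your homoglyph fuzzer include Internationalized Domain Names (IDNs) encoded in Punycode, identifiable by the `xn--` prefix. This encoding converts non-ASCII characters (e.g., `á`, `ñ`, or Cyrillic letters) into a DNS-compatible format. For example:

While useful for international domains, Punycode is often exploited for phishing by creating visually similar domains, such as replacing `a` (Latin) with `а` (Cyrillic).

The homoglyph fuzzer in `dnstwist` cannot exclude `xn--` domains, so you’ll need to manually filter these from your results. Attackers often use Punycode to mimic legitimate domains in browsers, making domains like…

You can also use tools like DomainTools to verify these domain names and gather additional information about them. Implementing proper monitoring and manual filtering can help you stay ahead of potential threats posed by these flagged domains.

Kind regards,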
-
Hi Ygal Thank you
-
Thanks Ygal for your explanation.
Keep up the good work!
Stefano
On Thu, 16 Jan 2025, 17:37 Ygal Nezri ***@***.***> wrote:
… Hi Stefano,
Thanks for your reply and for explaining more.
The issue you’re seeing doesn’t come directly from Watcher, but from the
tool we use: dnstwist. The problem is that some of the domains generated by
dnstwist mix characters from different Unicode scripts, like Latin and
Cyrillic.
In real life, these domains cannot be registered, even if they are in
Punycode, because registrars block this kind of mixing. Here are two links
from the dnstwist GitHub page that explain this:
- DnsTwist Issue #213 <elceef/dnstwist#213>:
Domains with mixed characters (like Latin and Cyrillic) cannot be
registered.
- DnsTwist Issue #225 <elceef/dnstwist#225>:
Even if a domain can be encoded in Punycode, registrars will block it if it
mixes characters from different scripts.
So, even though dnstwist finds these domains as "possible candidates,"
they are not a real threat because they can’t be registered.
Still, I recommend keeping an eye on the results, as some of them might
still be valid and dangerous. Let me know if I can help with anything!
Kind regards,
Ygal
Hi Stefano,

The results from your homoglyph fuzzer include Internationalized Domain Names (IDNs) encoded in Punycode, identifiable by the `xn--` prefix. This encoding converts non-ASCII characters (e.g., `á`, `ñ`, or Cyrillic letters) into a DNS-compatible format. For example:

While useful for international domains, Punycode is often exploited for phishing by creating visually similar domains, such as replacing `a` (Latin) with `а` (Cyrillic).

The homoglyph fuzzer in `dnstwist` cannot exclude `xn--` domains, so you’ll need to manually filter these from your results. Attackers often use Punycode to mimic legitimate domains in browsers, making domains like…
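
A triage sketch for the manual filtering discussed in this thread, added here as an example and not taken from the posts, from dnstwist or from Watcher: it decodes `xn--` labels and separates candidates whose labels mix scripts (the case the quoted reply says registrars block) from single-script IDNs that remain worth watching. The function names, the sample domains and the script approximation via Unicode character names are assumptions of this example.

```python
import unicodedata

def to_ace(label):
    """Encode a Unicode label to its xn-- form (used only to build the sample input)."""
    return label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")

def decode_label(label):
    """Decode one DNS label; xn-- labels carry Punycode after the prefix."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(label):
    """Approximate the scripts in a label: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def triage(domain):
    """Return (category, unicode_form) for one candidate domain."""
    try:
        labels = [decode_label(part) for part in domain.rstrip(".").split(".")]
    except UnicodeError:
        return "undecodable", domain
    shown = ".".join(labels)
    if shown.isascii():
        return "ascii", shown
    # Mixing is judged per label, so a Cyrillic label under .com is not "mixed".
    if any(len(scripts_of(label)) > 1 for label in labels):
        return "idn-mixed-script", shown
    return "idn-single-script", shown

# Constructed sample input, standing in for a list of fuzzer results.
SAMPLES = [
    "example.com",
    to_ace("ex\u0430mple") + ".com",  # Latin with one Cyrillic letter
    to_ace("\u0435\u0445\u0430\u043c\u0440\u04cf\u0435") + ".com",  # Cyrillic only
    to_ace("ex\u00e1mple") + ".com",  # Latin with an accented letter
]

if __name__ == "__main__":
    for name in SAMPLES:
        category, shown = triage(name)
        print(f"{category:18} {name:28} {shown!r}")
```

Entries reported as `idn-single-script` are the ones to keep under monitoring; `idn-mixed-script` entries can be given lower priority rather than dropped.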