Late last year, Trend Micro senior threat researcher Ben April discussed the security implications of using internationalized domain names (IDNs). IDNs are domain names that use non-English/non-ASCII characters. As Ben discussed, there are several ways in which cybercriminals can abuse IDNs in their attacks. Today, we saw such abuse, as spammers used IDNs in spam URLs.
We recently got hold of a spam sample that contained a Russian IDN URL:
The availability of IDNs gives spammers more room to create spam domains. Since domain names are no longer limited to English characters, non-English domains can also be registered, so more domains are available to be registered and used for spamming. Spammers can also use the Punycode version of a URL, which is the ASCII encoding of the IDN. Because the same domain can then appear in either form, signature blocking or blacklisting requires more effort.
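One way to handle both forms in a URL blocklist is to reduce every hostname to its lowercase ASCII (Punycode) form before comparing. The sketch below is an added example, not Trend Micro code: the function names, the blocklist entry and the sample message are constructed for illustration, and it relies on Python's built-in `idna` codec, which implements IDNA 2003.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: one blocklist entry and one message body.
BLOCKLIST = ["пример.рф"]
MESSAGE = (
    "Special offer: http://пример.рф/offer\n"
    "Mirror: http://XN--E1AFMKFD.xn--p1ai/offer?id=1\n"
    "Unrelated: http://example.com/\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def canonical_host(host):
    """Return the lowercase Punycode form of a hostname, or None if malformed."""
    try:
        # The "idna" codec applies nameprep (case folding) and Punycode per label.
        ascii_host = host.strip().rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None  # empty or over-long label, or a disallowed code point
    # Labels that were already ASCII are passed through unchanged, so fold case here.
    return ascii_host.lower() or None


def blocked_urls(text, blocklist):
    """Return (url, canonical_host) for each URL in text whose host is blocklisted."""
    keys = {canonical_host(d) for d in blocklist} - {None}
    hits = []
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # unparseable authority, e.g. a broken IPv6 literal
        key = canonical_host(host) if host else None
        if key in keys:
            hits.append((url, key))
    return hits


if __name__ == "__main__":
    for url, key in blocked_urls(MESSAGE, BLOCKLIST):
        print(f"blocked {url} (matches {key})")
```

Storing blocklist entries in the same canonical form means a single entry covers the Unicode, Punycode and mixed-case spellings of a domain.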
More spammed messages such as the one above indicate that IDN URL usage for spamming may increase as time goes by.
The Trend Micro™ Smart Protection Network™, through its Web reputation technology, protects users from threats that may be delivered using IDNs.