Homoglyph domain

[AlephArgo]

Dear felow researchers,
I got some results from the homoglyph fuzzer about some domains I'm monitoring, but those domains seems not to be registered anywhere.
Look at the following results:
` Twisted DNS Corporate Keyword Corporate DNS Fuzzer Created At
xn--zarainbank-ttb7690ga.ch - zarattinibank.ch homoglyph 19/12/2024, 20:35:23

xn--zarattnbank-hcbb.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:22	

xn--zarattnban-3v3eb4746b.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:21	

xn--zaattinibnk-4kb8878g.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:20	

xn--zttinibnk-00d5880fbag.ch	-	zarattinibank.ch	homoglyph	19/12/2024, 20:35:19`

Any advice?
Thank you
Stefano

[ygalnezri]

Hi Stefano,

The results from your homoglyph fuzzer include Internationalized Domain Names (IDNs) encoded in Punycode, identifiable by the xn-- prefix. This encoding converts non-ASCII characters (e.g., á, ñ, or Cyrillic letters) into a DNS-compatible format. For example:

zarátínibank.ch becomes xn--zaratinibank-xyz.ch.

While useful for international domains, Punycode is often exploited for phishing by creating visually similar domains, such as replacing a (Latin) with а (Cyrillic).

The homoglyph fuzzer in dnstwist cannot exclude xn-- domains, so you’ll need to manually filter these from your results. Attackers often use Punycode to mimic legitimate domains in browsers, making domains like zаrattinibank.ch appear authentic unless inspected closely.

You can also use tools like DomainTools to verify these domain names and gather additional information about them.

Implementing proper monitoring and manual filtering can help you stay ahead of potential threats posed by these flagged domains.

Kind regards,
Ygal

[AlephArgo]

Hi Ygal
thanks for answering.
The thing is, after those domains have been found, I run a whois for all of them, and apparently they are not registered,
So, I'm asking: how those domains have been found?
I understood Watcher finds existing domains, after running the dnstwist or searching through the CTL.
Am I wrong?

Thank you
Stefano

[ygalnezri]

Hi Stefano,

Thanks for your reply and for explaining more.

The issue you’re seeing doesn’t come directly from Watcher, but from the tool we use: dnstwist. The problem is that some of the domains generated by dnstwist mix characters from different Unicode scripts, like Latin and Cyrillic.

In real life, these domains cannot be registered, even if they are in Punycode, because registrars block this kind of mixing. Here are two links from the dnstwist GitHub page that explain this:

• DnsTwist Issue #213: Domains with mixed characters (like Latin and Cyrillic) cannot be registered.
• DnsTwist Issue #225: Even if a domain can be encoded in Punycode, registrars will block it if it mixes characters from different scripts.

So, even though dnstwist finds these domains as "possible candidates," they are not a real threat because they can’t be registered.

Still, I recommend keeping an eye on the results, as some of them might still be valid and dangerous. Let me know if I can help with anything!

Kind regards,
Ygal

[AlephArgo]

Thanks Ygal for your explanation. Keep up the good work! Stefano Il Gio 16 Gen 2025, 17:37 Ygal Nezri ***@***.***> ha scritto:

…

Hi Stefano, Thanks for your reply and for explaining more. The issue you’re seeing doesn’t come directly from Watcher, but from the tool we use: dnstwist. The problem is that some of the domains generated by dnstwist mix characters from different Unicode scripts, like Latin and Cyrillic. In real life, these domains cannot be registered, even if they are in Punycode, because registrars block this kind of mixing. Here are two links from the dnstwist GitHub page that explain this: - DnsTwist Issue #213 <elceef/dnstwist#213>: Domains with mixed characters (like Latin and Cyrillic) cannot be registered. - DnsTwist Issue #225 <elceef/dnstwist#225>: Even if a domain can be encoded in Punycode, registrars will block it if it mixes characters from different scripts. So, even though dnstwist finds these domains as "possible candidates," they are not a real threat because they can’t be registered. Still, I recommend keeping an eye on the results, as some of them might still be valid and dangerous. Let me know if I can help with anything! Kind regards, Ygal — Reply to this email directly, view it on GitHub <#162 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A4BHRIT4VYJEWLBU64UZRZ32K7N5LAVCNFSM6AAAAABUAMTOHCVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCOBVG4YDINA> . You are receiving this because you authored the thread.Message ID: ***@***.*** com>