This variant of a phishing attack uses Unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.
The xn-- prefix is what is known as an ASCII compatible encoding prefix. It lets the browser know that the domain uses punycode encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.
This vulnerability has not yet been fixed in Chrome 57.0.2987 and Firefox 52.0.2.
Until Chrome and Firefox fix it, the workaround is to block domains that contain Unicode characters by blocking any request that arrives at the proxy and contains "xn--" in the GET request.
To block this GET request you can create a new rule under a Web Access Layer where destination is configured as Destination Host/Port and using Host containing
CPL code to apply the previous rule:
define condition UnicodeBlocking
This is a temporary workaround until this vulnerability is fixed in Chrome and Firefox.
This workaround blocks trusted and untrusted sites.
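Added example, not part of the original article or the proxy's own policy code: the match described above written as a Python check over request hosts. It goes slightly beyond the substring rule by anchoring the "xn--" test to the start of a DNS label, and it decodes each matched label to the Unicode form a browser would display. The function names and sample hosts are constructed for illustration.

```python
"""Added example: find IDNA ACE ("xn--") labels in a request host and decode them."""
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"


def request_host(url_or_host):
    """Return the lowercased host from a URL or a Host header value (port dropped)."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlsplit(target).hostname or "").rstrip(".")


def ace_labels(host):
    """Map each label that starts with the ACE prefix to its Unicode form.

    A label that carries the prefix but is not valid punycode maps to None.
    """
    found = {}
    for label in host.split("."):
        if label.startswith(ACE_PREFIX):
            try:
                found[label] = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                found[label] = None
    return found


def should_block(url_or_host):
    """Same decision as the proxy rule, but anchored to the start of a label."""
    return bool(ace_labels(request_host(url_or_host)))


def to_ace(unicode_label):
    """Build a constructed sample: encode one Unicode label into its ACE form."""
    return ACE_PREFIX + unicode_label.encode("punycode").decode("ascii")


if __name__ == "__main__":
    # Constructed samples: a legitimate IDN, a label with a Cyrillic "a", plain ASCII.
    samples = [
        "http://" + to_ace("münchen") + ".example/",
        to_ace("ex\u0430mple") + ".test:8080",
        "www.example.com",
        "fooxn--bar.example",  # contains "xn--" but not as a label prefix
    ]
    for s in samples:
        host = request_host(s)
        print(host, "BLOCK" if should_block(s) else "allow", ace_labels(host))
```

The legitimate IDN sample is matched exactly like the lookalike one, which is why the workaround blocks trusted and untrusted sites alike.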