>man emoji_url

I got an interesting spam SMS today that drove me to do a little research. The link included a 🍑 emoji. I have heard about emojis being used in a link, but have never really looked into it or seen it in practice before. I often take phishing URLs and visit the sites in a safe environment to see what they are. Check out browserling.com for a quick online Windows or Android VM. I couldn’t immediately test the URL because I had to figure out how to type it into the address bar. I found a few articles on Wikipedia that led me to RFC 3492, Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA).

Punycode allows for a unique and reversible encoding of non-ASCII characters in ASCII that complies with RFC 952. Punycode is also used for other Unicode language characters besides emojis. The bootstring algorithm takes any string of mixed-type characters, called the extended string, and represents it as a sequence of “basic code points” called the basic string. Basic code points in the string are first segregated from the non-basic code points by copying them all at once into a string that will sit at the beginning of the future basic string. The string “Hi-😊-down-for-🚓-later?” is transformed to “Hi--down-for--later?-” followed by the basic code point representations of the two emojis.

In my suspicious URL the section in question was “co🍑162”, which translates to “xn--co162-8p93d” in Punycode. Other strings in the URL delimited by dot characters are not included in the encoding. See the example below from punycoder.com.

Firefox also showed the ASCII conversion in the address bar when pasted in.
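The same per-label translation can be done offline when triaging a suspicious link. The following is an added example, not part of the original post: it uses Python's built-in `punycode` codec, and the function names and the `example`/`test` labels in the sample URL are assumptions made for illustration (only the `xn--co162-8p93d` label comes from the post).

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # marks a Punycode-encoded label in a hostname


def decode_label(label):
    """Return the Unicode form of one hostname label (unchanged if not Punycode)."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed encoding: keep the raw ASCII form for review


def encode_label(text):
    """Encode one label: basic code points first, then the encoded remainder."""
    if text.isascii():
        return text
    return ACE_PREFIX + text.encode("punycode").decode("ascii")


def inspect_url(url):
    """Decode each dot-separated label and list its non-ASCII code points."""
    host = urlsplit(url).hostname or ""
    report = []
    for label in host.split("."):
        text = decode_label(label)
        odd = [(f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
               for c in text if ord(c) > 127]
        report.append({"label": label, "decoded": text, "non_ascii": odd})
    return report


if __name__ == "__main__":
    # Constructed URL: only the middle label is taken from the post.
    for row in inspect_url("http://example.xn--co162-8p93d.test/path"):
        print(row)
```

Each label is handled on its own, so plain ASCII labels pass through untouched and any label reporting non-ASCII code points can be flagged for a closer look.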

It is an interesting method that helps a malicious actor or spammer make their link look more enticing and a little less sketchy. I found a few resources during this process. emojipedia.org allows you to search for an emoji and copy and paste it. punycoder.com allows you to translate between Punycode and text. Here is a list of all the Unicode emojis.
