Just to add that I got tricked by a punycode url this morning, and was none the wiser until things started getting suspicious. So I was sent an imgur url. Looked perfectly fine. Opened it up, and looks like the normal Imgur site, however, the thumbnail was quite small. I clicked on it to enlarge, but it downloaded a zip. That was when I was like WTF. So looked into the source and it was pulling from a weird domain, which obviously was using punycode (started with xn--). I immediately deleted the zip and ran virus scanners, but hopefully nothing untoward happened unless you opened the zip.
And to note, the latest Chrome (using 58.0.3029.81) DOES NOT pick up this issue. Latest Firefox did not pick up anything suspicious either. I've since turned on "show punycode" in Firefox, which helps. However, Chrome currently has no defences against this. I've installed an add-on that gives a small pop-up, but it's not great, and seems to have false-positives.
I believe only Chrome v59 will properly detect this when it comes out. So just a big warning, that you aren't safe with the latest browser versions without making some changes or installing extensions for additional insight.
