A homograph attack is a means for a threat actor to fool users that they’re accessing the correct website when they’re actually not. Hackers do that by taking advantage of the fact that many letters from different alphabets look alike.
Attackers replace Latin characters in internationalized domain names (IDNs) with letters from non-Latin-based languages, such as Cyrillic. An example would be using the Cyrillic character а (Cyrillic lowercase a) instead of a (English lowercase a). To the naked eye, they would look the same. But computers would know the difference and take the user to a malicious website (usually a look-alike of the site they wish to visit) instead of the legitimate webpage they want to access.
Homograph attacks became possible with the introduction of internationalized domain names, an effort that made a lot of headway in 1998. But it wasn’t until 2010 that the Internet as we know it began accepting non-Latin characters in domain names.
What Alphabets Are Typically Used in Homograph Attacks?
Any European or Asian alphabet that contains characters resembling Latin letters can be used in a homograph attack. Examples include Cyrillic, Greek, Armenian, Hebrew, and Thai.
Among the alphabets mentioned, however, Cyrillic is probably the easiest to abuse, because so many of its characters look almost identical to Latin letters. The table below shows several examples.
| Cyrillic Character | Sample IDN |
|---|---|
| І (capital i) | googІe[.]com |
| у (small u) | macуs[.]com |
| е (small ie) | applе[.]com |
| о (small o) | micrоsоft[.]cоm |
| р (small er) | рayрal[.]com |
| с (small es) | сhanel[.]сom |
| х (small ha) | foхnews[.]com |
| ь (small letter soft sign) | ььc[.]com |
| ѕ (small dze) | adidaѕ[.]com |
| ј (small je) | јnј[.]com |
Suppose, for instance, that you receive an email from someone you don’t know who claims to be from Johnson & Johnson and offers you COVID-19 vaccines for free. If you click the embedded link www[.]јnј[.]com, you’ll end up on a different page instead.
Why? Because the link uses Cyrillic rather than Latin letters. Threat actors can host a phishing page on the IDN, and users who don’t look twice at the address bar could easily be fooled. The link’s Latin-letter equivalent would take you to the Johnson & Johnson homepage.
Are Homograph and Typosquatting Attacks the Same?
While both types of attacks rely on deception, there’s a stark difference between them. Users can’t, for instance, mistakenly type an IDN created for a homograph attack into their browsers; typosquatting domains, by contrast, are reached precisely by mistyping.
IDNs created for homograph attacks can only take potential victims to fake login pages (often associated with phishing) and malware-laden websites if a link to them is clicked. Users who misspell domains while typing them into their browsers are, however, likely to land on typosquatting domains, which are also often used for phishing.
What Is an Example of a Homograph Attack?
Back in 2017, security researcher Xudong Zheng released a proof-of-concept (PoC) homograph attack to show how dangerous falling for one could be. He registered the IDN https[:]//www[.]xn--80ak6aa92e[.]com/, which a browser displays as https[:]//www[.]аррӏе[.]com/ (see the conversion below).
Zheng could use the IDN to trick users looking for the Apple website into visiting his page instead. If he were a threat actor, he could phish visitors’ credentials or, worse, take over their accounts when they log in.
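The following Python script is an added example, not code from the original article or from Zheng's PoC. It converts a hostname between its Unicode form and its punycode (xn--) form, as in the conversion above, and flags any label that mixes scripts or that collapses to a plain Latin name once the Cyrillic look-alikes from the table are swapped for the letters they mimic. The look-alike table is a constructed subset of the examples on this page, and the function names are assumptions of this example.

```python
import unicodedata

# Constructed subset of Cyrillic letters that mimic Latin ones, taken from the
# table above plus the two letters in Zheng's PoC (а U+0430, palochka ӏ U+04CF).
# Unicode's confusables.txt (UTS #39) is far larger; this is illustrative only.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0455": "s",  # с х у ѕ
    "\u0458": "j", "\u0456": "i", "\u044c": "b", "\u04cf": "l",  # ј і ь ӏ
    "\u0406": "l",  # capital І passes for Latin I and l alike (googІe above)
}

def to_unicode_label(label):
    """Decode an A-label (xn--...) to its U-label; leave other labels alone."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii_label(label):
    """Encode a U-label as an A-label: punycode behind the xn-- prefix."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def letter_scripts(label):
    """Scripts of the letters in a label, read off the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace known Cyrillic look-alikes with the Latin letters they mimic."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)

def analyze(hostname):
    """Report the U-label, A-label, Latin skeleton and any homograph findings."""
    labels = [to_unicode_label(part) for part in hostname.split(".")]
    findings = []
    for lab in labels:
        scripts = letter_scripts(lab)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in '{lab}': {sorted(scripts)}")
        if lab != skeleton(lab) and skeleton(lab).isascii():
            findings.append(f"'{lab}' is a look-alike of '{skeleton(lab)}'")
    return {"unicode": ".".join(labels),
            "ascii": ".".join(to_ascii_label(lab) for lab in labels),
            "skeleton": ".".join(skeleton(lab) for lab in labels),
            "findings": findings}

if __name__ == "__main__":
    for host in ["xn--80ak6aa92e.com", "goog\u0406e.com", "paypal.com"]:
        print(analyze(host))
```

Compare the returned skeleton against a list of brands you care about to turn this into a simple alert; the "unicode" value shows what the user would see in an address bar that renders IDNs.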
How Can You Avoid Falling Prey to a Homograph Attack?
While it isn’t easy to tell many IDNs from the real thing, you can still avoid homograph attacks by following these best practices:
- Update your browser regularly. The latest browsers, regardless of provider, now have built-in protection against homograph attacks.
- Confirm that the site you’re on has an extended validation certificate (EVC). As of February 2021, Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari have menus that show this detail.
- Avoid clicking links embedded in emails, chat messages, and other publicly available content, most especially on social media. If you don’t know their senders personally, avoid clicking at all costs.
- If you do click a link, check the address bar of the page you land on to make sure it isn’t a fake.
- Use an anti-malware solution. These programs now come with built-in protection features against homograph attacks.
Homograph attacks, as we said, are often effective phishing avenues. And clicking links from unknown sources is one of the most common ways you can become their victim.