A homograph attack is a type of phishing attack that uses look-alike characters to pass off one site as another. Most of them are easily recognizable by end users with proper training (for example, g00gle.com), but homograph attacks based on internationalized domain names (IDNs) can be visually indistinguishable from the domains they spoof.
A homographic attack, also called a homograph attack, is a phishing attack where attackers create URLs or domain names that visually resemble legitimate ones by using characters from different character sets that look similar to the characters in the original domain name.
For example, attackers might replace certain letters in a legitimate domain name with visually similar characters from other alphabets or character sets, such as using Cyrillic, Greek, or other non-Latin characters that resemble Latin characters. This can deceive users into thinking they are visiting a legitimate website when, in fact, they are being directed to a malicious site controlled by the attacker.
Homographic attacks can be particularly effective because they exploit human perception and the way users visually process domain names, making it difficult for users to distinguish between legitimate and malicious URLs. This type of attack can be used for various malicious purposes, including phishing for sensitive information such as usernames, passwords, or financial details, or spreading malware.
Homograph attacks can take several forms, each with its own method of exploiting visually similar characters to deceive users. Here are some common types:
In a URL homograph attack, attackers register domain names that visually resemble legitimate domain names by replacing certain characters with visually similar characters from different character sets. For example, they might replace the letter "o" in a domain name with the number "0" or use Cyrillic characters that resemble Latin characters. Users may not notice the difference and could inadvertently visit the malicious website.
Similar to URL homograph attacks, attackers can create email addresses that mimic legitimate addresses by using visually similar characters. This tactic is often used in phishing attacks where the attacker sends emails from addresses that appear to be from trusted sources, such as banks or government agencies, in an attempt to trick users into providing sensitive information.
Internationalized Domain Names (IDNs) allow domain names to be registered using non-Latin characters, such as Cyrillic, Greek, or Chinese characters. In an IDN homograph attack, attackers register domain names that contain characters from different scripts that look similar to Latin characters. This can be particularly deceptive because the domain name appears legitimate when displayed in the user's native language.
Attackers can use homograph characters in file names to disguise malicious files.
For example, they might create a file with a name that looks like a harmless document or image file but actually contains malware. This tactic can be used to trick users into downloading and executing malicious files on their systems.
On online platforms that allow users to choose their usernames, attackers can create accounts with usernames that resemble legitimate users' names by using homograph characters. This can be used for impersonation or to trick other users into interacting with the attacker's account.
According to Malwarebytes, attackers are now using Punycode in Google Ads to further authenticate the look of their URLs. “Previously, attackers would use subdomains and extensions similar to the site they were mimicking to trick users into clicking, but these are pretty easy to spot. However, by translating a URL into Punycode, bad actors can create an address that looks completely authentic,” they reported.
According to Malwarebytes, internet users click on what they think is a Google Ad; however, the URL leads them to a “malicious website.” Although the address bar will show that the web address is not the expected one, many users never look at the address bar, and those who do may not notice the substitution.
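The two mechanisms described above, ASCII substitutions such as 0 for o and IDN labels that hide non-Latin characters behind Punycode, can be caught by the same defensive check. The following is an added example, not code from this article or from Malwarebytes: a small Python checker that decodes any xn-- labels with the standard library's idna codec, flags labels mixing more than one script, and collapses confusable characters to a Latin "skeleton" so a domain can be compared against a list of protected brands. The protected-domain list and the confusables table are constructed for illustration (the real Unicode confusables table, UTS #39, is far larger), and the script classification from character names is a heuristic rather than the Unicode Script property.

```python
"""Homograph / IDN lookalike checker (added example; heuristic, not a full
implementation of UTS #39 confusable detection or any browser's IDN policy)."""
import unicodedata

# Constructed brand list: the domains we want to protect against lookalikes.
PROTECTED_DOMAINS = ["google.com", "paypal.com", "apple.com", "microsoft.com"]

# Constructed subset of Unicode confusables: each key renders almost
# identically to the Latin character it maps to.
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u0458": "j", "\u0455": "s", "\u04cf": "l",                  # Cyrillic ј ѕ ӏ
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
    "0": "o", "1": "l",                                           # ASCII look-alikes
}
# Multi-character sequences that read as a single Latin letter at small sizes.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}


def to_unicode(domain: str) -> str:
    """Decode Punycode (xn--) labels so the user-visible form can be inspected.
    A domain that is already Unicode is returned lower-cased as is."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def script_of(ch: str) -> str:
    """Heuristic script classification from the Unicode character name
    (first word: LATIN, CYRILLIC, GREEK, ...); digits and '-' are neutral."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def mixed_script_labels(unicode_domain: str) -> list:
    """Return the labels whose letters come from more than one script, the
    classic IDN-homograph pattern (e.g. a Cyrillic 'а' inside a Latin word)."""
    flagged = []
    for label in unicode_domain.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def skeleton(unicode_domain: str) -> str:
    """Collapse confusable characters to their Latin look-alike so that two
    visually identical domains compare equal (a cut-down UTS #39 skeleton)."""
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in unicode_domain)
    for seq, repl in CONFUSABLE_SEQUENCES.items():
        s = s.replace(seq, repl)
    return s


def analyze(domain: str) -> dict:
    """Decode, then report mixed-script labels and any protected domain whose
    skeleton matches this one (a visual twin that is not the same name)."""
    uni = to_unicode(domain)
    skel = skeleton(uni)
    lookalike = next(
        (p for p in PROTECTED_DOMAINS if skeleton(p) == skel and p != uni), None
    )
    try:
        ace = uni.encode("idna").decode("ascii")  # Punycode form, as DNS sees it
    except UnicodeError:
        ace = None  # malformed label; still report what we could decode
    return {
        "input": domain,
        "unicode": uni,
        "punycode": ace,
        "mixed_script_labels": mixed_script_labels(uni),
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # Constructed samples: the ASCII example from the article, a PayPal twin
    # with a Cyrillic 'а' in both Unicode and Punycode form, and the real name.
    twin = "p\u0430ypal.com"
    for d in ["g00gle.com", twin, twin.encode("idna").decode("ascii"), "paypal.com"]:
        r = analyze(d)
        print(f"{r['input']:>20} -> {r['punycode']:<20} "
              f"mixed={r['mixed_script_labels']} lookalike_of={r['lookalike_of']}")
```

Run on the constructed samples, the Cyrillic twin is reported both as a mixed-script label and as a lookalike of paypal.com whether it arrives in Unicode or Punycode form, g00gle.com is caught by the skeleton comparison alone, and the genuine domain produces no findings. In a mail gateway or proxy the same checks would run over every link or sender domain, with the protected list replaced by the organisation's own brands and partners.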
Defending against homographic attacks requires a combination of user education, technological solutions, and best practices. Here are several strategies that can help mitigate the risk of falling victim to homographic attacks:
Signs of a homographic attack include unusual characters or symbols in email addresses or URLs, slight misspellings or alterations to familiar domain names, and unexpected requests for sensitive information. Additionally, users should be wary of emails or websites that create a sense of urgency or pressure to take immediate action.
To protect yourself from homographic attacks, be cautious when clicking on links in emails or messages, especially if they come from unknown or suspicious sources. Manually type URLs into your browser or use bookmarks instead of clicking on links. Verify the legitimacy of websites by comparing the URL with the official website's URL or performing a web search. Enable security features in your web browser and email client to help detect and warn you about suspicious URLs or email addresses.
While it may not be possible to prevent homographic attacks entirely, organizations and individuals can take proactive measures to reduce their risk. This includes implementing security awareness training, deploying email filtering and web security solutions, regularly updating software and systems, and fostering a culture of cybersecurity awareness.