Homograph attack: What is it and how to avoid it

A homograph attack is a type of phishing attack based on using similar characters to pretend to be another site. While most of them are easily recognizable by end-users with proper training (for example, g00gle.com), homograph attacks based on international domain names (IDN) can be unrecognizable from the domains they are spoofing. 

Understanding homograph attacks

A homographic attack, also called a homograph attack, is a phishing attack where attackers create URLs or domain names that visually resemble legitimate ones by using characters from different character sets that look similar to the characters in the original domain name.

For example, attackers might replace certain letters in a legitimate domain name with visually similar characters from other alphabets or character sets, such as using Cyrillic, Greek, or other non-Latin characters that resemble Latin characters. This can deceive users into thinking they are visiting a legitimate website when, in fact, they are being directed to a malicious site controlled by the attacker.

Homographic attacks can be particularly effective because they exploit human perception and the way users visually process domain names, making it difficult for users to distinguish between legitimate and malicious URLs. This type of attack can be used for various malicious purposes, including phishing for sensitive information such as usernames, passwords, or financial details, or spreading malware.

See also: Why do cyberattacks happen?

Types of homograph attacks

Homograph attacks can take several forms, each with its own method of exploiting visually similar characters to deceive users. Here are some common types:

URL homograph attack

In a URL homograph attack, attackers register domain names that visually resemble legitimate domain names by replacing certain characters with visually similar characters from different character sets. For example, they might replace the letter "o" in a domain name with the number "0" or use Cyrillic characters that resemble Latin characters. Users may not notice the difference and could inadvertently visit the malicious website.

Email address homograph attack

Similar to URL homograph attacks, attackers can create email addresses that mimic legitimate addresses by using visually similar characters. This tactic is often used in phishing attacks where the attacker sends emails from addresses that appear to be from trusted sources, such as banks or government agencies, in an attempt to trick users into providing sensitive information.

See also: HIPAA Compliant Email: The Definitive Guide

IDN homograph attack

Internationalized Domain Names (IDNs) allow domain names to be registered using non-Latin characters, such as Cyrillic, Greek, or Chinese characters. In an IDN homograph attack, attackers register domain names that contain characters from different scripts that look similar to Latin characters. This can be particularly deceptive because the domain name appears legitimate when displayed in the user's native language.

File name homograph attack

Attackers can use homograph characters in file names to disguise malicious files. 

For example, they might create a file with a name that looks like a harmless document or image file but actually contains malware. This tactic can be used to trick users into downloading and executing malicious files on their systems.

Username homograph attack

On online platforms that allow users to choose their usernames, attackers can create accounts with usernames that resemble legitimate users' names by using homograph characters. This can be used for impersonation or to trick other users into interacting with the attacker's account.

In the news

According to Malwarebytes, attackers are now using Punycode in Google Ads to further authenticate the look of their URLs. “Previously, attackers would use subdomains and extensions similar to the site they were mimicking to trick users into clicking, but these are pretty easy to spot. However, by translating a URL into Punycode, bad actors can create an address that looks completely authentic,” they reported. 

According to Malwarebytes, internet users click on what they think is a Google Ad; however, the URL leads them to a “malicious website.” Although the address bar will indicate that the web address is incorrect, many users do not look at the address bar, and may even miss it. 

Defending against homograph attacks

Defending against homographic attacks requires a combination of user education, technological solutions, and best practices. Here are several strategies that can help mitigate the risk of falling victim to homographic attacks:

• Education and awareness: Educate users about homographic attacks and how they work. Teach them to scrutinize URLs, email addresses, and other text for unusual characters or inconsistencies that may indicate a potential homograph attack.
• Use secure browsers: Utilize web browsers with built-in protections against homographic attacks. Modern browsers often include features that highlight or warn users about suspicious or lookalike URLs.
• Enable Punycode display: Configure web browsers and email clients to display IDNs in Punycode format, which represents non-Latin characters in a standardized way. This can help users identify potentially malicious domain names.
• Email filtering: Implement email filtering solutions that can detect and block phishing emails, including those containing homographic domain names or email addresses. Train users to be cautious when clicking on links or downloading attachments from unknown or suspicious sources.
• Two-factor authentication (2FA): Enable 2FA wherever possible, especially for sensitive accounts such as email, online banking, and social media. Even if attackers manage to obtain login credentials through a homographic attack, they will still need a second factor to access the account.
• Security software: Install and regularly update antivirus and antimalware software on all devices. These programs can help detect and remove malicious files, including those obtained through homographic attacks.
• Domain monitoring: Monitor domain registrations for any suspicious activity, such as newly registered domains that closely resemble legitimate ones. 
• Vendor and third-party risk management: Evaluate the security practices of vendors and third-party service providers, especially those with whom you share sensitive information. Ensure they have measures in place to protect against homographic attacks and other security threats.

FAQ’s

What are some signs that an email or website may be part of a homographic attack?

Signs of a homographic attack include unusual characters or symbols in email addresses or URLs, slight misspellings or alterations to familiar domain names, and unexpected requests for sensitive information. Additionally, users should be wary of emails or websites that create a sense of urgency or pressure to take immediate action.

How can I protect myself from homographic attacks?

To protect yourself from homographic attacks, be cautious when clicking on links in emails or messages, especially if they come from unknown or suspicious sources. Manually type URLs into your browser or use bookmarks instead of clicking on links. Verify the legitimacy of websites by comparing the URL with the official website's URL or performing a web search. Enable security features in your web browser and email client to help detect and warn you about suspicious URLs or email addresses.

Can homographic attacks be prevented?

While it may not be possible to prevent homographic attacks entirely, organizations and individuals can take proactive measures to reduce their risk. This includes implementing security awareness training, deploying email filtering and web security solutions, regularly updating software and systems, and fostering a culture of cybersecurity awareness.