When you type letters on a computer, you recognize characters by the way they display, but the computer identifies them by their numeric code. Every character you see on the screen has a matching Unicode code point, and some characters from different scripts look identical even though their code points differ. For instance, the lowercase “a” of the Latin alphabet and the lowercase “a” of the Cyrillic alphabet used for Russian are drawn the same way. This is the property used to trick users in a particular kind of phishing attack, the Internationalized Domain Name (IDN) homograph attack.
Unicode Characters and Languages
Before going into the details of an IDN homograph attack, you should first understand how Unicode turns into letters on the screen. A good example is a comparison of the Cyrillic letters used for Russian with the Latin letters used for English. Unicode assigns every character in every script a number, its code point; the font installed on the computer decides which glyph is drawn for that number, and two different code points can be drawn with the same glyph.
Several English letters have lookalikes in other scripts, and the lowercase “a” is the usual example of a homograph. The Latin and Cyrillic lowercase “a” look the same, but they are different characters: the Latin small letter a has the code point U+0061, while the Cyrillic small letter a has U+0430. Because the code points differ, a computer treats them as distinct letters even though they look identical on screen.
Using homographic letters, the domain “paypal.com” has four possible spellings from the letter “a” alone: each of the two “a” characters can be Latin or Cyrillic, giving two choices for each of two letters, and only the all-Latin spelling is the real domain. Cyrillic also has lookalikes for other letters (U+0440 is drawn like “p” and U+0443 like “y”), so the number of lookalike spellings grows quickly. Before looking a name up, the browser converts any label that contains non-ASCII characters to Punycode, an ASCII form beginning with “xn--”, so each of these spellings is a distinct, separately registrable domain. It’s these lookalike alternatives that are used in an IDN homograph attack.
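As an added example that is not part of the original article, the following Python script makes the code-point difference concrete: it prints the Unicode name of each “a”, builds the four spellings of “paypal” counted above, and converts each to the form the browser actually sends to DNS. The lookalike table and the domain are constructed for illustration; the conversion uses Python’s standard-library idna codec.

```python
import itertools
import unicodedata

# Constructed example: two characters that share a glyph but not a code point.
LATIN_A = "\u0061"      # LATIN SMALL LETTER A
CYRILLIC_A = "\u0430"   # CYRILLIC SMALL LETTER A


def describe(ch):
    """Return (code point, Unicode name) for a single character."""
    return f"U+{ord(ch):04X}", unicodedata.name(ch)


def homograph_variants(label, lookalikes):
    """Every spelling of `label` obtained by keeping each character or swapping it
    for one of its lookalikes. The all-original spelling is included, so a label
    with two swappable letters and one lookalike each yields 2 * 2 = 4 strings."""
    choices = [[ch] + lookalikes.get(ch, []) for ch in label]
    return ["".join(combo) for combo in itertools.product(*choices)]


def to_wire_form(domain):
    """The name a browser sends to DNS: pure-ASCII labels are unchanged, any other
    label becomes Punycode with the xn-- prefix (standard-library idna codec)."""
    return domain.encode("idna").decode("ascii")


def from_wire_form(domain):
    """Inverse of to_wire_form: xn-- labels back to the Unicode the user sees."""
    return domain.encode("ascii").decode("idna")


if __name__ == "__main__":
    for ch in (LATIN_A, CYRILLIC_A):
        print(ch, *describe(ch))
    # Only the letter "a" is swapped here; Cyrillic also has lookalikes for p and y.
    for spelling in homograph_variants("paypal", {LATIN_A: [CYRILLIC_A]}):
        domain = spelling + ".com"
        print(f"{domain!r:>20}  ->  {to_wire_form(domain)}")
```

Only the all-Latin spelling survives the conversion unchanged; every spelling with a Cyrillic “a” becomes a different “xn--” name, which is why a registrar and the DNS treat it as an unrelated domain.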
Homographs with Multiple Characters
Using different Unicode characters isn’t the only way to build a lookalike domain. Some ASCII letters look like others when placed next to each other: the pair “rn” resembles the letter “m”, and “vv” resembles “w”. A user who only glances at the domain may read “m” where the domain actually contains “rn”. Strictly speaking this is a plain-ASCII lookalike rather than an IDN homograph, but it is delivered and exploited in exactly the same way.
As an example, suppose your business domain is “example.com”. An attacker can register “exarnple.com”, and some users will be tricked into opening the site. The attack depends on users who see the domain only briefly and don’t notice the substitution, but it is still an extremely effective way to phish credentials.
When users reach the site, the attacker makes sure it has the same layout, graphics, and text as your official site. Provided the user does not notice the difference in the domain name, the attacker can trick targeted users into entering credentials, private data, and any other information that can be used for identity theft, as a foothold for a longer intrusion into the corporate network, or for a data breach.
Phishing with Homograph Attacks
Now that you know that characters can look the same but have different code points, apply this to a standard domain name. If you see “paypal.com” in your browser, it looks the same whether the “a” characters are Cyrillic or Latin. However, because the code points differ, the browser converts the Cyrillic spelling to a different Punycode name before looking it up in DNS, so it is a different domain that resolves to a different server.
Attackers use this to lure users to a phishing site with the same look and feel as the official one. Using the “paypal.com” example, an attacker registers “paypal.com” with Cyrillic letters in place of the “a” characters and copies the official PayPal website’s content and layout. Users who click the malicious link see “paypal.com” in their browser, see the familiar PayPal layout when the page loads, and enter their PayPal account credentials. One caveat: current browsers apply display rules that show many mixed-script labels in their “xn--” form rather than as lookalike letters, so attackers favor spellings that pass those rules, or delivery channels where the user never inspects the address bar, such as an email preview or a mobile app.
The malicious URL is delivered the same way as in any other phishing attack, typically in an email. Because the attacker genuinely owns the lookalike domain, they can send mail from it with valid SPF, DKIM, and DMARC records. Email filters that detect spoofed sender addresses will not label these messages as malicious: those checks verify that the message really came from the domain in the header, not that the domain is the one the reader thinks it is.
What You Can Do to Protect Against IDN Homograph Attacks
It’s very expensive to purchase every possible domain name that could be used in this type of attack, but you can take steps to keep internal users from falling for it. The first is to implement two-factor authentication (2FA). Should a user enter a password on a homographic domain, the attacker still cannot log in with the password alone. Be aware that codes sent by SMS or generated by an authenticator app can also be phished: a proxying phishing site can relay the code to the real site in real time. Phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys are bound to the site’s true origin, so they will not produce a valid response for the lookalike domain.
If you run authentication pages on your site, risk-based login analysis (whether built in-house or bought from a third-party service) can flag a probable account takeover. For instance, if your users are located in the US but an authentication attempt arrives from another country, or from a device and browser the account has never used before, that may be a sign the account was compromised. Attackers can hide behind public VPNs, but commercial IP reputation feeds list known VPN and proxy exit addresses, so you can be notified when a login comes from one of them.
User training also helps stop phishing and social engineering attacks. Users should never click a link and then submit authentication information. Instead, any activity that requires authentication should begin with the user typing the domain into the browser window, and only then entering credentials. A password manager reinforces this habit: it autofills only on the exact origin it stored, so if it offers no credentials for a page that looks like the login page, the domain is not the one the user expects. This practice greatly reduces the chance that a user is phished through an email or any other malicious link.
Unfortunately, email filters are not effective against this type of attack unless the malicious domain is already on a blocklist that some anti-malware systems download. Email filters are good at detecting spoofing, but they usually rely on specific anti-spoofing techniques (SPF, DKIM, DMARC). With a homographic domain, the sender domain is real and no spoofing is necessary, so catching the message requires a filter that decodes “xn--” labels and compares the visible name against your brands.
Content filters use a list of malicious domains to block user access. Some homographic domains will already be on such a list and will be filtered out if you restrict access based on blocklisted domains. However, a filter that only compares the ASCII string the browser sends, without decoding the “xn--” form and mapping lookalike characters back to their Latin equivalents, will not recognize a Cyrillic spelling of your brand. When choosing a filter, make sure it detects homographic domains rather than only exact blocklist matches.
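Putting the two detection ideas together (the adjacent-character lookalikes such as “rn” for “m” from the earlier section, and the Punycode-aware filtering this section asks for), here is an added Python example that is not part of the original article. It decodes any “xn--” label back to what the user would see, folds a small confusable table to a plain-ASCII “skeleton”, and flags a domain when that skeleton matches a protected brand or when one label mixes scripts. The confusable table, the protected list and the sample sender addresses are all constructed for illustration; a production filter would use the full Unicode confusables data rather than this subset.

```python
import unicodedata

# Constructed subset of Unicode confusables (the full TR39 table lists thousands).
# Each key is drawn like its value in common fonts; the multi-character keys are
# ASCII pairs that read as one letter at a glance.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",  # Cyrillic palochka
    "\u0131": "i",  # Latin dotless i
    "rn": "m", "vv": "w", "cl": "d",
}
# Longest keys first so "rn" is folded before any single-character rule.
_RULES = sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0]))

# Constructed list of domains we want to protect.
PROTECTED = {"paypal.com", "example.com"}


def unicode_form(domain):
    """Decode xn-- labels to the characters a user would see; leave anything
    that is not valid wire-form IDNA unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def skeleton(label):
    """Fold one label to the ASCII string a reader is likely to perceive:
    compatibility-normalize (fullwidth letters, ligatures), lowercase, then
    apply the confusable rules."""
    folded = unicodedata.normalize("NFKC", label).lower()
    for seq, repl in _RULES:
        folded = folded.replace(seq, repl)
    return folded


def scripts(label):
    """Names of the scripts whose letters appear in the label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_domain(domain):
    """Classify a domain against PROTECTED.
    Returns (verdict, displayed_form); verdict is 'exact', 'lookalike',
    'mixed-script' or 'clean'."""
    shown = unicode_form(domain.strip().lower().rstrip("."))
    if shown in PROTECTED:
        return "exact", shown
    labels = shown.split(".")
    if ".".join(skeleton(lbl) for lbl in labels) in PROTECTED:
        return "lookalike", shown
    # A label mixing Latin with another script is suspicious even when it
    # matches no protected brand; browsers use the same signal for display.
    if any(len(scripts(lbl)) > 1 for lbl in labels):
        return "mixed-script", shown
    return "clean", shown


# Constructed sample of sender addresses as a mail filter would see them
# (the xn-- form is what appears on the wire).
SAMPLE_SENDERS = [
    "billing@paypal.com",
    "service@xn--pypal-4ve.com",   # Cyrillic a in the second position
    "hr@exarnple.com",             # rn in place of m
    "alerts@b\u0430nk.com",        # mixed script, no protected match
    "news@corner.com",             # contains rn but folds to nothing protected
]


def scan_senders(addresses):
    """Return (address, verdict, displayed domain) for every non-clean sender."""
    flagged = []
    for addr in addresses:
        verdict, shown = check_domain(addr.rsplit("@", 1)[-1])
        if verdict in ("lookalike", "mixed-script"):
            flagged.append((addr, verdict, shown))
    return flagged


if __name__ == "__main__":
    for addr, verdict, shown in scan_senders(SAMPLE_SENDERS):
        print(f"{verdict:13} {addr:30} displays as {shown}")
```

The skeleton comparison is deliberately lossy: “corner.com” folds to “comer.com”, which is harmless here because it matches nothing protected, but a wide confusable table against a long brand list will produce some false positives, so treat a match as a signal to quarantine or review rather than a verdict on its own.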
IDN homograph attacks are difficult to defend against with technology alone, but users can be trained never to click a link and then enter credentials. User training is the best method to avoid becoming a victim of this attack.