Posted on March 25, 2021

What is an IDN Homograph Attack and How is It Used in Phishing?

When typing letters on a computer, you recognize characters based on the way they display, but computers recognize characters based on ones and zeros (binary). Every character you see on the screen has a matching Unicode reference, and some of these characters look the same in different languages, even though they have different Unicode references. For instance, the letter “a” looks the same in the English language as well as Russian. It’s this concept that can be used to trick users into falling for a phishing attack. Specifically, this attack is referred to as an Internet Domain Name (IDN) homographic attack.

Unicode Characters and Languages

Before going into the details of an IDN homograph attack, you should first understand the way Unicode translates to letters on the screen. A good example is a comparison of Cyrillic letters in the Russian language with Latin letters in the English language. In any language, Unicode is the computer code used to represent the letters that you see on the screen.

Several letters in English look the same in other languages, but the lowercase “a” can be used as an example of homographs. In Latin and in Russian, the lowercase “a” character looks the same, but the Unicode characters used to display them are different. In Latin, the character “a” has a Unicode value of “0061.” In Russian, the character “a” has a Unicode value of “0430.” Because the Unicode values are different, a computer sees these two characters as distinct letters, even though they look the same onscreen.

Using homographic letters, the domain “paypal.com” could have four different Unicode values based on the possible variations with the letter “a.” It’s these “lookalike” alternatives that are used in an IDN homographic attack.

Homographs with Multiple Characters

Using different Unicode characters isn’t the only way to trick users and perform an IDN homograph attack. Some letters look like others when adjacent to each other. For instance, the letters “rn” look like the letter “m” when they are combined. Users who are not paying attention could glance at the domain and see “m” when the domain actually contains an “rn” combination.

As an example, you could have a business domain named “example.com.” An attacker can register the domain “exarnple.com” and some users will be tricked into opening the site. This IDN homograph attack requires users who briefly see the domain and don’t recognize the typo, but it’s still an extremely effective way to phish user credentials.

When users access the site, an attacker would be sure to use the same layout, graphics, and text as your official site. Provided the user does not notice the typo in the domain name, an attacker can trick targeted users into entering credentials, private data, and any other information that can be used for identity theft, advanced persistent threats on the corporate network, or data breaches.

Phishing with Homograph Attacks

Now that you know that characters can look the same but have different computer values, apply this to a standard domain name. If you see “paypal.com” in your browser, it looks the same whether the “a” characters are Russian or English. However, since these letters have different Unicode values, they translate to different domain names and different ones and zeros in binary.

Hackers use this phenomenon to trick users into accessing a phishing site with the same look and feel as the official site. Using the “paypal.com” example, an attacker can register “paypal.com” using Cyrillic letters for the “a” characters and then copy the official PayPal website’s content, including its layout. Users who click the malicious phishing domain will see “paypal.com” in their browser, see the PayPal layout when the page loads, and then enter their PayPal account credentials.

The way an attacker delivers the malicious URL is similar to any other phishing attack. The URL could be delivered in an email. Since the domain name would be legitimate, an attacker could send email using the homographic domain name. Email filters that detect spoofed email addresses would not label these messages as malicious, as they would be using a legitimate email domain.  

What You Can Do to Protect from IDN Homograph Attacks

It’s very expensive to purchase every possible domain name that could be used in this type of attack, but you can take steps to prevent internal users from falling for it. The first one is to implement two-factor authentication (2FA). Should a user fall for a phishing scam on a homographic domain, the attacker would still be unable to authenticate into the compromised account.

If you have authentication pages on your site, artificial intelligence using third-party libraries can be used to determine if there was a possible account breach. For instance, suppose your users are located in the US but an authentication attempt happened from another country. This could be a sign that the user’s account was compromised. Attackers can use a public VPN, but you can also purchase databases with lists of VPNs so that you are notified when an anonymous attacker is trying to hide their IP address.

User training also helps stop phishing and social engineering attacks. Users should never just click a link and then send authentication information. Instead, any activity that requires authentication should be done after the user types the domain into a browser window. Only then should the user enter authentication details. This method ensures that users never become victims of phishing from emails or any other malicious links on the internet.

Unfortunately, email filters will not be effective against this type of attack unless the malicious domain is on a list that can be downloaded with some anti-malware systems. Email filters are good at detecting phishing, but they usually run on specific anti-spoofing techniques. With homographic domains, the domain is legitimate and no spoofing is necessary.

Content filters use a list of malicious domains to block user access. Some homographic domains could be on a list and will be filtered out if you restrict user access based on these blacklisted domains. However, since attackers use domains in other languages, any filters that work only in English won’t detect them. When choosing a filter, make sure it includes homographic domains.
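
A filter or registration monitor can test for both lookalike cases described earlier: Cyrillic letters standing in for Latin ones, and “rn” read as “m”. The following Python is an added example, not part of the original article; the confusables table is a small constructed subset, and the function names and the watch list of protected domains are assumptions made for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# (Assumption: a real filter would load the full Unicode confusables data.)
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}

def scripts(label):
    """Scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    # Heuristic: the first word of a letter's Unicode name is its script.
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(domain):
    """Fold a domain to the string a reader is likely to perceive."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())
    return folded.replace("rn", "m")  # "rn" reads as "m" at a glance

def to_ascii(domain):
    """ASCII (punycode) form of the name, which is what DNS resolves."""
    return domain.encode("idna").decode("ascii")

def check_domain(domain, protected):
    """Return findings for `domain` checked against the domains you own."""
    domain = domain.lower()
    findings = []
    for label in domain.split("."):
        used = scripts(label)
        if len(used) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(used)}")
    for real in protected:
        if domain != real and skeleton(domain) == skeleton(real):
            findings.append(f"lookalike of {real} (resolves as {to_ascii(domain)})")
    return findings

if __name__ == "__main__":
    protected = ["paypal.com", "example.com"]  # hypothetical watch list
    samples = ["paypal.com", "p\u0430yp\u0430l.com", "exarnple.com"]  # constructed
    for name in samples:
        print(to_ascii(name), check_domain(name, protected) or "ok")
```

A label written entirely in Cyrillic is not reported as mixed-script, so it is caught only by the skeleton comparison against the watch list.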

Conclusion

IDN homographic attacks are difficult to defend against, but users can be trained to never click links and enter authentication credentials. User training is the best method to avoid becoming a victim of this attack.
