What is a Homoglyph Attack?
A homoglyph attack (also called a homograph attack or visual spoofing attack) is a sophisticated phishing technique where attackers register domain names using characters that visually resemble legitimate characters. For example, using "rn" to mimic "m" (rnicrosoftcom vs microsoft.com) or substituting Cyrillic "а" (U+0430) for Latin "a" (U+0061). These attacks exploit human visual perception limitations to deceive users into visiting malicious websites.
Common Homoglyph Substitutions
ASCII-Based Substitutions
| Original | Spoofed | Visual Effect |
|---|---|---|
| m | rn | "rn" looks like "m" |
| w | vv | "vv" resembles "w" |
| l (lowercase L) | 1 (one) | Nearly identical |
| O | 0 | Often confused |
| cl | d | Combined resemblance |
Unicode/IDN Substitutions
| Latin | Cyrillic | Unicode Points |
|---|---|---|
| a | а | U+0061 vs U+0430 |
| e | е | U+0065 vs U+0435 |
| o | о | U+006F vs U+043E |
| p | р | U+0070 vs U+0440 |
| c | с | U+0063 vs U+0441 |
How Homoglyph Attacks Work
Attack Methodology
1. Target identification: Attacker selects high-value brand domain
2. Character analysis: Identify substitutable characters
3. Domain registration: Register visually similar domain
4. Website cloning: Copy legitimate site's appearance
5. Distribution: Send phishing emails with spoofed links
6. Credential harvesting: Capture user logins on fake site
Real-World Example
Legitimate: apple.com
Spoofed: аррӏе.com (uses Cyrillic а, р, ӏ, е)
app1e.com (uses number 1 for l)
appIe.com (uses capital I for l)
Technical Defense Mechanisms
Browser Protections
Modern browsers implement IDN homograph protections:
- Display punycode (xn--) instead of Unicode for suspicious domains
- Show warnings for mixed-script domain names
- Block known homoglyph patterns
Punycode Conversion
IDN domains are converted to ASCII-compatible encoding:
Unicode: аррӏе.com
Punycode: xn--80ak6aa92e.com
DNS-Level Protections
- Some registries restrict IDN character sets
- Confusable character blocking policies
- Same-registrant requirements for similar domains
Detection and Prevention
For Users
1. Examine URLs carefully: Hover over links before clicking
2. Use bookmarks: Navigate to sensitive sites via saved bookmarks
3. Check certificates: Verify SSL certificate organization names
4. Enable browser protections: Keep browsers updated
5. Use password managers: They won't autofill on spoofed domains
For Organizations
1. Register defensive domains: Acquire common homoglyph variations
2. Implement DMARC: Email authentication prevents spoofed sender domains
3. Monitor for lookalikes: Use brand monitoring services
4. Employee training: Educate staff on visual spoofing risks
5. Report abuse: Submit takedown requests for discovered fakes
Brand Protection Strategies
Organizations should proactively defend against homoglyph attacks:
- Domain portfolio expansion: Register Unicode variants of brand domains
- Trademark monitoring: Watch for infringing registrations
- Automated detection: Deploy tools scanning for visual lookalikes
- Legal action: UDRP proceedings for trademark-infringing domains
- Customer communication: Educate customers about official domains
Homoglyph attacks represent a persistent security threat exploiting the gap between human visual perception and technical character encoding. Comprehensive defense requires both technical controls and user awareness.