Homograph attacks: How hackers exploit look-alike domains
Several years ago, a security researcher discovered a vulnerability in Google Chrome that allowed fake domains to bypass the browser’s security measures. The researcher registered a domain that appeared as “xn--80ak6aa92e.com” but displayed as “apple.com” in the browser, demonstrating how easy it was to deceive users. This is just one example of what’s known as a homograph attack, or sometimes a ‘look-a-like domain’.
Homograph attacks exploit the similarity between characters from different alphabets to create domain names that look identical to legitimate ones, tricking even more cautious users. From mimicking well-known brands to impersonating financial institutions, homograph attacks pose a significant risk and are worth identifying. We’ll run through the mechanics of these attacks and offer practical steps you can take to protect your organization.
What are homograph attacks?
A homograph attack is a type of phishing technique where attackers exploit the similarities in character appearance to deceive users. For example, in Unicode the Cyrillic “а” (U+0430) looks identical to the Latin “a” (U+0061). They might use characters from different alphabets that look similar to create domain names that appear legitimate but are actually malicious. When users click on these deceptive links, they are directed to malicious websites that can steal their credentials or infect their devices with malware.
This can trick users into visiting fake websites or downloading harmful software, thinking they are interacting with a trusted source. If your internal end users are targeted by a homograph attack, the risks can be significant. They might inadvertently enter sensitive information, such as login credentials, financial data, or personal details, on the attacker’s fake website that can be used to launch further attacks.
If attackers are impersonating your organization, they may also trick potential customers or business partners and damage your reputation.
Features of homograph attacks to watch out for
- Unicode characters: Homograph attacks often exploit the use of Unicode characters in Internationalized Domain Names (IDNs). These characters can look very similar to standard ASCII characters, making it difficult for users to distinguish between legitimate and malicious domains.
- Punycode: IDNs are often encoded in Punycode, a format that represents Unicode characters in ASCII. For example, a domain like “exаmple.com” (where “а” is a Cyrillic “a”) might be encoded as “xn--exmple-9cf.com”. Understanding and recognizing Punycode can help in identifying potential homograph attacks.
- Prepackaged phishing kits: Attackers often use pre-packaged phishing kits that include templates, scripts, and tools to create convincing homograph domains and phishing pages. These kits can be purchased on the dark web, making it easier for less technically skilled attackers to carry out homograph attacks.
- Trust exploitation: Homograph attacks often rely on social engineering techniques to trick users. By mimicking trusted brands or organizations, attackers exploit the trust users have in these entities, making the attacks more effective.
How does a homograph attack play out?
A homograph attack can play out in several ways, but here’s a typical step-by-step scenario:
- Domain registration: The attacker registers a domain name that looks very similar to a legitimate, well-known website. As a straightforward example, they might register “g00gle.com” instead of “google.com,” where the letter “o” is replaced with the number “0.”
- Phishing: The attacker sends a phishing email to potential victims. The email might appear to come from a trusted source, such as a bank or a popular service. The email contains a link that looks legitimate but actually leads to the attacker’s malicious site.
- User interaction: The victim clicks on the link, believing it to be safe. The malicious site is designed to look identical to the legitimate site, complete with a similar layout, logo, and content.
- Data theft: Once on the fake site, the victim might be prompted to enter sensitive information, such as login credentials, credit card details, or personal data. The attacker captures this information and uses it for fraudulent activities.
- Malware distribution: In some cases, the fake site might also distribute malware. When the victim clicks on certain links or downloads files, they unknowingly install malicious software on their device.
- Further exploitation: With the stolen information or access to the victim’s device, the attacker can perform additional malicious activities, such as identity theft, financial fraud, or further spreading of malware.
How to identify and prevent homograph attacks?
Identifying and preventing homograph attacks could be crucial for maintaining the security and trust of your organization. Here are the most important and effective ways to do so:
- User education and training:
- Regular training: Conduct regular cybersecurity training sessions to educate employees about homograph attacks and how to recognize them.
- Phishing simulations: Run phishing simulations to test and improve employees’ ability to identify suspicious emails and links.
- URL verification: Train users to verify URLs by looking for HTTPS and checking the domain name carefully. Encourage them to type URLs directly into the browser rather than clicking on links in emails.
- Multi-factor authentication (MFA):
- Implement MFA: Require multi-factor authentication for all user accounts to add an extra layer of security beyond just usernames and passwords.
- Domain monitoring:
- Monitor for similar domains: Use domain monitoring services to detect and block suspicious domain registrations that closely resemble your organization’s domain.
- Brand protection services: Utilize brand protection services that can help identify and take down malicious domains.
- Domain takedown: If you discover a homograph domain being used for malicious purposes, you can report it to the domain registrar or use legal means to have it taken down.
- Security tools and software:
- Browser extensions: Encourage the use of browser extensions that can detect and block homograph attacks.
- Security software: Deploy advanced security software and firewalls that can identify and block malicious traffic.
- Browser Settings: Some web browsers have settings that can help mitigate homograph attacks. For example, you can configure your browser to always display Punycode instead of Unicode for IDNs.
- DNS Security Extensions (DNSSEC): Implementing DNSSEC can help verify the authenticity of DNS data, making it harder for attackers to redirect traffic to malicious sites.
- Email filtering:
- Advanced email filters: Use advanced email filtering solutions to detect and block phishing emails that contain homograph URLs.
- SPF, DKIM, and DMARC: Implement Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to enhance email security.
- Regular security audits:
- Vulnerability assessments: Conduct regular vulnerability assessments and penetration testing to identify and address potential security weaknesses.
- Security policies: Ensure that security policies are up-to-date and that all employees are aware of and follow them.
- Incident response:
- Develop a plan: Create a comprehensive incident response plan that includes procedures for detecting, responding to, and recovering from homograph attacks.
- Regular drills: Conduct regular incident response drills to ensure that the organization is prepared to handle security incidents effectively.
- Post-incident analysis: After a homograph attack, conduct a thorough post-incident analysis to understand how the attack succeeded and what can be improved in your defenses.
- User support: Provide clear and immediate support to users who may have been affected by the attack, including steps to secure their accounts and monitor for any signs of fraud.
EASM tools and domain discovery
Getting visibility over your external attack surface is more crucial than ever. External Attack Surface Management (EASM) tools help organizations identify and monitor every component of their attack surface can seem overwhelming – including unknown assets. Outpost24’s AI-enhanced EASM tool includes a domain discovery, which finds all of an organization’s domains and subdomains, plus the assets associated with them. This helps to:
- Analyze and triage their discovered candidate domains
- Discover domains they are likely to own
- Discover domains that might be suspicious such as homograph domain
- Swiftly identify and flag any anomalies or unauthorized domains
Map your organization’s attack surface
Discover and secure your digital assets with Outpost24’s EASM solution. Its advanced domain discovery feature helps identify and mitigate homograph attacks, ensuring your online presence is protected. Book your free attacks surface analysis.
FAQs
A homograph attack is where cybercriminals create domain names that look very similar to legitimate ones, often by using characters from different alphabets that appear identical to the human eye.
To protect yourself from homograph attacks, always double-check the URL in your browser’s address bar to ensure it matches the expected domain. Configure your web browser to display Punycode instead of Unicode for IDNs, making it easier to spot suspicious domains. Consider investing in an EASM tool with a domain discovery feature.
If you suspect a homograph attack, avoid clicking on any suspicious links or entering any personal information. Notify your organization’s IT or security team immediately. If the attack is targeting a personal account, report it to the relevant service provider.
About the Author
