Years ago when I was teaching college composition, a student showed me a draft of an essay that contained some clearly inaccurate statistics on her topic. When I pointed them out, she assured me they came from a reliable source, ABC News. Knowing the information was inaccurate—this was a popular topic I’d had students write on before, so I’d read multiple sources on it—I asked her to pull up the article on her laptop. I thought maybe she simply mixed up the numbers and reviewing the article would help us fix her error.
She pulled up the website and I immediately knew it wasn’t reliable. Like so many fake news websites, it was littered with typos and grammar mistakes. However, it looked professional. It had the ABC News logo, glossy photos, multiple articles on real current events. It even had the correct URL…almost.
It took a few minutes of confusion before I noticed the URL my student was using contained some extra information, abcnews.com.co instead of simply abcnews.com. Clearly, this wasn’t the website my student thought she was using, but what exactly was happening here?
Homograph Attacks: When What Looks Right Is Actually Wrong
What my student and I had encountered is closely related to what’s called a homograph attack. It also goes by IDN homograph attack (IDN stands for internationalized domain name), homographic domain attack, homoglyph attack, and script spoofing, among other names. Strictly speaking, abcnews.com.co is a look-alike domain rather than a true homograph, since the extra “.co” is really there if you read it, but the idea is the same: a domain that passes for the real one at a glance. Regardless of what you call it, the attack is simple to execute and hard to detect, especially if you’re unfamiliar with this kind of deception.
It starts when a malicious actor registers a domain that looks very similar to a real website. The actor then obtains a valid SSL/TLS certificate so the site loads with the https prefix. The S in https stands for “secure,” but it only means that the connection between your browser and that site is encrypted; it says nothing about who runs the site. Visitors tend to read the padlock as a sign of legitimacy, even though a certificate can be obtained for free, automatically and within minutes, for any domain the attacker controls.
Simple look-alike attacks rely on domain names that differ from the real one by a character or two (this variant is often called typosquatting). A common example is “faceboook.com” versus the real “facebook.com,” or “iinstagram.com” versus the real “instagram.com.” At first glance, many users fail to register the extra letter and click through to the wrong website. But once you’re aware of this type of attack, it’s easy enough to avoid by reading the address carefully.
However, more sophisticated attacks can be much more difficult to detect. Internationalized domain names let a domain contain Unicode characters from non-Latin writing systems, and many Cyrillic and Greek letters are visually identical, or nearly so, to the Latin letters used by English speakers. Behind the scenes such a name is stored and registered in an ASCII encoding called Punycode, which turns the label into something like “xn--pple-43d,” but the browser decodes that back into the original Unicode characters for display, so what you see in the address bar looks like ordinary Latin letters. (If this is confusing, Malwarebytes has a helpful table that shows characters in Cyrillic that look similar to Latin characters.)
As Cecilia Pastorino of WeLiveSecurity explains, “it is possible to register a domain name such as ‘xn--pple-43d.com,’ which is interpreted by the browser as ‘apple.com,’ but is actually written using the Cyrillic character ‘а’ (U+0430) instead of the ASCII ‘a’ (U+0041). While both characters look the same to the naked eye, for the purpose of browsers and security certificates these are two different characters, and so represent different domains.”
The result is a domain that looks 100% correct to human eyes and can be almost impossible to spot by inspection alone.
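To make the mechanism concrete, here is an added example (not code from the original post) in Python. It uses the standard library’s idna codec to convert between the Unicode form a browser displays and the Punycode form that is actually registered, and then applies two checks to a domain: the mixed-script rule (letters from more than one writing system in a single label, which is the kind of rule browsers use to decide whether to show Punycode) and a “skeleton” comparison that maps look-alike letters back to Latin and tests the result against a list of brands. The CONFUSABLES table is a small hand-built subset, and the PROTECTED list of brand domains is a hypothetical example; both are assumptions of this example rather than anything from the post.

```python
import unicodedata

# Constructed lookup of non-Latin letters that are visually confusable with
# Latin letters. This is a small hand-picked subset for illustration; the
# Unicode consortium publishes a far longer list (confusables.txt).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
}

# Hypothetical list of brands we want to protect, in their real ASCII form.
PROTECTED = {"apple.com", "facebook.com", "instagram.com", "abcnews.com"}


def to_ascii(domain: str) -> str:
    """Encode a (possibly Unicode) domain into the ASCII form that is actually
    registered and sent on the wire. Non-ASCII labels become Punycode with the
    'xn--' prefix; labels that are already ASCII pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode 'xn--' labels back to the Unicode characters a browser displays.
    Accepts either form, so it can be used to normalise any input."""
    return domain.encode("idna").decode("idna")


def script_of(ch: str) -> str:
    """Coarse script of one character, taken from its Unicode name
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and hyphens are valid
    in any label, so they are treated as script-neutral."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in(label: str) -> set:
    """Set of scripts used by the letters of a single DNS label."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def skeleton(text: str) -> str:
    """Replace each confusable letter with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def check_domain(domain: str, protected=PROTECTED) -> dict:
    """Apply two independent tests and report both.

    1. Mixed script: a label combining letters from two writing systems.
    2. Look-alike: after mapping confusables to Latin, does the whole name
       collide with a protected brand? This catches single-script homographs
       (every letter Cyrillic) that the mixed-script test cannot see.
    """
    uni = to_unicode(domain)
    mixed = [label for label in uni.split(".") if len(scripts_in(label)) > 1]
    skel = skeleton(uni)
    lookalike = skel if skel != uni and skel in protected else None
    return {
        "unicode": uni,
        "ascii": to_ascii(uni),
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
        "suspicious": bool(mixed) or lookalike is not None,
    }


if __name__ == "__main__":
    # Constructed inputs: the real domain, a mixed-script homograph (Cyrillic
    # 'а' plus Latin 'pple'), and a homograph built entirely from Cyrillic.
    for d in ["apple.com", "\u0430pple.com", "\u0430\u0440\u0440\u04cf\u0435.com"]:
        print(check_domain(d))
```

Two things are worth noticing when you run it. The mixed-script rule alone is not enough: “аррӏе.com” (every letter Cyrillic) is a single-script label, and only the skeleton comparison catches it, which is exactly why the address-bar heuristics in browsers had to grow beyond the simple mixed-script check. And a plain typo domain such as “faceboook.com” is flagged by neither test, because it contains no confusable characters; that class of look-alike still has to be caught by reading the address.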
What Is The Purpose Of Homograph Attacks?
Most homograph attacks are phishing attacks: the attacker wants users to land on the fake site and enter passwords or other personal information that can be harvested and used or sold. Other times, downloads on these fake sites install malware on users’ systems that tracks their behavior or harvests information.
Protecting Yourself From Attacks You Can’t See
There are a few steps at the browser level that you can take to protect yourself from homograph domain attacks. First, always keep your browser updated. Updates contain important security patches and new features that help you stay safe online. If it’s been a while since you’ve reviewed your settings, check out our post “Web Browser Security: Why It Matters And How To Improve It” for tips on improving your browser security.
Chrome, Firefox, and Safari all fall back to showing the Punycode (“xn--”) form of a domain label that mixes characters from two or more writing systems, so a spoof like “аpple.com” with a Cyrillic а appears in the address bar as “xn--pple-43d.com,” which is obviously not Apple. This doesn’t catch everything (a name built entirely from look-alike Cyrillic letters isn’t mixed-script, so browsers need additional checks for that case), but it blocks the majority of attacks launched by less sophisticated bad actors. If you’d rather not rely on those heuristics at all, Firefox lets you set “network.IDN_show_punycode” to true in about:config so that every internationalized domain is always displayed in its Punycode form.
Other general internet security practices also apply:
- Email: Don’t click on links within emails before inspecting them. Hover your cursor over the link to see the actual destination (the visible link text can differ from where it really goes) and check the spelling of the domain carefully. You can also tighten your email filters to block more junk mail, which will prevent some of these attacks from reaching you.
- Social Media: Again, don’t click on links before you have investigated them. Be careful of links in ads that show up in your newsfeed. Also be wary of links that your friends share without commenting on them, since those links may actually have been posted by someone who hijacked their account.
- Antivirus Software: This really should go without saying, but use reliable antivirus software. There are some great free options like Avast and Bitdefender that provide the basic coverage everyone should have and are easy to use. The kindly people at PC Mag have compiled a list of the ten best free antivirus software tools of 2020. If you’re cruising the internet unprotected, check out their site and install the protection you know you need. Also, keep your antivirus software updated so it will be as effective as possible.
- Check Links: If you are suspicious of a link, don’t click on it. Instead, copy and paste the address into a site like Punycode Converter (which will reveal any hidden “xn--” form) or one of these link checking sites to find out whether the site has a history of malware or phishing attempts. You can also install a browser plugin like Avast Online Security that will check sites as you browse the web, alerting you to suspicious sites you encounter. You can learn about more browser security plugins here.
With a little common sense and attention to detail, you can avoid falling for most online scams. But with homograph attacks, the key is being aware that they exist. Thankfully, internet browsers and antivirus tools are developing better defenses against these kinds of attacks. It’s just up to users to take advantage of the protections that are available to them.
If you’re concerned about internet security for your business, consider using a business VPN to protect the data you exchange across networks. Coupled with a strong endpoint security strategy, you can protect against data leaks and network security threats whether your employees are sitting in your office or working from home on their couch.
Employing knowledgeable, certified cybersecurity specialists is expensive, and for many small or medium-sized businesses the cost is prohibitive. Yet the consequences of substandard security can destroy businesses through data breaches, fines, and the loss of client trust. This is why TracSoft’s managed IT services are so essential to our clients. Our expert team offers 24/7 security monitoring to businesses just like yours. With over twenty years of experience using industry-leading software, we are the IT specialists you can count on. Contact us today to build a customized security plan for your business.