Homograph Attack

What is a Homograph Attack?

Homograph attacks exploit internationalized domain names (IDN), which allow non-ASCII characters in domain names. Attackers register domains using Cyrillic, Greek, or other alphabet characters that look identical to Latin letters when displayed. For example, Cyrillic ‘а’ and ‘е’ look identical to Latin ‘a’ and ‘e’, so “аррӏе.com” (a Cyrillic lookalike) can render exactly like the legitimate “apple.com” in a browser. Other techniques include substituting the digit zero for the letter O, or l (lowercase L) for I (uppercase i). These lookalike domains pass through many security filters because they are technically different domains, and they can be issued valid TLS (SSL) certificates like any other domain.

Users who inspect the URL visually see the legitimate brand name, which makes detection extremely difficult. Browsers have implemented some protections, such as showing suspicious IDN labels in their Punycode (xn--) form instead of the lookalike characters, but sophisticated attackers find workarounds.

Business Impact

Homograph attacks enable highly effective phishing campaigns because URLs appear completely legitimate even under scrutiny. Users trained to check URLs before clicking or entering credentials are still vulnerable. Organizations face challenges detecting and combating homograph domains since automated tools may not catch all variations, and the number of possible combinations is enormous. These domains are used for credential theft, malware distribution, and fraud. The technical sophistication means less security-aware users have virtually no chance of detection.

Allure Security's Approach

Protecting against homograph attacks requires monitoring for internationalized domain registrations that target your brand, implementing browser and email security controls that detect homograph domains, and rapid takedown of discovered lookalikes. Automated detection must account for multiple alphabets and character substitutions.
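As an added illustration of the detection described above and of the Cyrillic “аррӏе.com” example in the first section (example code, not Allure Security's own tooling), the following Python converts IDN labels to their Punycode form, flags labels that mix scripts, and folds common confusable characters onto their Latin lookalikes to compare against a list of protected brand names. The confusable table is a small constructed subset of Unicode's confusables list, and the brand names are assumed.

```python
import unicodedata

# Constructed subset of confusable mappings (Unicode's confusables.txt is the
# full source). Keys are lookalike characters, values the ASCII target.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
    "0": "o", "1": "l",
}

def to_ascii(domain):
    """Punycode each non-ASCII label (xn-- form), the way DNS and registrars
    see it. Uses Python's RFC 3492 'punycode' codec directly."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def scripts_of(label):
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (e.g. 'CYRILLIC', 'LATIN', 'GREEK')."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in label if c.isalpha()}

def skeleton(label):
    """Fold confusable characters onto their ASCII lookalike."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)

def analyze_domain(domain, protected_brands):
    """Flag a domain whose leftmost label mixes scripts or folds to a
    protected brand name while not actually being that brand."""
    label = domain.split(".")[0].lower()
    scripts = scripts_of(label)
    lookalike_of = None
    for brand in protected_brands:
        if label != brand.lower() and skeleton(label) == skeleton(brand):
            lookalike_of = brand
            break
    return {"ascii": to_ascii(domain), "scripts": scripts,
            "mixed_script": len(scripts) > 1, "lookalike_of": lookalike_of}

if __name__ == "__main__":
    # Constructed sample: the page's Cyrillic lookalike, spelled out as code
    # points so the characters are unambiguous (brand list is assumed).
    sample = "\u0430\u0440\u0440\u04cf\u0435.com"
    print(analyze_domain(sample, ["apple", "paypal"]))
```

The Punycode form is what to log and block on, since it is unambiguous regardless of how a client renders the label.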
