IDN Homograph attack:
what is it and how to recognize it?

In our daily lives we type and browse hundreds, if not thousands, of domain names per year, and for the most part these domain names are as simple as google.com, yahoo.com or wikipediа.org. But what if I told you that you have probably never visited wikipediа.org in your whole life? You most likely browse wikipedia.org daily rather than wikipediа.org. No joke: they are simply two different domain names, and together they can constitute a so-called IDN homograph attack.

What is an IDN domain name?

An Internationalized Domain Name, as Wikipedia states:

“is an Internet domain name that contains at least one label that is displayed in software applications, in whole or in part, in a language-specific script or alphabet, such as Arabic, Chinese, Cyrillic, Tamil, Hebrew or the Latin alphabet-based characters with diacritics or ligatures, such as French. These writing systems are encoded by computers in multi-byte Unicode. Internationalized domain names are stored in the Domain Name System as ASCII strings using Punycode transcription.”

What this basically means is that an IDN domain name can contain characters from scripts such as Japanese, Russian, Chinese, Hebrew and many others. Examples of these are 名がドメイン.com or detrèsbonsdomaines.com.

Without going into too much detail about IDN domain names, you only need to know that they are perfectly understood by your browser, so you can even register and use one of them like any other domain.

What is a homograph attack?

Remember the two “wikipedia.org” cases above? The one shown in the first paragraph was a homographically written version of Wikipedia’s domain name.

In the first version, “wikipediа.org”, the Latin letter “a” has in fact been substituted with the Cyrillic letter “а”.

Figure: Example of IDN Homograph Attack

Those two letters are visually identical in the Latin and Cyrillic character sets, so it is impossible to tell the correct version apart from the homograph equivalent written with the Cyrillic character just by looking at it. If you copy and paste the first version into your browser, you will notice that it informs you that the domain name “xn--wikipedi-86g.org” is not resolvable. This ASCII form, called Punycode encoding, is in fact how IDN domains are registered and resolved, leaving it to your browser to show you the nicely written form (“wikipediа.org”). When the domain name doesn’t exist, Google Chrome will show you the full name as per RFC1035 standards.

What are the risks of a homograph attack?

Homograph attacks can be used by phishing websites to steal users’ information, such as usernames and passwords, by pretending to be the official version of a website. Visitors will then believe in the legitimacy of the website by looking at the domain name and will provide their confidential information as they normally would on any other trusted website.

How can you recognize a homograph attack?

Our first piece of advice is to turn off IDN support in your browser unless you have a need for it. The number of IDN domains is in fact relatively small, and we believe you can do without that small portion of the Internet.

If you still prefer to use IDN, we recommend always keeping your browser up to date.
Most current browsers, in fact, display the domain name in Punycode if it mixes characters from two or more scripts. In our example, which uses both Latin and Cyrillic, recent and updated browsers such as Opera, Google Chrome, Internet Explorer, Firefox and Edge will present the website as “xn--wikipedi-86g.org”, so that it is clear to you that the domain you followed is a homograph version of wikipedia.org.
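The Punycode form mentioned above and the mixed-script rule that browsers apply can both be checked by hand. The following script is an added example written for this article, not code from the original page or from any browser vendor; it relies on Python’s built-in idna codec for the xn-- conversion and on a simplified script classification taken from Unicode character names (the script names and the Japanese grouping are this example’s own assumptions, not a browser’s actual display policy).

```python
"""Punycode conversion and a mixed-script check for domain names.

Added example for this article, not code from the original page. It uses
Python's built-in "idna" codec for the Punycode (xn--) conversion and a
simplified script check based on Unicode character names; real browsers
apply more elaborate display policies, so treat this as an illustration.
"""
import unicodedata

# Constructed sample domains. The second one is the article's example:
# the last "a" of "wikipedia" is the Cyrillic letter а (U+0430).
LATIN_DOMAIN = "wikipedia.org"
HOMOGRAPH_DOMAIN = "wikipedi\u0430.org"

# Scripts that this simplified check treats as a single group (Japanese
# legitimately mixes CJK ideographs, hiragana and katakana). Assumption
# made for this example only.
SCRIPT_GROUPS = {"HIRAGANA": "CJK", "KATAKANA": "CJK", "CJK": "CJK"}
KNOWN_SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARABIC", "HEBREW",
                 "CJK", "HIRAGANA", "KATAKANA")


def to_punycode(domain: str) -> str:
    """Return the ASCII (Punycode/IDNA) form of a domain, as stored in DNS.
    ASCII-only labels, including ones already starting with xn--, pass through."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Return the Unicode form of a domain that may contain xn-- labels."""
    return domain.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Rough script name for one character, derived from its Unicode name.
    Digits, hyphens and anything unrecognised are reported as COMMON."""
    name = unicodedata.name(ch, "")
    for script in KNOWN_SCRIPTS:
        if name.startswith(script):
            return SCRIPT_GROUPS.get(script, script)
    return "COMMON"


def scripts_in_label(label: str) -> set:
    """Set of scripts used in one label, ignoring COMMON characters."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def display_form(domain: str) -> str:
    """Mimic the browser rule described in the article: show the Unicode
    form only if every label is written in a single script; otherwise fall
    back to the Punycode form so the lookalike becomes visible."""
    ascii_form = to_punycode(domain)
    unicode_form = from_punycode(ascii_form)
    for label in unicode_form.split("."):
        if len(scripts_in_label(label)) > 1:
            return ascii_form
    return unicode_form


def describe_non_ascii(domain: str) -> list:
    """List (character, code point, Unicode name) for every non-ASCII
    character, so the reader can see what a lookalike really is."""
    unicode_form = from_punycode(to_punycode(domain))
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for ch in unicode_form if ord(ch) > 127]


if __name__ == "__main__":
    for domain in (LATIN_DOMAIN, HOMOGRAPH_DOMAIN, "xn--wikipedi-86g.org"):
        print(f"{domain!r}: stored as {to_punycode(domain)!r}, "
              f"displayed as {display_form(domain)!r}")
        for ch, cp, name in describe_non_ascii(domain):
            print(f"  non-ASCII character {ch!r} = {cp} {name}")
```

Running the script shows that wikipedia.org is stored and displayed unchanged, while the homograph version is stored as xn--wikipedi-86g.org and, because its first label mixes Latin and Cyrillic, is displayed in that Punycode form; describe_non_ascii reports the lookalike as CYRILLIC SMALL LETTER A. The check only implements the mixed-script rule the article describes; current browsers apply further rules on top of it, so use it as an aid for reading a suspicious domain rather than as a replacement for an up-to-date browser.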

In addition, bear in mind that various TLDs (Top-Level Domains) don’t allow mixed scripts in domain names, which de facto prevents this issue. Also, well-known trusted CAs (Certificate Authorities) such as Comodo won’t issue any SSL certificate if the requested name uses a brand name or is a suspected homographic version of a known domain name.

Not sure? Check the domain here!

Want to be 100% sure that the domain you are dealing with is safe? Try out our IDN checker by typing the domain name in the box below: