Internationalised domain names (IDNs) allow users to register domain names in almost any written language, enabling today’s global internet to become more multilingual. However, non-Latin script Unicode characters are making it easier for cybercriminals to register domain names for phishing websites. This website phishing technique, known as a homograph attack or IDN spoofing, is nothing new but reports indicate it’s a growing problem. If your domain isn’t being monitored, your brand is unprotected and may be at risk.
Unicode confusables key to homograph attacks
Farsight Security, the world’s largest provider of DNS data, has reported that between May 2017 and April 2018, nearly 36,000 domains were used to imitate 466 top brands with lookalike domains which used confusable characters. These brands came from diverse industries, ranging from banking to retail to technology. 91 percent of these IDNs were considered “confusable”.
IDNs represent characters in scripts other than Latin. Like other domains, IDNs rely on Unicode, which is the standard for digital representation of all the world’s languages. However, the key to a homograph attack is a specific Unicode formula known as Punycode. Punycode converts non-Latin script characters into code that is readable by DNS. For example, españa.com converted by Punycode creates the domain xn-espaa-rta.com. DNS will have no trouble recognizing xn-espaa-rta.com as it does not contain any non-Latin characters.
The problem, though, is that letters from different alphabets can look the same in different languages. These are called “confusables”. Confusables are nearly undetectable to users, email clients, or web browsers.
To an untrained eye, there is no problem. But look closely at the “o” above “tower” and you’ll see a small diacritic mark – “ȯ” – which is used in some languages so, therefore, supported by Unicode.
This is the kind of small language script change that fraudsters rely on. They trick you into thinking you’re seeing one thing but, in reality, they’re redirecting you to a lookalike phishing site.
Combatting homograph attacks is everyone’s responsibility
ICANN (Internet Corporation for Assigned Names and Numbers) has taken steps to fight homograph attacks. Its Guidelines for the Implementation of Internationalized Domain Names provides registries and registrars with rules designed to help restrict the prevalence of homograph attacks and keep brands protected. Unfortunately, Farsight’s research indicates not everyone is adhering to the rules.
Many browsers have also responded to the growing threat of homograph attacks by providing warnings to users about potential Punycode lookalikes.
Notice how in both examples the website address is converted to Punycode, “xn--80a7a.com” so visitors better understand this is a lookalike site. It is not the actual “.ca.com” site they are searching for. It is, instead, one using the Cyrillic “a” to trick users.
But what about outside browsers where such warning don’t exist? Users have a number of options:
- Don’t click on suspicious-looking links in emails, especially from senders you don’t know.
- See if your email client has the option to disable links altogether from incoming emails.
- Changing the junk filter level will significantly remove the number of malicious incoming emails.
- For both email and social media links, use a link checker (there are a number of them out there) to verify it.
Domain monitoring tools will help keep your brand protected
Of course, EBRAND is here to help eliminate threats which could undermine your brand name.
We use brand protection tools to monitor new domain name registrations, quickly identifying domains which are identical or confusingly similar to your brand, corporate name, or trademark. We identify who the infringing third party is. When necessary, we take legal action to stop third parties from infringing on your domain.
For more information about how we can help keep your domain name out of the hands of others, get in touch with one of our support agents. We are committed to making sure your brand name is never used by malicious third parties intent on unleashing the next big homograph attack.
