New Homoglyph Tricks Let Cybercriminals Mimic Trusted Domains

New homoglyph attack techniques exploit subtle visual similarities in text to spoof trusted domains, steal credentials, and bypass Unicode handling weaknesses in security tools.

By abusing Internationalized Domain Names (IDNs), Punycode encoding, and Unicode “confusables,” attackers register domains that appear legitimate in the browser bar but resolve to attacker-controlled infrastructure.

A classic example uses Latin ‘a’ (U+0061) versus Cyrillic ‘а’ (U+0430), or Latin ‘o’ (U+006F) versus Greek omicron ‘ο’ (U+03BF); in most fonts, users cannot distinguish them.

When these characters are swapped into domains, filenames, or display names, humans and sometimes naive Unicode filters interpret them as the original brand.

In the DNS world, Punycode encodes deceptive Unicode domains like those containing Cyrillic ‘а’ into ASCII xn— labels, though browsers typically re-render them as Unicode.

According to the report, Homoglyph attacks leverage characters that visually mimic others but differ in Unicode code points, often from disparate scripts like Latin, Cyrillic, Greek, or Armenian.

Modern browsers apply heuristics (e.g., script checks, TLD policies) to decide Unicode vs Punycode display, but homograph attacks remain viable in many locales and edge cases.

New Homoglyph Tricks

Attackers now automate generation of confusable brand variants and bulk-register IDNs that bypass registrar checks, often obtaining free TLS certificates from services like Let’s Encrypt.

These lookalike domains target users via spear-phishing, fake login portals, malware download sites, and brand-impersonating links in ads or chat messages.

Beyond domains, homoglyphs appear in package names, repositories, and usernames, confusing developers and users into trusting malicious code or fake corporate accounts.

On the technical side, adversaries exploit Unicode normalization quirks (NFC/NFKC), confusable mappings from the Unicode Consortium, and bidirectional override controls to manipulate rendering versus storage.

This means naive string comparisons, allowlists based solely on visible labels, or logs lacking normalization may all miss deceptive characters.

Homoglyph domains heavily appear in credential harvesting and financial fraud, where phishing emails link to login pages indistinguishable from real banking or SaaS portals.

In business email compromise, attackers combine deceptive display names with subtly altered domains to trick employees into approving payments or sharing data without inspecting headers.

Fake download portals on homoglyph domains push malware that evades reputation-based blocking by using freshly registered domains.

These map to MITRE ATT&CK techniques: spearphishing links for initial access (T1566.002), reconnaissance on brands/infrastructure (T1593), domain acquisition (T1583.001), and masquerading (T1036).

Once credentials are stolen, attackers progress to credential access and fraud, using homoglyph infrastructure as an initial foothold.

Why defences still fail

Many organizations treat Unicode as an edge case, so email gateways and web proxies may not normalize or flag mixed-script domains, allowing homograph URLs through.

Certificate checks can be misleading; modern PKI issues valid certificates without distinguishing legitimate from deceptive domains.

Even when browsers show Punycode for suspicious IDNs, users trust visual cues and rarely understand xn— labels or script differences.

Security pipelines often log raw strings, not normalized forms, breaking detection of campaigns using slight confusable variations.

Mixed-script detection exists as tools, but they are rarely integrated into SIEM rules, URL rewriting, or SSO controls by default.

Robust defence starts with policy: forbid mixed-script IDN use, and proactively register lookalike domains for critical brands.

At the technical layer, security should normalize Unicode, highlight/IDNs in Punycode, and treat xn— domains as high-risk until reviewed.

DNS security should track newly registered lookalike domains, while certificate transparency alerts can flag suspicious brand-variant certificates.

Solutions like Quick Heal / Seqrite increasingly incorporate URL reputation, IDN awareness, and phishing detection that goes beyond simple matching.

Organisations should also add homoglyph-aware phishing simulations, clear user training, and strong multi-factor authentication.

Layered controls significantly raise the cost of homoglyph-based spoofing by combining technical measures with user vigilance.

Related Articles

Back to top button