Full Report
Homoglyph Attacks: How Lookalike Characters Are Exploited for Cyber Deception Table of Contents: Introduction What is a Homoglyph Attack? Practical Homoglyph Confusable Practical Homoglyph Confusable Table Why Homoglyph Attacks Are Effective Common Homoglyph Use Cases and Attack Vectors Real-World Examples and Campaign Patterns Technical Deep Dive — Unicode, IDNs, and Punycode Unicode and Scripts IDNs […] The post Homoglyph Attacks: How Lookalike Characters Are Exploited for Cyber Deception appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Tool/Technique: Homoglyph Attack (IDN Homograph Attack)
## Overview
A homoglyph attack is a visual deception technique where an attacker uses lookalike characters from different scripts (Unicode) to impersonate trusted domains, filenames, or brand names. The goal is to deceive users and automated systems into interacting with malicious resources by exploiting the visual similarity between characters like the Latin "o" and the Greek "ο" (omicron).
## Technical Details
- **Type**: Technique (Deception / Impersonation)
- **Platform**: Multi-platform (Web browsers, Email clients, File systems, Chat applications)
- **Capabilities**: Domain spoofing, credential harvesting, malware distribution, bypassing security filters, and supply-chain poisoning.
- **First Seen**: First described in 2002 (Gabrilovich and Gontmakher, "The Homograph Attack", Communications of the ACM); later formalized in Unicode Technical Reports #36 (Security Considerations) and #39 (Security Mechanisms); continuous evolution as browsers and registries changed their IDN display and registration policies.
## MITRE ATT&CK Mapping
- **TA0042 - Resource Development**
- **T1583.001 - Acquire Infrastructure: Domains**
- **TA0001 - Initial Access**
- **T1566 - Phishing**
- **T1566.002 - Phishing: Spearphishing Link**
- **T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools**
- **TA0005 - Defense Evasion**
- **T1036 - Masquerading**
## Functionality
### Core Capabilities
- **Script Substitution**: Using characters from other scripts (Cyrillic, Greek, Armenian) that render identically to Latin letters in common fonts, or same-script variants such as the Turkish dotless i (U+0131, which is still Latin script) that slip past mixed-script checks.
- **Punycode Encoding**: Relying on IDNA to carry Unicode labels as ASCII-compatible `xn--` labels, so the lookalike resolves and obtains a certificate like any other domain (e.g., `gοogle.com` with Greek omicron U+03BF as its second character becomes `xn--gogle-rce.com`).
- **Visual Mapping**: Exploiting pure-ASCII pairs such as "rn" (Latin) resembling "m", or capital "I" resembling lowercase "l"; these contain no non-ASCII characters, so neither Punycode display nor script analysis flags them.
### Advanced Features
- **TLS/SSL Legitimacy**: Attackers obtain valid domain-validated certificates (e.g., via Let's Encrypt, which issues automatically to whoever controls the domain) for Punycode domains, so the browser shows the "padlock" icon; the padlock proves control of the lookalike domain, not the identity of the brand.
- **Mixed-Script Attacks**: Combining multiple character sets within a single string to bypass simple regex-based detection.
- **Supply Chain Impersonation**: Registering deceptive package names in repositories (NPM, PyPI) that use homoglyphs to trick developers into downloading malicious dependencies.
## Indicators of Compromise
- **File Names**: Executables or documents using lookalike characters (e.g., `fаcebook_setup.exe` where 'а' is Cyrillic).
- **Network Indicators**:
- Domains containing `xn--` labels (a triage signal only: legitimate internationalized domains carry the same prefix, so review rather than block on the prefix alone)
- `gοogle[.]com` (Greek omicron)
- `microsοft[.]com` (Greek omicron)
- `раypal[.]com` (Cyrillic 'а' and 'р')
- **Behavioral Indicators**: Browser redirects from a Punycode-encoded URL to a credential harvesting page; certificate transparency logs showing certificates for suspicious Punycode domains.
## Associated Threat Actors
- Widely used by **Cybercriminal Groups** for mass phishing.
- **APT Groups** (Advanced Persistent Threats) for targeted spear-phishing and initial access.
- **State-sponsored actors** for brand and government agency impersonation.
## Detection Methods
- **Normalization**: Apply Unicode NFKC to inbound strings/URLs before any other check. This folds compatibility variants (fullwidth letters, ligatures such as "ﬁ") onto their base characters, but it does not fold cross-script lookalikes (a Greek omicron stays an omicron), so normalization alone is not a homoglyph detector.
- **Confusable Skeletons**: Map each character to its UTS #39 confusable "skeleton" (Cyrillic "а" to Latin "a", "m" to "rn", "1" to "l") and compare skeletons; two strings with the same skeleton are visually confusable regardless of script.
- **Punycode Inspection**: Flag any domain containing an `xn--` label for automated review and render its Unicode form for the analyst; treat this as triage, since legitimate IDNs carry the same prefix.
- **Mixed-Script Detection**: Flag strings whose letters come from two or more scripts (e.g., Latin and Cyrillic), as major browsers do before deciding whether to display a label as Unicode or as Punycode. Allow legitimate mixtures (Han with Hiragana or Katakana) and remember that same-script attacks (dotless i, "rn" for "m") pass this check.
- **Distance Algorithms**: Compute Levenshtein distance between a new registration and protected brand names on the skeleton form, not the raw code points; on raw code points a single substituted omicron is distance 1, indistinguishable from a typo, while its skeleton is distance 0 from the brand.
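The checks above combined into one triage routine, as an added example that is not from the original post. The confusables table is a constructed subset of UTS #39, the script classifier is a heuristic (first word of each letter's Unicode name, since the standard library exposes no Script property), the protected-domain list and sample registrations are constructed, and the verdict thresholds are assumptions of this example.

```python
import unicodedata

# Constructed subset of the UTS #39 confusables table: each key maps to the
# skeleton form UTS #39 folds it to. The real table has thousands of entries.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03c1": "p",   # Greek
    "\u0131": "i",                                                 # Latin dotless i
    "m": "rn", "1": "l", "0": "o",                                 # same-script pairs
}

# Constructed list of domains the organisation wants protected.
PROTECTED = {"paypal.com", "google.com", "microsoft.com", "amazon.com"}

# Constructed sample registrations, each labelled with what it demonstrates.
SAMPLES = [
    "paypal.com",                    # genuine
    "\u0440\u0430ypal.com",          # Cyrillic р and а: mixed script
    "g\u03bfogle.com",               # Greek omicron: mixed script
    "\uff47oogle.com",               # fullwidth g: NFKC folds it to the genuine domain
    "m\u0131crosoft.com",            # dotless i plus m: single script, caught by skeleton
    "paypa1.com",                    # digit 1 for l: pure ASCII, caught by skeleton
    "amazon-security-update.com",    # combo-squat: outside this check's reach
]


def scripts(text: str) -> set[str]:
    """Heuristic stand-in for the Unicode Script property (assumption):
    the first word of each letter's Unicode name, e.g. LATIN, CYRILLIC, GREEK."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in text if unicodedata.category(c).startswith("L")}


def skeleton(text: str) -> str:
    """UTS #39-style skeleton: NFKC, map confusables, NFKC again."""
    nfkc = unicodedata.normalize("NFKC", text.lower())
    mapped = "".join(CONFUSABLES.get(c, c) for c in nfkc)
    return unicodedata.normalize("NFKC", mapped)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(domain: str) -> str:
    """Second-level label, the part a brand lookalike usually targets."""
    return domain.split(".")[-2]


def assess(domain: str) -> dict:
    """Normalize, then run script, skeleton and distance checks against PROTECTED."""
    normalized = unicodedata.normalize("NFKC", domain.lower())
    label = sld(normalized)
    closest = min(PROTECTED, key=lambda p: levenshtein(skeleton(label), skeleton(sld(p))))
    distance = levenshtein(skeleton(label), skeleton(sld(closest)))
    mixed = len(scripts(label)) > 1
    if normalized in PROTECTED:            # NFKC already folded it onto a genuine domain
        verdict = "genuine"
    elif distance == 0 or mixed:           # same skeleton, or scripts that never mix
        verdict = "lookalike"
    elif distance <= 2:                    # threshold is an assumption of this example
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"domain": domain, "ascii": normalized.encode("idna").decode("ascii"),
            "scripts": sorted(scripts(label)), "mixed_script": mixed,
            "closest": closest, "skeleton_distance": distance, "verdict": verdict}


def run() -> list[dict]:
    return [assess(d) for d in SAMPLES]


if __name__ == "__main__":
    for f in run():
        print(f"{f['ascii']:32} {f['verdict']:10} mixed={f['mixed_script']} "
              f"dist={f['skeleton_distance']} scripts={f['scripts']}")
```

Two outcomes are worth noting. The fullwidth sample is reported as genuine because NFKC (and nameprep before it) folds it onto `google.com`, so it never resolves anywhere else; the combo-squat is reported clean because neither skeleton nor distance catches a brand embedded in a longer label, which is why combo-squatting needs a separate containment check.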
## Mitigation Strategies
- **Technical Controls**: Implement DNS filtering that blocks known malicious Punycode domains; utilize browser extensions that highlight IDNs.
- **Security Policy**: Enforce phishing-resistant Multi-Factor Authentication (FIDO2/WebAuthn, where the credential is bound to the genuine origin and will not answer a challenge from a lookalike domain); OTP and push-based MFA limit the damage of stolen passwords but can still be relayed through a proxying phishing site.
- **Proactive Monitoring**: Track Certificate Transparency logs for new registrations of brand-related lookalike domains.
- **Brand Protection**: Register defensive "squatting" domains for critical brand variations.
## Related Tools/Techniques
- **Typosquatting**: Registration of domains based on common typos (e.g., gogle.com).
- **Bitsquatting**: Registering domains that differ from a target by a single bit in one character, so that hardware memory errors in clients or resolvers occasionally send traffic to the attacker's domain.
- **Combo-squatting**: Adding keywords to a brand (e.g., amazon-security-update[.]com).
- **Right-to-Left Override (RTLO)**: Using the `U+202E` character to reverse the visual order of text filenames.