Have you ever received an email or message warning you that your account is in danger, urging you to click a link to recover it? At first glance, it seems harmless. However, if you click on it, you may unknowingly provide your personal information on a website that looks almost identical to the genuine one. Here is where many people fall victim to the sophisticated trap known as IDN Homograph Attacks. In this article, we’ll explore this trick and discuss how you can protect yourself and share some knowledge I’ve learnt from my time at zen8labs.
An example of a spoofing attack
Let’s compare the following two links:
If you don’t pay close attention, you might struggle to notice that the letter “a” in the second link isn’t the Latin “a”, but rather a similar-looking character from the Cyrillic alphabet. It’s a subtle difference, yet it can lead to significant risks.
What Are IDNs (Internationalized Domain Names)?
Internationalized Domain Names (IDN) allow the use of characters from various alphabets in domain names, including Japanese, Russian, Chinese characters, and many others beyond English. This system was designed to enhance the accessibility and usability of the internet, thereby enabling users from diverse cultures to access the web more easily by using familiar characters.
For instance, a website might have a domain such as “example.com” or “例子.com” instead of relying solely on Latin characters. Yet, this flexibility creates opportunities for IDN Homograph Attacks—spoofing attacks that exploit visually similar characters from different alphabets. While these characters may appear similar briefly, they are distinct in Unicode, allowing for the creation of different domain names that are challenging to spot.
How the attack works
Imagine receiving an email from a seemingly trustworthy source with a subject related to security. This email contains urgent news about a newly discovered vulnerability, along with a link asking you to click for more information. Once you do, you are directed to a website that looks identical to the legitimate one.
However, the domain name in the email contains characters from another alphabet that differ only slightly from the original site (such as the letters “о” or “і” from the Cyrillic alphabet). The attacker has registered this deceptive domain to trick users, crafting a fake website that mimics the real one in every detail—from logos and colours to layout. To further lend credibility, they may even acquire a TLS/SSL security certificate from a reputable certification authority, displaying a lock icon in the address bar.
When you log in or submit personal information on this counterfeit site, you inadvertently send all that information directly to the attacker. They can then exploit this data for identity theft or unauthorized transactions. For many, the “secure” HTTPS links adorned with a lock icon can create a false sense of security, making them more susceptible to deception.
The Man-in-the-Middle attack scenario and greater risks
In more complex scenarios, attackers may utilise a Man-in-the-Middle approach, creating a copy of the legitimate site while executing requests from the user to the real site in the background. As a result, the victim may perform various actions without realising they are interacting through an intermediary site. This method often targets sensitive platforms, such as online banking or financial services. Some malicious actors exploit these fake sites to distribute malware, establish backdoors for botnets, mine cryptocurrency, or deploy other harmful software.
How to identify and prevent spoofing attacks
For end users, detecting a HTTP spoofing attack can be relatively straightforward using modern web browsers. After clicking a link, check the address bar to confirm that you are accessing a site from a trusted source. Even if the link is provided in an email or as an Internationalized Domain Name (IDN), browsers like Google Chrome, Mozilla Firefox, and Safari will display them in Punycode, helping you easily identify a potential spoof.
To safeguard yourself against HTTP spoofing attacks, consider implementing a few safety measures. Rather than clicking links in emails or messages, type the website address directly into your browser’s address bar. This approach not only helps you avoid counterfeit websites but also makes sure you access the correct site. Additionally, consider utilising online security tools, such as browser extensions designed to verify the authenticity of websites. These tools can provide warnings if you attempt to access a site that raises red flags.
For domain owners, while detecting spoofing attacks can be challenging, you can proactively educate your users about signs of phishing. Use official communication channels to share information on how to identify your website and how users can protect their personal information.
If you are looking for a partner that can help to consult you on IT security, then consider reading this post about the best consulting partner for you.
Linh Phung, Software Engineer
