Homograph Attack Using Cyrillic Characters: Know What It Is And How To Avoid It

Klizo Solutions Pvt. Ltd.
7 min readJun 30, 2023

--

Homograph Attack Using Cyrillic Characters

Do you know that phishing is one of the most common cyberattacks to penetrate IT systems?

Do you know that phishing is a serious cyber threat that can cause significant harm to individuals and organizations?

As per the latest stats, phishing attacks are increasing like never before! And the most alarming part is that the phishing methods of cybercriminals are becoming more and more sophisticated and resourceful.

Especially given the alarming rate at which the homograph attacks using Cyrillic characters for domain phishing are increasing, it’s high time to watch out!

In our article here today, we will give you in-depth insight into the phishing scheme of homograph attacks, how you can detect and protect yourself from it, and more!

So without any further delay, let’s hop in!

Phishing Attack — What Is It?

Phishing attacks are one of the biggest cyber threats to businesses and individuals.

Homograph Attack Using Cyrillic

In this type of cyberattack, fraudulent communication, usually emails, is used to trick users into revealing their sensitive information or installing malware on their devices.

Usually, the attackers pretend to be a reputable source, create a sense of urgency or curiosity in the victim and ask to click on a link/ open an attachment/ call a number that leads to a fake website or a malicious file.

Once you do so, the attackers use the information or access obtained from you to steal money, access accounts, or launch further attacks.

The Art Of Deception

Unlike other cyberattacks, phishing relies on social engineering (manipulating people into doing something they wouldn’t normally do, such as giving away their passwords or downloading malware) rather than technical hacking.

Phishing scammers use various techniques to make their communication look authentic and convincing, such as using the sender’s logo, spoofing the email address, and even creating a convincing subject line. They exploit the human emotions of fear, greed, or curiosity to persuade users to take action.

What Is Homograph Or Homoglyph Phishing Attack?

Usually, the term “homograph” or “homoglyph” refers to one or more characters or glyphs that are so identical to another character or glyph that the difference between them is not visible to an average user upon a quick perusal.

Now, a homograph or homoglyph attack happens when attackers use similar-looking foreign characters from various language sets (especially with non-ASCII letters) to create domain names/emails/websites, etc., that resemble the original domain names/websites.

Here, the attackers create their websites or register their domain names that are similar to existing original websites (that usually belong to big corporations, news or email services, banks, etc.) or web addresses to steal data from the users who happen to click on the spoofed link or visit the malicious website.

For example, notice how the Cyrillic alphabet “ɑ” resembles the English alphabet “a.” Check out the table for better understanding.

The homograph spoofing or homoglyph attacks are usually associated with hypothetical domain names such as Gtbɑnk.com, which you can mistakenly believe to read as Gtbank.com (Read again to notice the difference). Here, you can see how a simple substitution of the English/Latin alphabet “a” for the Cyrillic alphabet “ɑ” can lead you to become a phishing attack victim.

While some fraudulent sites may have minor spelling errors compared to genuine websites, in Cyrillic homograph attacks, the attackers exploit an International Domain Name (IDN) using Cyrillic characters.

Simple Homograph Attack

Homograph attacks that use simple ASCII alphanumeric characters are the simplest versions of such attacks, where a fake URL usually consists of only ASCII alphanumeric characters or symbols that are similar to each other.

For example, the letter “o” may be confused with the number “0” or the letter “q” with “g.” Usually, here the attackers target the less experienced internet users who can’t differentiate between these simple character spoofing.

Though this phishing method is simple, it has been quite successful in fooling users.

Homograph Attacks Using non-ASCII Characters

In 2003, a new feature was added to URL addresses, i.e., the use of non-English characters to accommodate the growing number of internet users who spoke languages other than English. This change enabled domain names that could be more meaningful and accessible to a wider audience. As a result, it finally became possible to create web addresses made of combined ASCII and non-ASCII characters or only national symbols.

And from then on, the scammers started organizing homograph attacks using non-ASCII characters. In this type of homograph attack, the attackers use non-English characters in URL addresses or set up subdomains that look like the original domain.

Why The Cyrillic Characters?

Homograph attacks using Cyrillic characters or Cyrillic domain phishing are neither new nor the only language used to trick people. Scammers have also used Chinese, Greek, Hebrew, and Armenian letters to create fake domain names or URLs.

However, Cyrillic (widely used across Eastern Europe) is a favorite of the scammers for it has eleven lower-case characters, identical to the Latin letters and numbers. Using a Cyrillic domain allows attackers to create fake domains that look similar to the real ones but have slight differences that are hard to notice.

A Closer Look At How Homograph Attack Works (Using Cyrillic)

In a homograph attack or IDN spoofing attack, a website’s name is written in a non-Latin script, such as Cyrillic, directly resembling its English counterpart, and it’s converted to a code called Punycode. This Punycode or special encoding correctly transcodes a domain name that contains non-Latin characters into its URL address.

In simpler words, the attackers use Cyrillic letters that look like Latin ones to create fake domains that are hard to distinguish from the real ones to trick users. Check out this image here for a better understanding.

Facebook domain for sale

This image refers to the domain that one has purchased. Now, if you look closely, you will see that only the letter ‘a’ is Cyrillic in the purchased domain.

Such Cyrillic domain names can be dangerous for unsuspecting users who may click on a link or type in a URL that looks legitimate. But unfortunately, it leads them to a malicious website that can steal their information or infect their devices with malware.

Here’s another example where the scammers have created a fake URP for WhatsApp using Cyrillic letters that look similar to Latin alphabet letters (used in English). Look closely, and you will notice the “w” and the “t” of www.whatsapp.com are different. One-click without noticing this difference, and you can fall prey to a phishing attack.

How To Avoid Falling Prey To Homograph Attack?

Just knowing about the IDN homograph attack is not enough! Given the growing number of attack attempts, you must be aware of the best possible ways to detect spoofed hyperlinks to save your personal information from getting stolen.

Some of the CISA (Cybersecurity and Infrastructure Security Agency), which is a part of the Department of Homeland Security, United States, recommended steps to avoid homograph attacks are:

  • Don’t just click on any link you see — it could be a trap! Instead, enter the web address yourself in your browser’s search bar. That way, you’ll know you’re going to the right place.
  • Your web browser is your shield against constantly growing and evolving online threats. So, make sure it’s always updated to the latest version. Using an older version of it might compromise your online security, as it may have cracks or holes that can let the bad guys in.
  • Before you click on a link, take a moment to hover your mouse over it and check where it leads. You’ll see the web address pop up on your screen. If it looks strange or different from what you expected, don’t click on it — it could be a phishing scam trying to trick you.

Apart from these, here are a few more tips to keep in mind to prevent becoming a victim of homograph phishing, such as:

  • Use software that offers protection against malware and viruses
  • Always check the URL carefully for any suspicious characters before clicking
  • Take regular data backups to make the ransomware attack less effective
  • Use bookmarks or search engines to access trusted websites or type the URLs
  • Be skeptical of advertisements that claim to change how popular services or sites work
  • Install security software that can detect and block phishing attempts

Final Verdict

For those who are still in a dilemma regarding whether this homograph or homoglyph phishing attack using Cyrillic or other non-Latin scripts takes place in reality, yes, they happen!

And you will be surprised to know that this online phishing scam known as the homograph attack has been deceiving people since the early 2000s.

So yes, if you were not aware of it until now, after reading the article, you are now enlightened for sure!

Be aware, take the necessary precautions to detect, and save yourself from falling prey to this homograph attack!

For more informative and detailed read about protecting and growing your business, visit our website.

--

--

Klizo Solutions Pvt. Ltd.
Klizo Solutions Pvt. Ltd.

Written by Klizo Solutions Pvt. Ltd.

Your go-to technology partner. We create amazing apps and tech in an enterprise environment.

No responses yet