Homoglyphic attacks - The dangerous game with characters

Homoglyphic (also known as homographic) attacks are a sophisticated form of cyberattack in which attackers use similar characters from different writing systems to create deceptively real phishing websites or fraudulent emails. This type of attack is becoming increasingly important as it is difficult to detect and poses significant security risks.

Translated with DeepL.com (free version)

Definition and explanation

This type of attack refers to the misuse of characters that look the same or almost the same in different fonts, but have different encodings or meanings. In URLs or email addresses, a homoglyphic attack can result in a user being taken to a fake website that looks deceptively similar to the real site.

Techniques of homoglyphic attacks:

Visual deception: Use of visually identical characters, e.g. “1” “l” (lower case L) and “I” (upper case i) or “rn” and “m”.
International characters: Use of characters from non-Latin scripts (e.g. Cyrillic, Greek) that look similar to Latin letters, e.g. the Greek ο (omicron) and the Latin o.
Unicode manipulation: Use of characters from the Unicode character set that change the display, e.g. by using the right-to-left override (RLO), which ensures that the letters after it are output in “reverse” order (i.e. from right to left).

Translated with DeepL.com (free version)

Examples and case studies

Example 1: Fake domain names

Imagine you receive an e-mail that purports to come from “paypal.com”. However, it is actually “рaypal.com” (where the “р” is a Cyrillic character). The user does not notice the difference and enters their sensitive data on the fake website.

Example 2: Email manipulation

An employee receives an email from a supposed business partner with the address “ceo@firma.com”, which is actually “ceо@firma.com” (with a Greek “о”). He opens the attachment and unknowingly triggers malware.

Case study: Attack on a bank and its customers

A well-known bank was the victim of a homoglyphic attack in which the domain “bank.com” was replaced by “bаnk.com” (with Cyrillic “а”). The attackers had previously registered the domain and mimicked the appearance of the bank’s website. Customers who visited the site (lured by a link in an email) landed on the phishing page, where they entered their login details without suspicion. This allowed the attackers to gain access to the victims’ bank accounts and carry out transactions. This attack led to considerable losses and cost the bank millions in compensation and reputational damage.

Impact and risks

Homoglyphic attacks can have far-reaching consequences, especially for companies that rely on their online presence. Phishing attacks, identity theft and financial losses are just some of the potential risks. As such attacks are often difficult to detect, they can cause great damage before they are discovered.
For users, the main risks are identity theft, compromise of accounts (e.g. email, bank) or loss of sensitive data, which could lead to subsequent blackmail attempts.
For companies, the risks are even more serious:

Companies whose brands or domains are misused for such attacks can suffer significant reputation losses. The trust of customers after an attack becomes known can be impaired in the long term and thus have a significant negative impact on business.
Financial losses: Companies usually have to bear the costs of fixing the security vulnerabilities and dealing with the consequences themselves.
Legal consequences: Companies can face legal problems if they do not take sufficient measures to protect their customers from such attacks. This can lead to fines and civil proceedings, especially in the context of data protection laws.
These attacks are particularly dangerous in sectors such as finance, e-commerce and public administration, where sensitive data needs to be protected.

Protective measures

Fortunately, there are various ways to protect yourself against homoglyphic attacks:

Modern security software

Modern security software uses automation and AI systems to detect and block suspicious activity in real time, effectively blocking phishing attempts. These technologies also analyze URLs for homoglyphic attacks by identifying unusual character patterns and alerting users to potential threats.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) provides additional protection for accounts and data by requiring multiple verification steps. Even if the password to an account could be determined by the attacker, access requires one or more additional verifications, e.g. entering a code sent to a specific, predetermined device.

Cooperation with domain registrars

Registrars play an important role in identifying and disabling fraudulent domains, monitoring suspicious activity and taking swift action to block or remove phishing websites.

Sensitization and training

Employees should be regularly informed about how such attacks can take place. Knowledge of social engineering is essential in order to recognize these attacks at an early stage. In addition to advice on “common sense”, this includes encouraging employees never to allow themselves to be put under pressure.

We discussed how hybrid working models can be secured with the experts from Jamf.
Click here for the results from the live talk “Hybrid Work needs Zero Trust”.

Conclusion

Homoglyphic attacks are an underestimated but effective method of deceiving users and stealing data. They use the visual similarity of characters to mislead people. As they are often difficult to recognize, it is all the more important to remain vigilant and take protective measures. Companies should act proactively to protect their customers and employees

Jens Reichardt

Business Development Executive

E-Mail: jreichardt@spirit21.com

Jens is an expert in the field of device management and Modern Workplace. Whether it’s iOS, Android, Windows or macOS, you are in the best hands with Jens if you have any questions.