CyberScout

Homographic Hacking: What It Is and How It Works

homograph
Getty Images

If you are moving fast as we tend to do during the workday, the following four web addresses may not look so different from each other:

  • Google.com
  • Google.сom
  • Googɩe.cоm
  • Ɡoogle.com
  • Google.cоm

While some examples are more noticeable than others, in each version of the above URL address one letter or character has been replaced with a letter from non-Latin, or Roman, alphabet. Cyrillic and Greek are popular go-to symbol sources in the homograph trawling operations implemented by hackers. 

If you think this can’t happen to you, reconsider. Homographic-based phishing “lures” are a powerful tool in today’s phishing campaigns. 

A homograph is a letter or character that looks the same to an end-user, but is represented by different computer code. So while an “a” and an “а” look almost identical, they’re two separate characters as far as a computer or a domain registrar are concerned (specifically, U+0061 and U+0430). 

If a hacker registers a domain name that looks like a legit one, it’s not difficult to create a spoof version of that website to access user credentials entered at login, or to funnel malware onto the user’s computer. 

While many browsers have built-in protection to block URLs and domain names implementing mixed alphabets, the same protection cannot be had against links or URLs sent in the body of an email or via social media–and a single click is often all it takes to compromise a computer or an entire network. 

What can you do to protect against homographic attacks?

Pause before you click: Be careful before clicking on links or downloading attachments–look for telltale signs of phishing including misspellings, or links or fonts that appear “off.”

Be especially wary of emails or communications marked “urgent.” Hackers bank on the quick click response.

Install software updates: Many browsers have built-in protections against homographic attacks, and many security programs can protect against malware, but they both require constant updates to be effective.

Confirm the sender: If you receive a link in an email, get a link in a text message, or receive a message with a link via social media, do a quick follow-up phone call to make sure it’s legitimate.