A homoglyph is a glyph (or character) from one character set that looks identical to a glyph from another character set. For example, the lower-case letter “а” from the Cyrillic alphabet appears to be identical to the lower-case letter “a” from the Latin alphabet.
While seemingly identical to the human eye, they are very different to a computer. Pasting a string that contains one of these characters into a web browser, and then a string that contains the other, will take you to very different places.
Homoglyphs are frequently used in URL impersonation attacks because their substitution is indistinguishable to the human eye.
Homoglyphs are also more effective than other forms of impersonation, such as replacing a lowercase “m” with “rn,” which can look almost identical in some fonts (for example, arnazon.com versus amazon.com), or impersonation that preys on common misspellings (for instance, micosoft.com).
So just how identical can a homoglyph attack be? In the next section, we will explore an example.
Note: To keep everyone safe, we have used screenshots for all impersonated domains.
Creating a homoglyph
To create an impersonated domain, we are going to use the Homoglyph Attack Generator at irongeek.com. From this page, we first need to type in the domain we want to impersonate. I am going to use supertekboy.com.
The generator then allows us to swap out each letter with a letter from another character set. The first two rows are the Latin character set in upper and lower case. However, several other character sets, including Cyrillic, are included.
Using the generator, we can switch one or more letters with those from a different character set. Let’s swap the Latin letter “e” for the Cyrillic letter “е” (Unicode U+0435). This gives us the output below. Can you tell the difference?
If you were to click that link or cut and paste the URL into a browser, you would be redirected to the following URL.
Were a bad actor to register this redirected domain, they could use it as a launchpad for any number of attacks, such as delivering a malicious payload, social engineering, or password capture. (I believe some domain registrars are blocking these types of domains.)
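As an added example (not part of the original post), the following Python script shows the defender's side of the domain built above: the punycode form that a browser converts the look-alike into before it reaches DNS, plus two checks a mail or proxy filter can use to flag it (a label that mixes scripts, and a confusable-folded "skeleton" that matches a protected domain). The sample domains, the watchlist and the small confusables table are constructed for this demonstration.

```python
import unicodedata

# Constructed sample domains for this demonstration (not from the original post).
# The look-alike swaps the second Latin "e" of supertekboy.com for the
# Cyrillic small letter ie (U+0435), as described in the post.
GENUINE = "supertekboy.com"
LOOKALIKE = "supert\u0435kboy.com"
WATCHLIST = {"supertekboy.com"}  # domains we want to protect (constructed)

# Hand-picked subset of Cyrillic letters that render like Latin ones
# (illustrative only; the Unicode confusables.txt table is far larger).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def letter_scripts(label):
    """Scripts used by the letters of one DNS label, taken from the first word of
    the Unicode character name ("LATIN SMALL LETTER A", "CYRILLIC SMALL LETTER IE").
    unicodedata exposes no Script property, so this is a practical stand-in."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in label if c.isalpha()}


def skeleton(domain):
    """Fold known confusables to their Latin twin so look-alikes compare equal."""
    return "".join(CONFUSABLES.get(c, c) for c in domain)


def to_ace(domain):
    """The ASCII-compatible (punycode, xn--) form a browser actually sends to DNS."""
    return domain.encode("idna").decode("ascii")


def assess(domain):
    """Return the findings a mail or proxy filter would log for one domain."""
    mixed = [lbl for lbl in domain.split(".") if len(letter_scripts(lbl)) > 1]
    skel = skeleton(domain)
    impersonates = skel if skel != domain and skel in WATCHLIST else None
    return {
        "domain": domain,
        "ace": to_ace(domain),
        "mixed_script_labels": mixed,
        "impersonates": impersonates,
        "suspicious": bool(mixed) or impersonates is not None,
    }


if __name__ == "__main__":
    for d in (GENUINE, LOOKALIKE):
        print(assess(d))
```

The genuine domain encodes to itself, while the look-alike becomes an xn-- label; the skeleton check also catches look-alikes whose every letter was swapped, which the mixed-script check alone would miss.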