A reader texted VERIFY a screenshot that warned of a particularly deceptive strategy used by hackers. It included what appeared to be two copies of the same banking website URL for each bank shown — except that in one copy of each pair, one of the letter “a”s was written in Cyrillic, the alphabet used in several countries, including Russia.
THE QUESTION
Can hackers mimic a website’s URL by using nearly identical letters from other alphabets?
THE SOURCES
Unicode Consortium, the standards organization for the internationalization of software and services
ICANN, a nonprofit that manages how the domain name system functions
Bitdefender, a cybersecurity company
MalwareBytes, a cybersecurity company
THE ANSWER
Yes, hackers can mimic a website’s URL by using nearly identical letters from other alphabets.
WHAT WE FOUND
Some letters in the Latin alphabet, which is the alphabet used for English, look nearly identical to certain letters in other alphabets, particularly Greek and Cyrillic.
A hacker can swap out a Latin character for a very similar Cyrillic or Greek character when creating a URL. In some fonts, these letters look exactly the same, making it impossible to tell by eye that a URL is spoofing another. In other fonts, the letters differ only slightly, which still makes it difficult to tell a malicious URL from an official one.
When a hacker or scammer uses these look-alike letters to trick people into thinking a malicious link or website is real, it’s called a homograph attack, says Bitdefender, a cybersecurity company. Internet standards organizations, browser makers and domain registries actively work to minimize these attacks by restricting URLs with copycat characters.
“The good news is that homograph attacks most likely are not going to become mainstream – they are not easy to set up or maintain,” wrote Martin Zugec, technical solutions director at Bitdefender, in 2022. “However, they are a dangerous and effective tool used for targeted campaigns.”
Website domain names originally supported only ASCII, the U.S. standard character set consisting of Latin letters, according to the Unicode Consortium, the standards organization for the internationalization of software and services. ICANN, a nonprofit that manages how the domain name system functions, developed a system that lets a domain name use characters from other languages and alphabets. These are internationalized domain names, commonly called IDNs.
These internationalized domain names can be displayed anywhere you might find a domain name — so that would include web browsers, email applications, messaging apps and so on. But, depending on the font, characters in some alphabets can be similar or even identical to characters in the Latin alphabet.
That gives hackers opportunities to trick people with fake URLs that are almost impossible to spot. For example, https://www.vеrifythis.com actually includes a Cyrillic ‘е,’ but in certain fonts it looks identical to https://www.verifythis.com, VERIFY’s real website.
There are even enough letters that look the same between the two alphabets that someone could mimic a website’s entire URL using only Cyrillic letters. For example, this version of https://www.аррӏе.com is written entirely in Cyrillic, despite looking identical to the real https://www.apple.com in some fonts.
Cyrillic letters that resemble Latin letters include: а, г, ԁ, е, ѕ, і, ј, ԛ, о, с, у, х, һ, ѡ, ҽ, ъ, Ь, ѵ, ԝ and ӏ. Greek letters that look like Latin letters include: α, κ, ν, ο and several uppercase letters.
In order to prevent scams, most popular browsers don’t display URLs that mix characters from different alphabets.
Google Chrome will not display the IDN for URLs that mix Latin, Greek and/or Cyrillic letters; instead, it will show gibberish in place of any Greek or Cyrillic characters. Chrome also won’t display the IDN for URLs consisting entirely of letters identical to Latin letters, unless those characters match the website’s country code. So, Chrome will allow a .ru website to use a Cyrillic domain name made up of characters that look like Latin letters.
Firefox similarly won’t display the internationalized domain name of a website that mixes Latin, Greek and/or Cyrillic in its URL. However, Firefox does display IDNs of websites that are made up entirely of characters that look identical to Latin letters regardless of the website’s country code. Some web browsers, such as Chrome, will stop you from going to a website URL using another alphabet. Chrome will instead suggest the actual URL of the website it believes you meant to go to.
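To make the browser behavior described above concrete, here is an added example (not code from VERIFY, Bitdefender or any browser vendor) that applies a simplified version of the same display policy to a hostname. It splits the name into labels, works out each letter's script from its Unicode character name, flags labels that mix Latin with Greek or Cyrillic, flags labels made entirely of the Cyrillic and Greek look-alikes listed above unless the country-code suffix matches, and shows any flagged label in its “xn--” Punycode form, which is the encoded text that appears where a browser refuses to render the Unicode name. The function names, the `SCRIPT_TLD_EXCEPTIONS` table (containing only .ru, the one exception the article names), the sample hostnames and the addition of Cyrillic р to the look-alike set (needed for the article's own аррӏе example) are assumptions of this example; real browsers use far larger confusable tables.

```python
"""Homograph (IDN look-alike) label checker.

Added example: not code from VERIFY, Bitdefender or any browser. It models a
simplified version of the mixed-script / whole-script-confusable policy the
article attributes to Chrome and Firefox. Function names, the TLD exception
table and the constructed sample hostnames are assumptions of this example.
"""
import unicodedata

# Cyrillic letters the article lists as Latin look-alikes, as code points:
# а г ԁ е ѕ і ј ԛ о с у х һ ѡ ҽ ъ Ь ѵ ԝ ӏ
CYRILLIC_LOOKALIKES = set(
    "\u0430\u0433\u0501\u0435\u0455\u0456\u0458\u051b\u043e\u0441"
    "\u0443\u0445\u04bb\u0461\u04bd\u044a\u042c\u0475\u051d\u04cf"
    "\u0440"  # р (resembles Latin p); added here because the article's аррӏе example uses it
)
# Greek letters the article lists: α κ ν ο
GREEK_LOOKALIKES = set("\u03b1\u03ba\u03bd\u03bf")
LOOKALIKES = CYRILLIC_LOOKALIKES | GREEK_LOOKALIKES

# Country-code exception the article describes for Chrome: an all-Cyrillic
# look-alike name is still shown as Unicode under .ru. Illustrative table only;
# real browser tables cover many more scripts and TLDs.
SCRIPT_TLD_EXCEPTIONS = {"CYRILLIC": {"ru"}}

# Verdicts ordered from least to most suspicious.
SEVERITY = ["ascii", "single-script", "allowed-by-tld",
            "whole-script-confusable", "mixed-script"]


def script_of(ch):
    """Script of a letter, taken from the first word of its Unicode name
    (e.g. 'LATIN', 'CYRILLIC', 'GREEK'); digits and hyphens count as 'COMMON'."""
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_ace(label):
    """Return the ASCII-compatible (Punycode, RFC 3492) form of one label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def from_ace(label):
    """Inverse of to_ace: decode an 'xn--' label back to Unicode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def classify_label(label, tld=""):
    """Classify one DNS label under the simplified display policy."""
    if label.isascii():
        return "ascii"
    letters = [c for c in label if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        # Latin mixed with Greek/Cyrillic (or any other mix): never shown as Unicode.
        return "mixed-script"
    if not scripts:
        return "single-script"  # only digits/punctuation, nothing to confuse
    (script,) = scripts
    if script != "LATIN" and all(c in LOOKALIKES for c in letters):
        # Every letter has a Latin twin: the whole label can impersonate an ASCII name.
        if tld.lower() in SCRIPT_TLD_EXCEPTIONS.get(script, set()):
            return "allowed-by-tld"
        return "whole-script-confusable"
    return "single-script"


def check_hostname(hostname):
    """Return (display_form, worst_verdict). Labels that fail the policy are
    shown in their xn-- form instead of as Unicode, as a cautious browser does."""
    labels = hostname.split(".")
    tld = labels[-1]
    verdicts = [classify_label(lab, tld) for lab in labels]
    shown = [to_ace(lab) if v in ("mixed-script", "whole-script-confusable") else lab
             for lab, v in zip(labels, verdicts)]
    worst = max(verdicts, key=SEVERITY.index)
    return ".".join(shown), worst


if __name__ == "__main__":
    # Constructed samples built from the article's two examples (U+0435 Cyrillic е
    # in "verifythis"; U+0430/U+0440/U+04CF/U+0435 for аррӏе) plus the real ASCII name.
    for host in ("www.verifythis.com", "www.v\u0435rifythis.com",
                 "www.\u0430\u0440\u0440\u04cf\u0435.com",
                 "www.\u0430\u0440\u0440\u04cf\u0435.ru"):
        print(f"{host!r:45} -> {check_hostname(host)}")
```

Running the script shows the genuine name passing untouched, the one-letter Cyrillic substitution rendered as an “xn--” label because it mixes scripts, the all-Cyrillic аррӏе label rendered as “xn--” under .com, and the same label left in Unicode under .ru, mirroring the Chrome exception described above.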
But protections aren’t uniform everywhere. Zugec’s 2022 blog post for Bitdefender pointed out that Microsoft Outlook and other Microsoft Office apps don’t hide these URLs with look-alike characters. Other apps, both on computers and on phones, also might not protect users from domain names mimicking other websites by using foreign letters.
Homograph attacks are rare, and you can avoid falling victim to them the same way you avoid falling victim to any other malicious link. Don’t click on any link from an email or a message you weren’t expecting to get or on any link you don’t know with certainty is safe.
Some browser tools or extensions, such as Punycode Alert and the Quero Toolbar, can also help protect you from homograph attacks, says MalwareBytes. Regularly updating your browser will also help protect you, since most modern web browsers regularly check for and block malicious websites.