What is a homoglyph attack? Explained

Cyber crooks have plenty of tricks up their sleeves when it comes to deceiving victims, and one such technique is the homoglyph attack which is used to disguise the fact that a person has landed on a spoof website masquerading as the legitimate site of a known brand.

First, what is a homoglyph? It’s one of a pair of characters (or glyphs) that appear extremely similar to each other, but have different uses.

While all the letters in the standard English (Latin) alphabet and the standard Arabic numerals (0-9) look different and are unlikely to be confused with one another (with the possible exception of O and 0), once we also take into account characters from other languages (which often use the Cyrillic script), the result is a large number of homoglyph pairs.

What is a homoglyph attack?

This is when cyber-crooks take advantage of these similarities to create fake web domains that may appear to be legitimate but are completely fake and controlled by the crooks. For example, in the past a person could have landed on аррӏе.com which appears to be the official website for Apple. Only it isn’t, because the domain actually contains Cyrillic characters that look like the letters they’re impersonating. (If you don’t believe us, copy and paste it into your web address bar and see if you go to the Apple website or somewhere else! 😉 )

You can’t have Cyrillic letters in web addresses (URLs), but crooks would, in the past, exploit a security flaw in Internet browsers that forced them to convert certain special commands into Cyrillic letters automatically, creating the illusion above.

So, for example, we could create thаtѕnοnѕenѕe.com, which contains Cyrillic ‘a’, ‘s’ and ‘o’ characters. (Again, try copying and pasting the address into your browser and you’ll see it’s not real.) In the past we could use a web address made up of a series of special commands, http://xn--thatsnnene-jvi1zc.com/, to forward victims to the fake address, and the browser would show thаtѕnοnѕenѕe.com (fake) in the address bar even though that is not, in fact, the official thatsnonsense.com domain.

In 2017 these types of attacks became less common after most modern web browsers fixed this flaw and stopped converting such domains to display Cyrillic characters, meaning that if we registered the http://xn--thatsnnene-jvi1zc.com/ domain today, it would not be converted to the fake thаtѕnοnѕenѕe.com equivalent.
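The “special commands” the article refers to are the ASCII `xn--` encoding of an internationalised domain name, which a browser decodes before deciding whether to display the Unicode form. The script below is an added example (not code from the original article) showing the two checks a defender, or a browser, applies to such a name: decode the `xn--` form with Python’s built-in IDNA codec, flag any label that mixes scripts (Latin plus Cyrillic or Greek), and map look-alike characters to the Latin letters they resemble to see whether the result collides with a protected brand. The sample domains, the list of protected brands and the small confusables table are all constructed for this example; the table is a hand-picked subset of look-alikes, not Unicode’s full confusables data.

```python
import unicodedata

# Constructed samples (not from the article): the genuine Latin domain, a
# look-alike that swaps in Cyrillic а (U+0430), ѕ (U+0455) and Greek ο (U+03BF),
# and an all-Cyrillic look-alike of apple.com using palochka (U+04CF) for "l".
REAL = "thatsnonsense.com"
FAKE = "th\u0430t\u0455n\u03bfn\u0455en\u0455e.com"
PURE_CYRILLIC = "\u0430\u0440\u0440\u04cf\u0435.com"

# Hand-built subset of look-alike characters (a constructed table, not the
# full Unicode confusables list), mapped to the Latin letter they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u0445": "x",
    "\u0443": "y", "\u03bf": "o", "\u03b1": "a",
}

# Brands a defender wants to watch for look-alike registrations of (constructed).
PROTECTED = {"thatsnonsense.com", "apple.com"}


def to_ascii(domain):
    """Encode a Unicode domain into its xn-- (Punycode) form via the IDNA codec."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Decode an xn-- domain back into its Unicode form."""
    return domain.encode("ascii").decode("idna")


def script_of(ch):
    """Rough script classification taken from the character's Unicode name."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in {"LATIN", "CYRILLIC", "GREEK"} else "COMMON"


def mixed_script_labels(domain):
    """Return the labels of a Unicode domain that combine more than one script."""
    flagged = []
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def skeleton(domain):
    """Replace each known look-alike with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in domain)


def check(domain, protected=PROTECTED):
    """Return the reasons (if any) a domain, in xn-- or Unicode form, is suspicious."""
    uni = to_unicode(domain) if "xn--" in domain else domain
    reasons = [f"mixed-script label: {label!r}" for label in mixed_script_labels(uni)]
    sk = skeleton(uni)
    if sk != uni and sk in protected:
        reasons.append(f"look-alike of {sk}")
    return reasons


if __name__ == "__main__":
    ascii_form = to_ascii(FAKE)
    print(ascii_form, "->", to_unicode(ascii_form))
    for candidate in (REAL, ascii_form, PURE_CYRILLIC):
        print(candidate, "->", check(candidate) or "looks clean")
```

The all-Cyrillic sample is the important caveat: a mixed-script check alone lets it through, because every letter in the label is Cyrillic, and only the confusable-mapping step catches that it spells a protected brand. Browsers apply both kinds of check (plus rules on which scripts a given top-level domain may use) before rendering a name in Unicode, which is why the fallback is to show the raw `xn--` form.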

However, homoglyph attacks can still occur. In 2021 Microsoft removed a number of domains that used similar techniques to trick victims. So it always pays to check the URL that little bit more carefully.