Homoglyph Attacks

A homoglyph attack is a type of cyber deception that uses characters that look identical or very similar to one another to trick a user. These visually similar characters are called homoglyphs. Attackers substitute characters in a legitimate domain name, email address, or other text with a homoglyph from another alphabet or character set, making it nearly impossible for a human to spot the difference. For example, the Latin letter "a" (a) can be replaced with the Cyrillic letter "a" (а), which looks the same but is a different character to a computer.

How Homoglyph Attacks Work

Attackers register a fake domain name that visually mimics a legitimate one. For example, instead of google.com (using Latin characters), an attacker might register gооgle.com, which uses Cyrillic "о"s instead of Latin ones. They then use this deceptive URL in phishing emails or other social engineering campaigns to lure victims to a fraudulent site.

  • Domain Spoofing: Attackers register a domain name using homoglyphs that visually mimic a trusted one. When a user is directed to this fake domain, they are often prompted to enter sensitive information, such as login credentials or credit card details, which are then stolen by the attacker. This technique is frequently used in combination with typosquatting.

  • Email Spoofing: Homoglyphs are also used in email addresses and the "From" display name to make a phishing email appear legitimate. This can trick users into clicking on malicious links or downloading malware.

  • Malware Distribution: The fake website can be used to host malicious files, and users who are fooled into visiting the site may unknowingly download malware onto their devices.

Why They Are So Dangerous

Homoglyph attacks are dangerous because they are incredibly deceptive.

  • Bypassing Filters: Many traditional security filters and keyword-based detection systems may fail to flag homoglyph domains because the underlying characters are technically different from the legitimate ones.

  • Visual Deception: The subtle visual differences are easy for the human eye to miss, especially on mobile devices or in different fonts.

  • Cross-Platform: The attacks aren't limited to URLs; they can appear in email addresses, filenames, and even source code, making them a widespread threat.
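The mixed-script domains described above (Cyrillic "о" and "а" standing in for Latin letters) are exactly what a defender-side check should flag. The following is an added example, not code from this page or from ThreatNG: it reports which labels mix Unicode scripts, shows the punycode form that a computer actually resolves, and collapses known Cyrillic look-alikes onto a Latin "skeleton" to compare against a watch list. The confusables table is a small hand-picked subset and the watch list and sample domains are constructed for illustration.

```python
import unicodedata

# Cyrillic letters that render like Latin ones, mapped to their Latin
# look-alike (a small hand-picked subset of Unicode's confusables).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Constructed watch list of brands to protect (hypothetical).
WATCH_LIST = {"google.com", "microsoft.com", "example.com"}


def letter_scripts(label: str) -> set:
    """Scripts used by the letters in one DNS label, taken from the first
    word of each character's Unicode name (e.g. LATIN, CYRILLIC)."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if unicodedata.category(ch).startswith("L")
    }


def skeleton(domain: str) -> str:
    """Replace known confusables with their Latin look-alike so a spoofed
    domain collapses onto the string a human actually reads."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def analyze(domain: str) -> dict:
    """Return what a defender would log for a candidate domain."""
    domain = domain.lower()
    labels = domain.split(".")
    mixed = [lbl for lbl in labels if len(letter_scripts(lbl)) > 1]
    skel = skeleton(domain)
    # A homoglyph domain is never byte-identical to the brand it mimics,
    # but its skeleton is; a legitimate single-script IDN is left alone.
    target = skel if skel != domain and skel in WATCH_LIST else None
    return {
        "domain": domain,
        "ascii_form": domain.encode("idna").decode("ascii"),  # punycode
        "mixed_script_labels": mixed,
        "impersonates": target,
    }


if __name__ == "__main__":
    # Constructed samples: one clean brand, three look-alikes, one real IDN.
    for d in ["google.com", "g\u043e\u043egle.com", "micros\u043eft.com",
              "ex\u0430mple.com", "b\u00fccher.de"]:
        print(analyze(d))
```

A filter that compares only raw strings misses these domains, which is the "Bypassing Filters" problem above; comparing the skeleton and the punycode form catches them.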

ThreatNG helps an organization combat homoglyph attacks by providing a comprehensive external view of its digital assets and vulnerabilities. It identifies weaknesses in a company's defenses by simulating an attacker's perspective without needing internal access.

External Discovery and Assessment

ThreatNG's External Discovery can perform external, unauthenticated discovery to find look-alike domains that could be used in a homoglyph attack. This is a crucial first step for finding fake sites that impersonate an organization. The External Assessment capabilities evaluate an organization's susceptibility to these attacks.

  • BEC & Phishing Susceptibility: This assessment score is derived from Domain Intelligence, which includes DNS Intelligence and Email Intelligence capabilities. Homoglyph domains are a primary tool for phishing and BEC attacks, so ThreatNG's detection of these domains directly contributes to this score.

  • Brand Damage Susceptibility: ThreatNG assesses this risk by using Domain Intelligence, including its Domain Name Permutations feature, to identify potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.

  • Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application that are accessible from the outside world to identify potential entry points for attackers who might use a homoglyph domain to trick users into visiting a fake website.

For example, ThreatNG could perform an unauthenticated scan of an organization's external attack surface and discover a newly registered domain, microsоft.com, which uses a Cyrillic "o" that looks identical to the Latin "o" in microsoft.com. This finding would contribute to a low BEC & Phishing Susceptibility score and a high Brand Damage Susceptibility score.

Investigation Modules

ThreatNG's Investigation Modules provide detailed analysis to track down and understand a homoglyph threat.

  • Domain Intelligence: This module is a core component for fighting homoglyph attacks. Its DNS Intelligence capabilities, specifically the Domain Name Permutations feature, are designed to detect and group various domain manipulations, including homoglyphs. This feature proactively finds domains that use visually similar characters to impersonate a brand.

  • Email Intelligence: This feature analyzes the email security presence by checking for DMARC, SPF, and DKIM records. If ThreatNG finds that a homoglyph domain has active mail records, this is a strong indicator that the domain is being used to launch a phishing campaign.

For instance, an investigation might start with ThreatNG's Domain Name Permutations feature, identifying a newly registered domain, gооgle.com. The Email Intelligence module could then confirm that this malicious domain has active email records, which could then be used to send out phishing emails.

Intelligence Repositories

ThreatNG's continuously updated Intelligence Repositories (branded as DarCache) provide critical context for homoglyph attack investigations.

  • Compromised Credentials (DarCache Rupture): This repository tracks compromised credentials on the dark web. If an attacker plans a homoglyph attack to steal credentials, the presence of already-compromised credentials for an organization could indicate a heightened risk.

  • Dark Web (DarCache Dark Web): This repository tracks mentions of an organization on the dark web, which can be an early indicator of a planned phishing or impersonation campaign that may use homoglyph domains.

Reporting and Continuous Monitoring

ThreatNG provides various reports to communicate the findings of its homoglyph attack tests. Prioritized Reports categorize risks as high, medium, low, and informational, helping organizations focus on the most critical threats. The reports also offer reasoning, recommendations, and reference links to provide context and guidance for risk mitigation. ThreatNG's Continuous Monitoring capability ensures that the external attack surface and security ratings are constantly being tracked, so a new homoglyph domain is detected as soon as it appears. This allows an organization to respond proactively.

Complementary Solutions

ThreatNG's capabilities can work with complementary security solutions to create a more robust defense against homoglyph attacks.

  • DNS Protection Services: ThreatNG could identify a homoglyph domain, such as exаmple.com, and its associated IP address. This information could then be used to update a DNS firewall or other DNS protection service to automatically block internal network traffic from accessing that fraudulent site.

  • Email Security Gateways: If ThreatNG detects that a homoglyph domain has active mail records, this intelligence can be shared with an email security gateway. The gateway could then proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes.

  • Phishing Simulation and Security Awareness Training: ThreatNG can provide real-world examples of discovered homoglyph domains. These examples can be used in security awareness training programs to educate employees on how to spot and avoid falling for a spoofed site.

  • SOAR (Security Orchestration, Automation, and Response) Platforms: When ThreatNG's continuous monitoring detects a new, potentially malicious homoglyph domain, it can trigger an automated workflow in a SOAR platform. This playbook could automatically notify the security team, create an incident ticket, and even initiate a domain takedown request to the registrar, streamlining the response process and reducing manual effort.
