Homoglyphs
In cybersecurity, a homoglyph is a character that looks identical or very similar to another character. A homoglyph attack is a type of typosquatting where a malicious actor uses these characters to register a domain name that visually mimics a legitimate one. This technique is often used in phishing campaigns to deceive users into believing they are visiting a trusted website.
How Homoglyph Attacks Work
Homoglyph attacks exploit the visual similarities between characters from different character sets, such as the Latin alphabet and the Cyrillic alphabet, or even within the same character set. The most common form of this attack is the IDN (Internationalized Domain Name) homograph attack, which uses characters from different languages to create a deceptive domain.
For example, an attacker could register аррӏе.com to impersonate apple.com. In this case, the a, p, and e are Cyrillic characters that look nearly identical to their Latin counterparts. When a user sees this domain in an email or a browser's address bar, it's tough for them to notice the difference.
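A minimal detector for the substitution described above, written for this page as an added example (it is not ThreatNG's code): it maps each character of a candidate domain to the Latin letter it imitates, compares that "skeleton" with the brand domain, reports the punycode (xn--) form that DNS actually carries, and checks whether any label mixes scripts. The confusable table is a constructed subset; Unicode's confusables.txt is the authoritative list.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic and Greek letters that
# render like Latin ones. Extend from confusables.txt for real deployments.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA, the "l" in the page's example
    "\u03bf": "o", "\u03b1": "a",
}

def skeleton(domain: str) -> str:
    """Replace every confusable with the Latin letter it imitates."""
    nfkc = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(c, c) for c in nfkc)

def mixed_script(domain: str) -> bool:
    """True if any single label mixes scripts, e.g. Latin letters plus Cyrillic."""
    for label in domain.split("."):
        names = {unicodedata.name(c).split()[0] for c in label if c.isalpha()}
        if len(names) > 1:
            return True
    return False

def to_ascii(domain: str) -> str:
    """ACE form (xn--...), which is what DNS, logs and certificates carry."""
    return domain.encode("idna").decode("ascii")

def assess(candidate: str, brand: str) -> dict:
    """Flag a candidate domain that visually imitates the brand domain."""
    same_skeleton = skeleton(candidate) == skeleton(brand)
    identical = unicodedata.normalize("NFKC", candidate.lower()) == brand.lower()
    return {
        "ascii": to_ascii(candidate),
        "homoglyph": same_skeleton and not identical,
        "mixed_script": mixed_script(candidate),
    }

if __name__ == "__main__":
    # The page's two examples, spelled with explicit code points.
    for cand, brand in [("\u0430\u0440\u0440\u04cf\u0435.com", "apple.com"),
                        ("ex\u0430mple.com", "example.com")]:
        print(cand, "->", assess(cand, brand))
```

Note that the all-Cyrillic аррӏе.com passes the mixed-script check, which is why browsers that rely on that heuristic alone may still render it natively; the skeleton comparison is what catches it.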
Why They Are a Threat
High Deception Rate: Homoglyph domains are difficult to distinguish from legitimate domains visually, making them highly effective in social engineering and phishing attacks.
Bypasses Traditional Filters: Many older security filters rely on simple string matching and may not be equipped to detect these sophisticated visual substitutions.
Leads to Credential Theft: Once a user is tricked into visiting a homoglyph domain, they are often directed to a fake website designed to steal their login credentials, credit card information, or other sensitive data.
ThreatNG helps defend against homoglyph attacks by performing an unauthenticated, external discovery and assessment to identify domain name permutations that use visually similar characters to impersonate a brand. The platform's continuous monitoring and intelligence repositories enable it to proactively detect these deceptive domains and provide actionable intelligence to protect against brand impersonation and phishing attacks.
ThreatNG's Capabilities for Homoglyph Attacks
ThreatNG uses several of its core functions to address homoglyph attacks.
External Discovery and Assessment
ThreatNG performs purely external and unauthenticated discovery to find potential threats from an attacker's perspective. This is achieved through its Domain Intelligence module, which is a key component of its external attack surface and digital risk intelligence. The platform uses these findings to assess an organization's susceptibility to various risks.
BEC & Phishing Susceptibility: This score is partially derived from the DNS Intelligence capabilities of the Domain Intelligence module, which include the identification of Domain Name Permutations. The detection of homoglyph domains directly contributes to this score, as these domains are a primary tool for phishing and Business Email Compromise (BEC) attacks. For example, ThreatNG would detect that a homoglyph domain like аррӏе.com is a permutation of the legitimate apple.com.
Brand Damage Susceptibility: ThreatNG assesses this risk by using Domain Intelligence, which includes Domain Name Permutations. By identifying homoglyph domains, the platform can determine potential threats that could be used for brand impersonation and to host malicious content, thus protecting the brand's reputation.
Data Leak Susceptibility: This assessment also considers Domain Intelligence, including Domain Name Permutations, to determine if fraudulent domains are being used to steal credentials and facilitate data leaks.
The Domain Intelligence investigation module is the primary tool for homoglyph attack detection. Within this module, the DNS Intelligence capability is specifically designed to detect and group various manipulations of a domain.
Domain Name Permutations: This feature explicitly lists homoglyphs as one of the manipulations it detects. ThreatNG identifies visually similar characters, particularly those used in Internationalized Domain Names (IDNs), to find deceptive domains. For each permutation, ThreatNG provides the associated mail records and IP addresses, which are crucial for understanding the potential malicious use of the domain.
Targeted Keyword Analysis: ThreatNG analyzes the discovered domain name permutations for the presence of "Authentication" terms, such as login, verify, and admin, as well as "Derogatory" terms like sucks and boycott. This helps to identify specific threats, such as a homoglyph domain being used to host a fake login page.
Reporting and Continuous Monitoring
ThreatNG provides a variety of reports, including Prioritized Reports (High, Medium, Low, and Informational) and Security Ratings (A through F). These reports would highlight any discovered homoglyph domains and their associated risks, allowing an organization to prioritize remediation efforts. The platform's continuous monitoring capability ensures that it is constantly tracking an organization's external attack surface and will detect new homoglyph domains as they appear.
ThreatNG's intelligence repositories, branded as DarCache, provide valuable information that can support the homoglyph attack detection process. The DarCache Dark Web repository tracks mentions of an organization on the dark web, which can be an early indicator of a planned phishing or impersonation campaign that may use homoglyph domains.
Complementary Solutions
ThreatNG's homoglyph attack detection can be enhanced by working with other security solutions.
ThreatNG and a DNS Firewall: ThreatNG could identify a homoglyph domain, such as exаmple.com, and its associated IP address. This information could then be used to update a DNS firewall to automatically block internal network traffic from accessing that fraudulent site.
ThreatNG and an Email Security Gateway: If ThreatNG detects that a homoglyph domain has active mail records, this intelligence can be shared with an email security gateway. The gateway could then proactively block any emails originating from that domain, preventing a phishing campaign from reaching employees' inboxes.
ThreatNG and a Website Takedown Service: Once ThreatNG identifies a homoglyph domain impersonating a brand, the information about the malicious domain and its hosting provider could be shared with a website takedown service. This would enable the service to act quickly and have the fake site removed, minimizing the window of opportunity for attackers.