Google to take tough stance on homoglyph attacks

Posted by   Virus Bulletin on   Aug 14, 2014

Good idea, but unlikely to have a huge impact.

Ever since internationalized domain names (IDNs) were introduced in the last decade, allowing people to use non-ASCII characters in domain names, many in the security field have been expressing their concern about 'homoglyph attacks' (sometimes called homograph attacks). In such attacks, characters in a well-known domain are replaced with visually similar non-ASCII ones.

An attacker could thus register the páypα domain (which is visually similar to and have innocent victims believe they are accessing the official site of the payment facilitator, whereas in fact they are being phished for their login credentials.

In practice, hardly any homoglyph attacks have been seen in the wild, despite the technology having been widely implemented. I think the main reason for this is that if you do attempt to register the páypα domain, you are, as it were, ticking the 'I am going to use this domain for phishing' box. If you were able to get it registered, it would probably not be long before it was taken down.

Moreover, we know that users click links and enter their details on URLs that don't even remotely resemble the targeted domain. (In fairness to such users, especially on mobile devices, it isn't always easy to see the URL of the link one is clicking on, or the full email address of an email's sender.) So there appears to be little need for phishers to go through the process of registering look-alike domains.

That doesn't mean that such attacks couldn't happen. So it is good news that Google has announced it is going to crack down on abuse of IDNs, by implementing the Unicode Consortium's 'Highly Restricted' specification. Put simply, this means that Google will support IDNs in Gmail (and also in the local-part of email addresses), but it will reject names that mix characters from different scripts in unnatural combinations.
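To make both ideas concrete (the visual substitution described at the start of the post, and the script-mixing restriction Google is adopting), here is an added example of a defender-side check for look-alike domain labels. It is illustrative code written for this page, not code from Virus Bulletin or Google, and it makes two assumptions: the script of a character is approximated from its `unicodedata` name rather than from a proper Scripts.txt lookup, and the confusable-character table is a small constructed subset, not the full Unicode confusables list.

```python
"""Added example: a defender-side check for look-alike (homoglyph) domain labels.

Two checks are combined:
  1. a script-mixing test in the spirit of the Unicode 'Highly Restrictive'
     profile (UTS #39): a label must use one script, or one of a few natural
     combinations (Latin with Han/Hiragana/Katakana, Han/Bopomofo, Han/Hangul);
  2. a 'skeleton' comparison against protected brand labels, using a small
     constructed subset of confusable mappings (not the full confusables.txt).
Script detection is approximated from unicodedata character names, which is an
assumption of this example rather than a faithful Scripts.txt lookup.
"""
import unicodedata

# Natural script combinations allowed by the Highly Restrictive profile.
ALLOWED_COMBOS = [
    {"LATIN", "HAN", "HIRAGANA", "KATAKANA"},
    {"LATIN", "HAN", "BOPOMOFO"},
    {"LATIN", "HAN", "HANGUL"},
]

# Constructed subset of visually confusable characters mapped to their ASCII
# look-alikes; the real Unicode list is far longer.
CONFUSABLES = {
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def to_unicode_label(label: str) -> str:
    """Accept a U-label or an A-label (xn--...) and return the U-label."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def script_of(ch: str) -> str:
    """Approximate the script of a letter from its Unicode name (assumption)."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "HAN" if first == "CJK" else first


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label; digits and hyphens are ignored."""
    return {script_of(ch) for ch in to_unicode_label(label) if ch.isalpha()}


def is_highly_restrictive(label: str) -> bool:
    """True if the label uses a single script or one allowed combination."""
    scripts = scripts_in(label)
    if len(scripts) <= 1:
        return True
    return any(scripts <= combo for combo in ALLOWED_COMBOS)


def skeleton(label: str) -> str:
    """Reduce a label to an ASCII 'skeleton': strip accents, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", to_unicode_label(label).lower()):
        if unicodedata.combining(ch):
            continue  # drop accents such as the acute in 'á'
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def look_alike_of(label: str, protected: list) -> str:
    """Return the protected label this one impersonates, or '' if none.

    An exact match is the genuine name, not an impersonation, so it yields ''.
    """
    u = to_unicode_label(label)
    for brand in protected:
        if u != brand and skeleton(u) == skeleton(brand):
            return brand
    return ""


def assess(label: str, protected: list) -> dict:
    """Combine both checks into one verdict suitable for logging or blocking."""
    return {
        "label": to_unicode_label(label),
        "scripts": sorted(scripts_in(label)),
        "mixed_script": not is_highly_restrictive(label),
        "look_alike_of": look_alike_of(label, protected),
    }


if __name__ == "__main__":
    PROTECTED = ["paypal", "google"]  # constructed list of brands to protect
    for sample in ["paypal", "p\u00e1yp\u03b1l", "p\u0430ypal", "m\u00fcnchen"]:
        print(assess(sample, PROTECTED))
```

The two checks catch different things: the script test flags any Latin/Greek or Latin/Cyrillic mixture regardless of what it resembles, while the skeleton test catches accented-only variants such as a Latin 'á' in place of 'a', which pass the script test because they are still Latin. A mail or proxy filter would typically log the `assess` verdict and treat either `mixed_script` or a non-empty `look_alike_of` as grounds for blocking or warning.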

Still, this doesn't stop an attacker from using,, or a completely unrelated domain - or from using local DNS modifications to send the correct domain to the wrong server.

Ultimately, a domain name is best seen as nothing but an easy-to-remember pointer to an IP address. If you want more security than that, you should use public key certificates proving the authenticity of the domain, in particular Extended Validation Certificates. These include many checks that make abuse of look-alike domains very unlikely - though ultimately, as with anything in security, not impossible. Welcome to the world of security.

Posted on 14 August 2014 by Martijn Grooten
