CTEM-DOM-2: Homoglyph Attack Domain
Documentation has not been completed. This page is a placeholder for future documentation.
Overview
Homoglyph attack domains exploit characters that look visually similar to those in a legitimate domain name. By using substitutions such as numbers, special characters, characters from other alphabets, or UTF-8 character sets that resemble English letters, attackers create domains designed to deceive users. These domains are commonly used in phishing attacks, impersonation, and other malicious activities.
Characteristics of Homoglyph Attack Domains
- Character Substitutions: Using visually similar characters, such as
dundermiffl1n.com
(replacing the letter “i” with the number “1”). - Mixed Alphabets: Combining Latin characters with similar-looking characters from other scripts, such as
dundermïfflin.com
(using ï from the Latin Extended alphabet). - UTF-8 Characters: Leveraging characters from the UTF-8 character set that resemble English letters, such as
dúndermifflin.com
(where "u" is replaced with a character containing a diacritic).
Common Methods of Discovery
- Homoglyph Detection Algorithms: Specialized tools that identify visually similar domains based on known patterns of character substitution.
- Threat Intelligence Platforms: Leveraging feeds that flag homoglyph domains seen in malicious campaigns.
- Domain Monitoring Services: Automated scans for new domain registrations similar to the legitimate domain.
- Manual Verification: Reviewing domain names flagged as suspicious for visual similarities to known domains.
Risk and Impact
Homoglyph attack domains pose significant risks, including:
- Phishing Attacks: Deceptive domains may host fake login pages or forms to steal user credentials.
- Brand Impersonation: Homoglyph domains undermine trust by imitating an organization’s brand.
- Malware Distribution: These domains may host malicious content disguised as legitimate software or updates.
- Customer Confusion: Users misled by these domains may lose trust in the legitimate brand.
Examples
Using dundermifflin.com
as the legitimate domain:
- Numeric Substitution:
dundermiffl1n.com
(replacing “i” with “1”). - Mixed Alphabets:
dundermïfflin.com
(using ï from the Latin Extended alphabet). - UTF-8 Characters:
dúndermifflin.com
(using a UTF-8 character that resembles "u"). - Special Characters:
dúndermifflin.com
(adding a diacritic character to mimic the original domain).
Key Considerations for Threat Exposure Management
- Automated Detection: Deploy homoglyph detection algorithms as part of domain monitoring to identify and respond to threats promptly.
- Proactive Reporting: Work with registrars and domain authorities to report and take down homoglyph domains.
- End-User Training: Educate employees and customers on how to spot and avoid suspicious domains.
- Layered Defense: Use DNS filtering and web content filtering to block access to known homoglyph domains.
- Visual Awareness: Encourage manual verification of domain names in critical communications and transactions.
By addressing homoglyph attack domains, organizations can reduce the risk of phishing and brand impersonation, protecting both their reputation and their customers.