
Typosquatting and homographic attack: what they are and how to avoid them


Typosquatting. In social engineering (the attack technique that exploits human weaknesses and hasty behaviour), a practice called typosquatting (from "squatting", occupying a property without having any right to it, and "typo", a typing error), also known as URL hijacking, is used to deceive the most hurried and careless users.

It consists of registering domain names that closely resemble the legitimate ones of well-known brands or of the company targeted by the attack, with the aim of drawing users to fake websites in order to harvest personal data, distribute malware, or make a phishing email more credible.

There are many typosquatted domains; some well-known examples are:

  • yotube.com
  • yutube.com
  • facebok.com
  • goggle.com
  • bankitalia.it
  • republica.it

Typosquatters use phishing emails as bait: a notice that an account is about to expire, a request to confirm bank details, or adverts for attractive discounts from well-known brands. The content of these emails is designed to get the user to click on a link that leads to the fake site, built specifically to steal identities or credentials or to extort money.
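As an added example (not code from the original article), the following Python script generates the classes of typo domain that the examples above belong to (omission, repetition, transposition, adjacent-key substitution and ASCII look-alike substitution) from a brand domain, and matches a suspicious domain back to the brand it imitates. The QWERTY neighbour map, the look-alike table and the brand list are assumptions chosen for the demonstration; a defender would run this over their own domains to decide which variants to register or to watch in DNS and certificate-transparency logs.

```python
# Added example, not code from the original article. Enumerates the one-edit
# typo domains a brand domain can be squatted with, so that a defender can
# register or monitor them, and maps a suspect domain back to the brand.

# Minimal QWERTY neighbour map (an assumption for this example; extend it for
# other layouts).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm",
    "m": "njk",
}

# ASCII look-alike substitutions of the kind the article mentions (0/O, l/I)
# plus the classic rn/m and vv/w pairs. Also an assumption for this example.
ASCII_HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "m": ["rn"], "w": ["vv"]}


def split_domain(domain):
    """'brand.tld' -> ('brand', 'tld'); only the left-most label gets mutated."""
    label, _, rest = domain.lower().partition(".")
    return label, rest


def typo_variants(domain):
    """Set of one-edit typo domains derived from `domain`."""
    label, rest = split_domain(domain)
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                # omission:      youtube -> yotube
        out.add(label[:i] + ch + label[i:])               # repetition:    google  -> gooogle
        if i + 1 < len(label):                            # transposition: google  -> gogole
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):          # adjacent key:  google  -> goigle
            out.add(label[:i] + nb + label[i + 1:])
        for hg in ASCII_HOMOGLYPHS.get(ch, []):           # look-alike:    google  -> go0gle
            out.add(label[:i] + hg + label[i + 1:])
    out.discard(label)   # the genuine name is not a variant
    out.discard("")      # omission on a one-letter label
    return {f"{v}.{rest}" if rest else v for v in out}


def brand_of(domain, brands):
    """Return the brand domain that `domain` is a one-edit typo of, or None."""
    d = domain.lower()
    for brand in brands:
        if d in typo_variants(brand):
            return brand
    return None


if __name__ == "__main__":
    # Constructed brand list for the demonstration.
    brands = ["youtube.com", "facebook.com", "google.com", "repubblica.it"]
    for suspect in ["yotube.com", "facebok.com", "republica.it", "go0gle.com", "intuity.example"]:
        print(f"{suspect:16} -> {brand_of(suspect, brands)}")
    print(len(typo_variants("google.com")), "candidate typo domains for google.com")
```

Note that goggle.com, one of the examples above, is a substitution with a non-adjacent key and therefore falls outside this one-edit model; tools such as dnstwist add further classes (vowel swaps, bit flips, homoglyphs in other scripts) and then resolve each candidate to see which ones are already registered.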

Characters that share the same written form but have a different phonetic value are called homographs. For example, the Cyrillic letter а (U+0430) looks identical to the Latin lowercase a (U+0061). Several characters also resemble each other within the same alphabet, such as 0 (the digit) and O (the letter), or lowercase l (L) and uppercase I (i). Attacks based on these similarities are known as homograph spoofing attacks and are often used to build sender addresses on typosquatted domains, making the sender of a phishing email look as credible as possible.

IDN Homograph Attack

While typosquatting relies on human error and haste (its URLs are merely similar to the original), the IDN homograph attack (homograph attack on internationalized domain names) exploits the visual similarity of characters that belong to different alphabets.

Unicode assigns a unique number (a code point) to every character, so that the characters used in an address or web page can be interpreted consistently. This is what makes it possible to process URLs written in many different languages.

The most widely used character encoding is still ASCII (American Standard Code for Information Interchange). Unicode is stored in 8-, 16- or 32-bit units (UTF-8, UTF-16, UTF-32), whereas ASCII uses 7 bits (8 in its extended variants), so most Unicode characters cannot be represented in ASCII at all. Since DNS host names are limited to ASCII letters, digits and hyphens, the Punycode system was introduced to allow domain names containing non-ASCII (Unicode) characters to be represented in ASCII: each such label is converted and prefixed with xn--.

This implementation, however, introduced a new threat, the IDN homograph attack: it allows an attacker to register domain names that, once rendered in the address bar of some browsers, are visually indistinguishable from the original.

In 2017 the web developer Xudong Zheng showed that older versions of some browsers rendered the domain registered as xn--80ak6aa92e.com (its Punycode form) as "apple.com": every letter of the label is a Cyrillic character that looks like its Latin counterpart, so the address bar displayed a perfect copy of the real name. Chrome (from version 58) and Opera fixed this by showing the Punycode form whenever a label is made entirely of such look-alike characters; in Firefox the address bar still shows the Unicode form unless the user sets network.IDN_show_punycode to true in about:config.

Test it: open xn--80ak6aa92e.com in your browser and look at the address bar. If it shows apple.com, your browser needs to be updated; a patched browser shows the xn-- form.
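As an added example, not code from the original article or from Xudong Zheng, the following Python uses the standard library's idna and punycode codecs to convert the Cyrillic look-alike domain into its xn-- form and back, to report which scripts a label contains, and to reduce confusable letters to a Latin "skeleton" so that a look-alike can be matched to the brand it imitates. The confusables table is a small hand-picked subset (an assumption; the authoritative list is confusables.txt from Unicode's UTS #39), and the safe_display policy is an approximation of what patched browsers do, not any browser's exact algorithm.

```python
import unicodedata

# Constructed sample: Xudong Zheng's look-alike, written with Unicode escapes so
# the Cyrillic letters are visible in the source (a, er, er, palochka, ie).
LOOKALIKE = "\u0430\u0440\u0440\u04cf\u0435.com"

# Hand-picked subset of Unicode confusables (an assumption for this example;
# the authoritative list is confusables.txt from Unicode's UTS #39).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_ascii(domain):
    """Unicode host name -> ACE form (xn--...), the string that actually goes to DNS."""
    return domain.encode("idna").decode("ascii")


def to_unicode(host):
    """ACE form -> Unicode, the form a naive address bar would render."""
    return host.encode("ascii").decode("idna")


def scripts(label):
    """Unicode script names of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(text):
    """Replace each known confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def homograph_of(host, brands):
    """Return the brand domain that `host` visually imitates, or None.
    `host` may be given in ACE (xn--) or Unicode form; an exact brand match
    is the genuine domain, not a homograph."""
    uni = (to_unicode(host) if host.isascii() else host).lower()
    sk = skeleton(uni)
    return sk if sk != uni and sk in brands else None


def safe_display(host):
    """Address-bar policy: render Unicode only when every label is single-script
    and contains no letter that merely imitates a Latin one; otherwise show the
    ACE form. Approximates the post-2017 browser fixes, not any exact algorithm."""
    uni = to_unicode(host) if host.isascii() else host
    for label in uni.split("."):
        s = scripts(label)
        if len(s) > 1 or (s != {"LATIN"} and skeleton(label) != label):
            return to_ascii(uni)
    return uni


if __name__ == "__main__":
    ace = to_ascii(LOOKALIKE)
    print(ace, "->", to_unicode(ace), scripts(to_unicode(ace).split(".")[0]))
    print("imitates:", homograph_of(ace, ["apple.com"]))
    print("address bar:", safe_display(ace))
    print("address bar:", safe_display("m\u00fcnchen.de"))  # genuine IDN, stays Unicode
```

The skeleton comparison is what makes detection practical: comparing raw code points never matches, because the look-alike shares no character with the brand, while comparing skeletons turns the homograph into an exact string match against a brand list. A genuine single-script IDN such as münchen.de is left readable, which is the balance browsers had to strike.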

How can we defend against typosquatting and homographic attacks?

To avoid falling victim to this type of attack, here are some suggestions:

  • On the web, don't rush: always read the domain in a web address carefully, character by character.
  • Keep your browsers up to date.
  • Before clicking a link, hover over it and check the address it actually points to (shown in the status bar or tooltip), not the text of the link.
  • Use dedicated extensions, such as Punycode Alert (for Chrome) or the Quero Toolbar, which warn when an address contains a Punycode (xn--) label; in Firefox the same effect is obtained by setting network.IDN_show_punycode to true in about:config.
