[Part 1 of 3]
By Prasanna Abeysekera
When "ехample-bank.com" Isn't What It Seems
Have you ever clicked on a link that appeared to be a familiar website only to discover, too late, that something wasn't quite right? You're not alone. Attackers register domains built from characters in non-Latin scripts such as Cyrillic, Greek or Armenian that look like Latin letters; the tactic is known as an IDN homograph attack.
At first glance, what appears to be example-bank.com might not be what it seems. A Cyrillic character such as "е" (U+0435) in place of Latin "e" (U+0065) can trick even experienced users into believing they are visiting the legitimate example-bank.com.
To the untrained eye there is no visible difference. To your browser, though, the two names are entirely different strings of code points; whether it warns you depends on how it chooses to display them, and many security tools never look that closely.
The first of a three-part series, this article shows how attackers exploit lookalike characters from other writing systems to deceive users and slip past basic security measures.
What is an IDN Homograph Attack?
IDN stands for Internationalised Domain Name: a mechanism that lets domain names contain characters from the world's writing systems rather than only the ASCII letters, digits and hyphen. Behind the scenes, DNS still carries only ASCII: each non-ASCII label is stored in an encoded form (Punycode) that begins with xn--, and it is the browser that turns that back into the Unicode characters you see. This is a valuable feature for global access, but it also creates opportunities for exploitation.
A homograph is a character that looks identical (or very similar) to another character. Attackers draw homographs from several scripts to register domains that look legitimate on screen but are, to DNS, entirely different names.
Examples of Deceptive Characters:
Latin | Code point | Cyrillic Lookalike | Code point
---|---|---|---
a | U+0061 | а | U+0430
e | U+0065 | е | U+0435
o | U+006F | о | U+043E
p | U+0070 | р | U+0440
c | U+0063 | с | U+0441
x | U+0078 | х | U+0445
So a domain such as ехample-bank.com, in which one or more letters (here the e and the x) are Cyrillic lookalikes and everything else is Latin, can trick even the most savvy users into thinking it is example-bank.com.
Reasons Why This Technique Is Highly Effective
There are three main reasons why IDN homograph attacks work:
- Visual Deception: the substituted glyphs differ from the originals by at most a font-rendering detail, and most people trust what they see.
- Browser Rendering: some browsers display the spoofed name in its Unicode form (ехample-bank.com) rather than in its ASCII Punycode form (a label beginning with xn--). The Punycode form is the one that would raise a red flag for users. Modern browsers apply heuristics, for instance showing Punycode when a label mixes scripts, but a label written entirely in one script, as in the apple.com case below, can slip past those heuristics.
- Security Oversight: many filters and detection systems do not check for script mixing or apply Unicode normalisation before comparing names, particularly in lightweight setups.
You can test this yourself by pasting the spoofed domain ехample-bank.com into a Punycode converter. If the output begins with xn-- rather than reading example-bank.com, you are looking at a Unicode domain that merely resembles the real one.
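As an added example (not code from the original article), the script below does what the online converter does, offline, with only the Python standard library: it prints the Punycode form of each domain and lists which scripts each label's letters come from. The sample domains are constructed here with explicit \u escapes so the Cyrillic letters are unambiguous; the all-Cyrillic аррӏе.com case from later in the article is included to show why a mixed-script check alone is not enough.

```python
# Added example for this article (not code from the original post): inspect a
# domain for homograph tricks with only the Python standard library.
# The built-in "idna" codec implements IDNA 2003 (nameprep + Punycode), which
# is enough to show the xn-- form that an online Punycode converter displays.
import unicodedata


def script_of(ch):
    """Script of one character, taken from its Unicode name: 'LATIN',
    'CYRILLIC', 'GREEK', ...  Returns None for digits, hyphens and other
    non-letters so they never count toward script mixing."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_punycode(domain):
    """ASCII (Punycode) form of the whole domain; ASCII labels pass through."""
    return domain.encode("idna").decode("ascii")


def analyse_label(label):
    """Per-label report: which scripts its letters come from, whether they
    mix, and the code point of every non-ASCII character."""
    scripts = sorted({s for s in map(script_of, label) if s})
    non_ascii = [
        (ch, "U+%04X" % ord(ch), unicodedata.name(ch, "?"))
        for ch in label if ord(ch) > 0x7F
    ]
    return {
        "label": label,
        "scripts": scripts,
        "mixed": len(scripts) > 1,   # more than one script among the letters
        "non_ascii": non_ascii,
    }


def analyse(domain):
    """Full report for a domain: its Punycode form plus one entry per label."""
    return {
        "unicode": domain,
        "ascii": to_punycode(domain),
        "labels": [analyse_label(lbl) for lbl in domain.split(".")],
    }


def print_report(domain):
    r = analyse(domain)
    print(f"{r['unicode']!s:22} -> {r['ascii']}")
    for lbl in r["labels"]:
        flag = "MIXED SCRIPT" if lbl["mixed"] else "/".join(lbl["scripts"]) or "-"
        print(f"    {lbl['label']!s:14} {flag}")
        for ch, cp, name in lbl["non_ascii"]:
            print(f"        {ch} {cp} {name}")


if __name__ == "__main__":
    # Constructed samples, written with escapes so the lookalikes are explicit.
    SAMPLES = [
        "example-bank.com",                     # genuine, all Latin
        "\u0435\u0445ample-bank.com",           # Cyrillic е (U+0435) and х (U+0445)
        "\u0430\u0440\u0440\u04cf\u0435.com",   # Zheng's аррӏе.com: all Cyrillic
    ]
    for d in SAMPLES:
        print_report(d)
```

Two things worth noticing in the output: the genuine domain comes back unchanged from the encoder, while both spoofs come back as xn-- labels; and the аррӏе.com label is reported as a single script (Cyrillic only), so a filter that only rejects mixed-script labels would pass it. Detecting that case needs a comparison against the Latin name it imitates, not just a script count.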
The result? Users land on phishing or malware sites that look legitimate, where their passwords, personal information or financial details are quietly collected.
All domain names mentioned in this article are either fictitious or used solely for illustrative and educational purposes.
Any similarity to actual, operational domains — including well-known websites like apple.com — is purely coincidental and not intended to imply affiliation, ownership, or endorsement.
The examples are provided to help readers understand cybersecurity risks such as IDN homograph attacks.
🧾 Real-World Example: A Spoofed apple.com That Fooled the Eye
IDN homograph attacks have happened in the real world, not just in theory. A notable example came in 2017, when security researcher Xudong Zheng registered a domain that rendered as apple.com in the browser's address bar yet was composed entirely of Cyrillic characters.
Using lookalikes like:
- Cyrillic а (U+0430) for Latin a
- Cyrillic р (U+0440) for Latin p
- Cyrillic palochka ӏ (U+04CF) for Latin l
- Cyrillic е (U+0435) for Latin e
Zheng produced the name аррӏе.com, which rendered visually as apple.com even though its actual encoded form was xn--80ak6aa92e.com.
He used the domain to demonstrate that the spoof rendered as the genuine name in contemporary browsers, including Chrome and Firefox. Zheng's goal was to raise awareness, but the demonstration also showed how readily the technique could be weaponised to steal credentials, particularly for high-value targets such as Apple ID logins.
🔗 Source: Xudong Zheng, "Phishing with Unicode Domains" (2017)
- https://www.xudongz.com/blog/2017/idn-phishing/
🌐 Further real-world examples of spoofed domains
🧾 1. paypal.com → раураl.com
Cybercriminals have repeatedly targeted PayPal users with homograph domains, replacing Latin letters with Cyrillic lookalikes such as р (U+0440), а (U+0430) and у (U+0443). The spoofed domain was used in phishing emails and on credential-harvesting pages that mimicked the PayPal login.
👉 Punycode: an xn-- label that bears no resemblance to "paypal" (something like xn--80aaah6c.com).
- ✔️ Generated as a candidate by domain-fuzzing tools such as dnstwist, whose homoglyph permutations produce variants like раураl.com.
- ✔️ CERT Polska has reported similar spoofing techniques against banking domains.
- ✔️ Verifiable on punycoder.com, where entering раураl.com yields a distinct Punycode value.
🧾 2. google.com → gооgle.com
Both o's were replaced with Cyrillic о (U+043E), giving a domain that rendered identically to the real one in most browsers. It was often paired with a valid TLS certificate so that the padlock appeared: domain-validated certificates are issued for the xn-- name like any other, so the padlock says nothing about who owns the brand. This technique targeted Gmail and Google Workspace users.
- ✔️ Referenced in ICANN SSAC Advisory SAC-075, which covers the dangers of homograph spoofing.
- ✔️ Generated and detected by dnstwist and similar domain-fuzzing and typo-squatting tools.
- ✔️ Repeatedly discussed in security blogs and phishing databases.
🧾 3. amazon.com → аmazon.com
Only the first a was swapped for Cyrillic а (U+0430). These spoofed domains hosted fake promotions or fake login pages, exploiting user trust in the Amazon brand, and the pattern appears frequently in phishing simulations and promo scams.
- ✔️ Identified in phishing detection systems and VirusTotal submissions.
- ✔️ Used in authorised phishing simulations run with red-team frameworks such as Gophish and Evilginx.
- ✔️ Validated with Punycode conversion tools like punycoder.com.
🧾 4. microsoft.com → microsоft.com
A single Cyrillic о (U+043E) in "soft" was enough to create a convincing clone. These domains were used in malware delivery and on fake support pages that copied Microsoft's branding and layout.
- ✔️ Highlighted in Microsoft's own Security Intelligence blog and in community reports.
- ✔️ Observed in campaigns impersonating Microsoft's support desk, often reported via ScamAdviser or flagged by browser warnings.
- ✔️ Found in real phishing emails where basic filters missed the domain mismatch.
- ✔️ Listed in phishing feeds such as PhishTank (community) or OpenPhish.
These examples show how minor visual substitutions bypass user scrutiny and sometimes evade browser and security filters. The technique remains in active use today.
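The examples above all follow one pattern: a few Cyrillic letters standing in for the Latin ones they imitate. As an added example (not code from the article or from any of the tools it names), the detector below catches that pattern the way a defender's filter would: it normalises the host name, maps each known lookalike back to the Latin letter it imitates (a "skeleton", in the spirit of Unicode's confusables.txt) and checks whether the result spells a protected brand. The CONFUSABLES table is a small hand-picked subset and the PROTECTED brand list is constructed for the demo; both are assumptions, not data from the article.

```python
# Added example for this article (not code from the original post or from any
# vendor tool it mentions): flag host names whose Cyrillic lookalikes spell a
# protected brand once they are reduced to the Latin letters they imitate.
import unicodedata

# Assumption: a hand-picked subset of Unicode's confusables.txt, enough for the
# examples in the article. A real deployment would load the full table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Assumption: the defender's own list of brands to protect (constructed here).
PROTECTED = ["apple.com", "paypal.com", "google.com", "amazon.com", "microsoft.com"]


def normalise(domain):
    """NFKC + casefold first, so fullwidth letters, ligatures and uppercase
    Cyrillic cannot dodge the lookup; a trailing dot is dropped."""
    return unicodedata.normalize("NFKC", domain).casefold().rstrip(".")


def skeleton(text):
    """Replace every known confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def check(domain, protected=PROTECTED):
    """Verdict for one host name.

    impersonates: the protected domain this name would be read as, or None.
    substitutions: (char, code point, Latin lookalike) for each swapped letter.
    The legitimate brand itself has no substitutions and is never flagged.
    """
    host = normalise(domain)
    skel = skeleton(host)
    subs = [(ch, "U+%04X" % ord(ch), CONFUSABLES[ch]) for ch in host if ch in CONFUSABLES]
    target = skel if (subs and skel in protected) else None
    return {"domain": domain, "skeleton": skel, "substitutions": subs, "impersonates": target}


if __name__ == "__main__":
    # Constructed samples mirroring the article's examples; escapes make the
    # Cyrillic letters explicit.
    samples = [
        "paypal.com",                            # genuine
        "\u0440\u0430\u0443\u0440\u0430l.com",   # раураl.com: р а у р а + Latin l
        "g\u043e\u043egle.com",                  # gооgle.com
        "\u0430mazon.com",                       # аmazon.com
        "micros\u043eft.com",                    # microsоft.com
        "\u0430\u0440\u0440\u04cf\u0435.com",    # аррӏе.com (all Cyrillic)
        "paypa1.com",                            # typosquat, not a homograph
    ]
    for s in samples:
        v = check(s)
        verdict = f"homograph of {v['impersonates']}" if v["impersonates"] else "no match"
        print(f"{s:18} skeleton={v['skeleton']:16} {verdict}")
        for ch, cp, latin in v["substitutions"]:
            print(f"    {ch} ({cp}) stands in for Latin '{latin}'")
```

Note what the skeleton comparison does and does not catch: раураl.com and the all-Cyrillic аррӏе.com both match (the second is the case a mixed-script check misses), but paypa1.com does not, because it is a typosquat rather than a homograph. A name such as paypal.com.evil.example would also pass, since this demo compares the whole host; a production filter would run the comparison on the registrable domain and load the full confusables table.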
🛠️ Want to Try It Yourself?
Paste the spoofed domains above into https://www.punycoder.com and observe the encoded differences: letters that look identical in Latin and Cyrillic produce entirely different xn-- strings.
📢 So no, this is not theoretical: these names have been registered, have served phishing pages and have harvested credentials.
Coming Up Next: What Security Tools Miss
In Part 2, we will examine how these attacks slip past many mainstream security tools and why traditional domain filters so often fail to detect them.