Homograph Phishing Attacks, Cyrillic Characters, and What to Watch Out For
Cybercriminals can exploit the visual similarity between some Cyrillic letters and Latin letters to create what is known as a homoglyph or homograph attack. This kind of spoofing attack is also known as script spoofing, because it exploits the fact that characters from different scripts look alike.
Criminals create fake URLs and email addresses that closely resemble legitimate ones by replacing Latin letters with similar-looking Cyrillic letters. This tactic can trick users into clicking on malicious links or providing sensitive information.
Other scripts whose characters differ from Latin but look similar, such as Hebrew, Thai or Greek, can be used in the same way.
What are Cyrillic letters?
The Cyrillic alphabet is used in languages such as Russian, Bulgarian, and Serbian. Many of its letters look very similar to the Latin letters we use every day. They are Unicode characters, and in domain names they are represented in ASCII, the character encoding standard for electronic communication, by means of Punycode. This encoding can be exploited in homograph attacks to create deceptive domain names that appear legitimate. (Source: IDN homograph attack - Wikipedia)
What does a homograph/homoglyph spoof look like?
See if you can spot the differences in the examples below:
www.exɑmple.com
This URL is using the Cyrillic letter "ɑ", which closely resembles the Latin letter "a".
example@gmail.cоm
This email address is using the Cyrillic letter "о", which resembles the Latin "o".
How do I protect myself?
Golden Rule: As always with anything phishing-related, if it looks fishy, it's probably phishing. Always use your best judgment when receiving emails. Double-check URLs and email addresses when navigating your inbox. It's always best to reach out to your IT team with any concerns you encounter.
Never click on any links that you are unsure about. Instead, type the address into your browser or a search engine. Always go directly to the well-known sites you use daily; do not rely on URLs in emails.
Always keep your browsers up to date with the latest security patches. Modern web browsers often have guardrails for the use of these characters and/or can prevent "mixed" scripts from different languages appearing in a single domain name.
Be aware of URLs whose domain labels start with "xn--", which indicates the use of Punycode. This encoding is used to represent Unicode characters in ASCII format, and spotting it can help identify the potential use of Cyrillic letters or a homograph attack.
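To make the Punycode point concrete, here is an added example in Python (not code from the original post) that converts a hostname to and from its "xn--" form with the standard library's punycode codec and flags labels that mix scripts or contain non-ASCII letters. The sample hostnames are constructed, and the conversion skips the IDNA normalisation and case folding that real resolvers apply.

```python
"""Homograph checks for hostnames: convert to/from Punycode and flag
lookalike labels. Sample hostnames below are constructed for the demo."""
import unicodedata

def to_punycode(host: str) -> str:
    """Wire form of a hostname: non-ASCII labels get the 'xn--' prefix.
    (Skips IDNA normalisation/case folding, which real resolvers apply.)"""
    out = []
    for label in host.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def from_punycode(host: str) -> str:
    """Reverse of to_punycode: decode 'xn--' labels back to Unicode."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)

def scripts_in(label: str) -> set:
    """Approximate each letter's script from its Unicode name
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); digits and hyphens are ignored."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def suspicious_labels(host: str) -> list:
    """Return (label, reason) pairs a reviewer should look at; accepts
    either the Unicode or the xn-- form of the hostname."""
    findings = []
    for label in from_punycode(host).split("."):
        if label.isascii():
            continue  # plain ASCII: nothing to confuse with
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        else:
            findings.append((label, "non-ASCII letters: " + ", ".join(sorted(scripts))))
    return findings

if __name__ == "__main__":
    # constructed samples: Cyrillic а (U+0430) and о (U+043E) swapped into Latin names,
    # plus U+0251 (LATIN SMALL LETTER ALPHA), which Unicode does not class as Cyrillic
    for h in ("www.ex\u0430mple.com", "gmail.c\u043em", "www.ex\u0251mple.com", "example.com"):
        print(h, "->", to_punycode(h), suspicious_labels(h))
```

Note that "ɑ" (U+0251) from the first example above is LATIN SMALL LETTER ALPHA in Unicode, so the mixed-script rule does not fire on it; the non-ASCII rule is what catches that label.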
If you use Outlook:
Block emails from certain countries or regions
On the Home tab, click Junk > Junk Email Options.
In the Junk Email Options dialog box, head to the International tab.
Click on Blocked Top-Level Domain List and select the countries or regions that you want to restrict. You can also uncheck any countries or regions that you wish to unblock.
Click OK twice to save your changes and close both dialog boxes.
Emails from the blocked countries or regions will be moved to the Junk Email folder automatically. You can review them periodically and delete them as needed.
This feature helps you minimize emails originating from countries you may not be expecting communication from, adding an extra layer of security to your inbox.
You can also block emails in particular encodings and languages:
Once again, go to the Home tab and click on Junk > Junk Email Options.
Navigate to the International tab.
Click Blocked Encodings List and check the boxes for the encodings you want to filter out.
If you don't receive emails in other languages, the only encoding most folks need is "Unicode (UTF-8)". If this is true for you, you can block all the other encodings on the list.
Homograph phishes can be tricky to detect, but by staying vigilant and using the right tools, you can protect yourself from becoming a victim. Always verify links, educate yourself and others, and implement strong security practices to stay one step ahead of cybercriminals.
If you are a current TIC Client: You can reach out to us if you have any questions regarding this. Please reach out via email or by phoning the support line. Email the Help Desk at support@ticbiz.com or call 617-884-1086, and a technician will be happy to assist.
Not a client and want to learn more about how TIC can help keep your company informed on phishing trends? Contact us by clicking here.