Homograph Attack

A Homograph Attack, also known as a “script spoofing” or “IDN homograph” attack, targets unsuspecting users by exploiting the visual similarities between letters from different scripts. This technique is extraordinarily effective in phishing simulations because it leverages the human errors inherent in visually comparing domain names and email addresses. For a phishing practitioner, understanding and deploying homograph attacks can be crucial for revealing how employees might react to subtle visual tricks that real attackers often use.

A homograph attack manipulates visual similarity between characters to deceive users, often involving internationalized domain names (IDNs) that can closely resemble trusted domains.

By presenting users with a domain or email address that looks nearly identical to a legitimate one, homograph attacks aim to trick the targeted individual into assuming they are interacting with a genuine and trusted source. This tactic is commonly deployed in phishing scenarios to capture credentials or distribute malware.

Key Implementation and Success

Implementing homograph attacks in phishing simulations requires meticulous attention to detail to ensure the attacks closely mimic those used by genuine threat actors. The effectiveness of a homograph attack in a simulation hinges on two core elements: the choice of characters and the context of use.

Character Selection

The choice of characters in a homograph attack can mean the difference between success and failure. Characters from different scripts that look similar are substituted to create a visual deception. For instance, using the Cyrillic ‘а’ (U+0430) in place of the Latin ‘a’ (U+0061) can fool users into thinking they’re viewing a familiar URL.
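The substitution described above is mechanically detectable even though it is invisible to the eye. The following Python code is an added example, not part of the original page: it flags domain labels that mix scripts and prints the ASCII (`xn--`) form a resolver actually sees. The function names are hypothetical, the sample domains are constructed from the page's description, and "script" is approximated by the first word of each character's Unicode name.

```python
import unicodedata

# Constructed samples. Escapes make the substituted characters explicit:
# U+0430 = CYRILLIC SMALL LETTER A, U+0441 = CYRILLIC SMALL LETTER ES.
SAMPLES = [
    "paybank.com",                                # all Latin
    "p\u0430yb\u0430nk.com",                      # Cyrillic 'a' twice
    "portal.\u0441omp\u0430ny-internal.net",      # Cyrillic 'c' and 'a'
    "\u043f\u0440\u0438\u043c\u0435\u0440.com",   # whole label in Cyrillic
]


def char_script(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphen are shared by all scripts
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in map(char_script, label) if s}


def inspect_domain(domain):
    """Return (ascii_form, labels_that_mix_scripts) for a domain name."""
    labels = domain.lower().split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    # The built-in "idna" codec yields the xn-- form that DNS resolves.
    ascii_form = domain.encode("idna").decode("ascii")
    return ascii_form, mixed


if __name__ == "__main__":
    for d in SAMPLES:
        ascii_form, mixed = inspect_domain(d)
        verdict = "MIXED-SCRIPT" if mixed else "single-script"
        print(f"{ascii_form:45} {verdict}")
        for lab in mixed:
            print(f"    label scripts: {sorted(label_scripts(lab))}")
```

A label written entirely in one non-Latin script passes the mixed-script check, so the `xn--` form should also be compared against an allow-list of the organization's expected domains.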

Contextual Relevance

The context in which a homograph attack is applied greatly impacts its believability. A vital aspect is ensuring that the phishing lure aligns with the target organization’s usual communications. The more plausible and relevant the scenario, the more convincing the attack.

Concrete Examples of Homograph Attacks

Below are concrete examples demonstrating how homograph attacks can be successfully implemented in phishing simulations:

Example 1: Financial Institution Impersonation

A homograph attack might involve an email purporting to be from a bank, asking the recipient to verify account information. The sender address appears as support@паybаnk.com, where both ‘a’ characters have been replaced with Cyrillic ‘а’ (U+0430). To the casual observer, this address is indistinguishable from the legitimate address support@paybank.com.


Subject: Important: Verify Your Account Information

Dear Customer,

We detected unusual activity on your account. Please verify your information using the link below:

<a href="https://www.паybаnk.com/secure-login">https://www.паybаnk.com/secure-login</a>

Thank you for your prompt attention to this matter.

Best regards,
Paybank Security Team

Example 2: Corporate Communication Yoink

This example targets employees with a simulated internal communication from the IT department. The email address used is IT@сompаny-internal.net, with a Cyrillic ‘c’ (U+0441) and ‘а’ (U+0430), intended to mimic IT@company-internal.net. The email instructs employees to update software using a provided link.


Subject: URGENT: Mandatory Software Update Needed

Team,

To ensure a secure and seamless work environment, please download and install the latest software update from the link provided below:

<a href="https://portal.сompаny-internal.net/update">https://portal.сompаny-internal.net/update</a>

Your cooperation is greatly appreciated,
IT Department

Example 3: E-commerce Alert Disguise

This scenario involves an email allegedly from a trusted e-commerce site, urging the recipient to confirm a recent purchase they did not make. The source address warn@amаzon-support.com replaces the Latin ‘a’ with a Cyrillic equivalent. It invites the user to verify or cancel the order via a link.


Subject: Your Amazon Order - Action Required

Hello,

We noticed a new order placed from your account that looks suspicious. To confirm or cancel this order, please visit:

<a href="https://www.amаzon-support.com/order-check">https://www.amаzon-support.com/order-check</a>

If you did not make this purchase, please confirm your details immediately.

Regards,
Amazon Support Team

Good, Better, Best Approach

  • Good: Using visually similar characters from non-Latin scripts to replace common letters in URLs. Ensure these characters aren’t easily detectable.
  • Better: Contextualizing homograph attacks within credible scenarios that mirror legitimate transactions or internal communications.
  • Best: Combining homograph techniques with other social engineering components, like time-sensitive warnings, customized user data, or alignment with ongoing real-world events, to enhance believability and urgency.

Related Concepts

  • Phishing: A broad social engineering-based attack, within which homograph attacks find a niche application.
  • IDNs (Internationalized Domain Names): Domains that include letters from different scripts, a technical basis for character manipulation in homograph attacks.
  • OWASP Phishing Testing: A methodology framework for conducting phishing tests, which includes homograph attack methods.


Educational Purpose: This content is provided for awareness and defensive purposes only. Understanding attacker methodologies helps individuals and organizations protect themselves.

