
What are Homograph Attacks?

Homograph attacks exploit lookalike characters from different alphabets to create domain names that are visually identical to legitimate ones but actually point to a completely different site.

What are homograph attacks?

A homograph attack (also called an IDN homograph attack or script spoofing) uses characters from non-Latin scripts—such as Cyrillic, Greek, or Armenian—that look identical or nearly identical to Latin letters. By substituting these lookalike characters, an attacker can register a domain that appears identical to a legitimate site in the browser's address bar.

For example, the Cyrillic letter "a" (U+0430) looks identical to the Latin letter "a" (U+0061) in most fonts. An attacker can register a domain using the Cyrillic "a" that is visually indistinguishable from the real domain.

⚠️ The most dangerous lookalike attack: Unlike typosquatting, where a careful user can spot the misspelling, homograph domains can be literally impossible to distinguish visually from the real domain. This makes them the highest-risk form of domain impersonation.

Why they are dangerous

👁️ Visually undetectable
Homograph domains can be completely indistinguishable from the real domain in most fonts. Even security-conscious users cannot spot the difference by looking at the URL.

🔒 Valid SSL certificates
Attackers can obtain legitimate SSL certificates for homograph domains, showing the green padlock. The domain appears secure and trustworthy to the victim.

📧 Email impersonation
Homograph domains can send emails that appear to come from the real organization. Email clients may display the lookalike domain identically to the real one.

🎯 Targeted spear phishing
These attacks are often used in targeted campaigns against high-value targets because the lookalike domain withstands close scrutiny.

How homograph attacks work

The attack exploits Internationalized Domain Names (IDN), which allow non-ASCII characters in domain names:

1. Find lookalike characters
The attacker identifies characters from other scripts (Cyrillic, Greek, etc.) that look identical to Latin characters in the target domain.

2. Register an IDN domain
Using Punycode encoding (the xn-- prefix), the attacker registers the domain with an IDN-supporting registrar. The Punycode version looks different, but the displayed version looks identical.

3. Host malicious content
The attacker sets up a phishing page, obtains an SSL certificate, and waits for victims to arrive via phishing emails or social engineering links.

4. Victim sees the "real" domain
In browsers that display the Unicode version (rather than Punycode), the victim sees what appears to be the legitimate URL with a valid SSL certificate.

Punycode example

apple.com → xn--80ak6aa92e.com (with Cyrillic "a", "p", "l", "e")

The Punycode representation (xn--80ak6aa92e.com) is the actual domain stored in DNS, but browsers may display the Unicode version, which looks like apple.com.

Lookalike character examples

Many characters from different Unicode scripts are visually identical or nearly identical to Latin letters:

| Latin | Lookalike | Script | Unicode |
|-------|-----------|--------|---------|
| a | а | Cyrillic | U+0430 |
| e | е | Cyrillic | U+0435 |
| o | о | Cyrillic | U+043E |
| p | р | Cyrillic | U+0440 |
| c | с | Cyrillic | U+0441 |
| x | х | Cyrillic | U+0445 |
| i | і | Cyrillic (Ukrainian) | U+0456 |
| o | ο | Greek | U+03BF |

💡 Mixed-script detection: Domain Guarddog detects homograph attacks by analyzing registered lookalike domains for mixed-script characters and confusable Unicode sequences. These are flagged as high-risk threats because they are virtually undetectable by humans.

Browser defenses

Modern browsers have implemented countermeasures against homograph attacks, though they are not foolproof:

| Browser | Defense |
|---------|---------|
| Chrome | Displays Punycode when a domain mixes scripts or uses confusable characters. Uses an allowlist of safe script combinations. |
| Firefox | Displays Punycode for mixed-script domains. Users can force Punycode display via the network.IDN_show_punycode setting. |
| Safari | Displays Punycode for domains with mixed scripts and displays a warning for potentially deceptive domains. |
| Edge | Uses Chromium's IDN display policy, showing Punycode for suspicious mixed-script domains. |

⚠️ Whole-script homographs bypass browser protections: When all characters in a domain come from a single non-Latin script (e.g., all Cyrillic), some browsers do not show the Punycode version. This means a fully-Cyrillic lookalike of apple.com may still display as the readable version.
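As an added example (not Domain Guarddog's code and not any browser's implementation), the following Python script decodes a Punycode domain such as the apple.com lookalike above, classifies each label's script from Unicode character names, and flags both mixed-script labels and the whole-script confusable case that browsers may miss. The confusable map is the page's table plus Cyrillic palochka (U+04CF) as the lookalike "l", which is an assumption; the sample domains are constructed.

```python
import unicodedata

# Confusable map from the page's table (non-Latin letter -> Latin lookalike), plus
# Cyrillic palochka U+04CF -> "l" (assumption: the page's Punycode example needs a
# Cyrillic "l", which its table does not list).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03bf": "o",
    "\u04cf": "l",
}

def to_unicode(domain):
    """Decode each xn-- label with the Punycode codec; ASCII labels pass through."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def scripts_of(label):
    """Scripts used by a label's letters, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Swap each confusable for its Latin lookalike: the string the user perceives."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def analyze(domain):
    """Return (unicode_form, perceived_form, risk, reason) for a domain."""
    uni = to_unicode(domain)
    labels = uni.split(".")
    risk, reason = "low", "single script, not fully confusable"
    for label in labels[:-1]:  # judge each label on its own, as browsers do; skip the TLD
        letters = [ch for ch in label if ch.isalpha()]
        scripts = scripts_of(label)
        if len(scripts) > 1:
            risk, reason = "high", f"mixed scripts {sorted(scripts)} in {label!r}"
        elif letters and "LATIN" not in scripts and all(ch in CONFUSABLES for ch in letters):
            # Whole-script homograph: one non-Latin script, every letter a lookalike.
            risk, reason = "high", f"whole-script confusable label {label!r}"
    return uni, ".".join(skeleton(lb) for lb in labels), risk, reason

if __name__ == "__main__":
    # Constructed samples: the page's Punycode example, a mixed-script lookalike, a benign domain.
    for d in ("xn--80ak6aa92e.com", "p\u0430ypal.com", "example.com"):
        print(d, "->", analyze(d))
```

The whole-script branch is what catches an all-Cyrillic label after a browser has chosen to render it as Unicode; an all-Cyrillic label with letters outside the confusable map stays "low".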

How to protect yourself

Monitor for homograph domains

Use Domain Guarddog to automatically detect when someone registers a homograph lookalike of your domain. These are flagged as high-risk threats.

Use bookmarks for critical sites

Never click links to log into banking, email, or other sensitive services. Use browser bookmarks so you always reach the real domain.

Enable Punycode display

In Firefox, set network.IDN_show_punycode to true in about:config. This forces all IDN domains to show their Punycode representation.

Use multi-factor authentication

Even if credentials are stolen via a homograph phishing site, MFA prevents the attacker from accessing the real account.

Report homograph domains

If you discover a homograph domain targeting your brand, report it to the registrar, Google Safe Browsing, and relevant anti-phishing organizations.

Detect homograph attacks against your domain

Domain Guarddog scans for homograph lookalikes using Unicode confusable analysis and alerts you to high-risk threats.
