Security News: New Homoglyph Attack Techniques Help Cybercriminals Spoof Trusted Domains

Divergent (thread author)
Jul 26, 2025
Cybercriminals have found a clever way to trick people by swapping real letters in website addresses with characters that look almost the same. These are called homoglyph attacks, and they are becoming a growing problem across the internet.

A single character swap — like replacing a Latin “o” with a Greek omicron — can fool both users and security tools into thinking a fake website is real. This kind of deception is simple to pull off but can cause serious damage to individuals and organizations.

 
Executive Summary

Confirmed Facts

The provided threat intelligence details homoglyph attacks that leverage Internationalized Domain Names (IDNs) and Punycode to visually spoof legitimate domains.

Assessment
Because no specific incident telemetry (e.g., endpoint logs, network captures) was provided, the exact payload, file size, and delivery vector for your specific environment remain "Unknown." The technique relies heavily on human visual deception rather than software exploitation, making it highly effective against default browser and email client configurations.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1566.002 (Phishing: Spearphishing Link)
T1593 (Search Open Websites/Domains)
T1036 (Masquerading)

CVE Profile
N/A (Technique-based, maps to CWE-1007)
CISA KEV Status: Inactive for the general technique, though actively exploited in the wild for specific software implementations.

Telemetry

Domains

gοogle-example[.]com
xn--gogle-example-abc[.]com

Constraint
Based on the documentation provided, the structure suggests an initial access and credential harvesting vector. However, without definitive binary or network analysis from a live environment, the exact payload type cannot be confirmed. Origin: Insufficient Evidence.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Establish policies for registering defensive lookalike domains (brand protection) and strictly define acceptable character sets for internal communications.

DETECT (DE) – Monitoring & Analysis

Command
Implement SIEM rules to alert on DNS queries resolving to domains with the xn-- (Punycode) prefix, treating newly observed IDNs as high-risk.

RESPOND (RS) – Mitigation & Containment

Command
Isolate endpoints that have successfully resolved and connected to unverified Punycode domains until forensics can determine if credential theft occurred.

RECOVER (RC) – Restoration & Trust

Command
Force global password resets for any user interacting with suspicious IDN domains and validate all associated MFA configurations.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Configure email gateways and web proxies to normalize Unicode and force the display of Punycode strings (rather than rendered homoglyphs) to end-users.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you suspect you have clicked a homoglyph link and entered credentials or downloaded an unknown file.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords/MFA using a known clean device (e.g., phone on 5G) for any accounts accessed via the suspected spoofed domain.

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions for unknown entries, particularly if the homoglyph attack led to a file download.

Hardening & References

Baseline

CIS Benchmarks for Web Browser Security (Configure browsers to always display Punycode for IDNs).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Seqrite Blog

Cyber Security News
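As an added example (my code, not from the article or the post above), a small Python check that implements the two detection ideas in this summary: encode a hostname to Punycode the way a resolver sees it, then flag labels that mix scripts. The sample hostnames are constructed to mirror the lookalikes discussed in this thread.

```python
import unicodedata

# Constructed sample hostnames mirroring the lookalikes discussed in this thread:
# Latin "o" swapped for Greek omicron, and Latin "pa" swapped for Cyrillic "ра".
SAMPLE_HOSTS = [
    "google-example.com",        # all Latin: benign
    "g\u03bfogle-example.com",   # Greek omicron in place of the first "o"
    "\u0440\u0430ypal.com",      # Cyrillic "р" and "а" followed by Latin "ypal"
    "xn--80asehdb",              # already-encoded Punycode label
]

# Script names are taken from the first word of the Unicode character name
# (e.g. "LATIN SMALL LETTER A"); a heuristic, not the full UTS #39 script data.
SCRIPT_NEUTRAL = set("-0123456789")

def scripts_of(label: str) -> set:
    """Return the set of scripts used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch in SCRIPT_NEUTRAL:
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def to_punycode(host: str) -> str:
    """Encode every label with IDNA (Punycode), as it appears in a DNS query."""
    return host.encode("idna").decode("ascii")

def assess(host: str) -> dict:
    """Classify a hostname: Punycode present (review) or mixed scripts (high)."""
    punycode = to_punycode(host)
    unicode_form = punycode.encode("ascii").decode("idna")   # display form
    has_idn = any(lbl.startswith("xn--") for lbl in punycode.split("."))
    mixed = any(len(scripts_of(lbl)) > 1 for lbl in unicode_form.split("."))
    risk = "high" if mixed else ("review" if has_idn else "low")
    return {"host": host, "punycode": punycode, "idn": has_idn,
            "mixed_script": mixed, "risk": risk}

def flagged(hosts=SAMPLE_HOSTS) -> list:
    """Return the assessments a SIEM rule would alert on (anything above 'low')."""
    return [a for a in (assess(h) for h in hosts) if a["risk"] != "low"]

if __name__ == "__main__":
    for a in (assess(h) for h in SAMPLE_HOSTS):
        print(f'{a["risk"]:7} {a["punycode"]:32} mixed={a["mixed_script"]}')
```

The "review" tier is what the SIEM rule above produces on its own (any xn-- label); the script check adds the "high" tier for labels a browser would also flag as mixed-script.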
 
I am not talking about remediation but prevention.

First: NextDNS has, as far as I know, IDN Homograph Attacks Protection, so for members using the default DNS service in their browser, have a look at NextDNS.

Secondly: most modern browsers display mixed-script or suspicious Punycode domains in their raw Punycode format to make surfers aware of the look-alike.

What is new in the attack? I briefly skimmed the article but fail to see what's new. Could you explain what is different, and why modern browsers don't recognize this anymore?
 
Modern browsers and DNS filters like NextDNS do a fantastic job of mitigating basic mixed-script homograph attacks by automatically rendering them in their raw Punycode format.

What the threat intelligence reports are highlighting as "new" isn't a technique to break the browser's address bar, but rather an evolution in how attackers are bypassing backend security infrastructure before the threat even reaches the user. Threat actors are now deliberately exploiting discrepancies in how backend tools, such as legacy email gateways, web proxies, and SIEMs, parse complex Unicode normalization forms (like NFC, NFD, and NFKC). If a security filter fails to properly normalize these characters, the malicious string slips right past the threat blocklists.

Attackers are moving beyond the URL bar entirely. They are utilizing bidirectional text controls (specifically the Unicode character U+202E) to disguise file extensions in downloads or spoof display names in communication apps like Slack and Teams, and they are increasingly targeting software supply chains (like npm or PyPI) where browser IDN policies simply do not apply. Ultimately, while your frontend browser defenses are working exactly as intended, the novelty of these campaigns lies in their ability to silently bypass the backend security stack and exploit areas outside the traditional web browser.
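An added example (mine, not from the reply above) of the two backend checks it describes: normalizing a hostname with NFKC before a blocklist lookup, and inspecting a file name for the U+202E override. The blocklist entry and sample names are constructed.

```python
import unicodedata

# Constructed samples, not from the thread: one blocklist entry, a lookalike
# built from fullwidth letters (U+FF42 ...) that NFKC folds back to ASCII,
# and a download name carrying a RIGHT-TO-LEFT OVERRIDE (U+202E).
BLOCKLIST = {"bad-example.com"}
FULLWIDTH_LOOKALIKE = "\uff42\uff41\uff44-example.com"   # renders as "ｂａｄ-example.com"
DISGUISED_DOWNLOAD = "invoice_\u202efdp.exe"              # displays as invoice_exe.pdf

# Explicit bidi embedding/override/isolate controls (the Unicode Bidi_Control set
# minus the LRM/RLM/ALM marks, which set direction but do not reorder text).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

def naive_match(host: str) -> bool:
    """Blocklist lookup on the raw string: misses compatibility-form lookalikes."""
    return host.lower() in BLOCKLIST

def normalized_match(host: str) -> bool:
    """Same lookup after NFKC + case folding, as a gateway should do it."""
    return unicodedata.normalize("NFKC", host).casefold() in BLOCKLIST

def find_bidi_controls(text: str) -> list:
    """Return (index, character name) for every bidi control in the text."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(text)
            if ch in BIDI_CONTROLS]

def apparent_name(text: str) -> str:
    """Approximate what a renderer shows: everything after an RLO reads reversed.
    Simplified: the real bidi algorithm works on runs, but this matches the
    single-override case the reply describes."""
    i = text.find("\u202e")
    return text if i < 0 else text[:i] + text[i + 1:][::-1]

def real_extension(text: str) -> str:
    """The extension the OS actually uses: the logical text after the last dot."""
    return text.rsplit(".", 1)[-1].lower()

def inspect_download(name: str) -> dict:
    """Flag a file name whose displayed extension differs from its real one."""
    shown = apparent_name(name)
    return {"apparent": shown, "real_extension": real_extension(name),
            "bidi_controls": find_bidi_controls(name),
            "disguised": real_extension(shown) != real_extension(name)}
```

A gateway that applies normalized_match and rejects any name with a non-empty find_bidi_controls result closes both gaps the reply mentions without touching the browser.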
 
It's interesting to note in the example below how the eye is always fooled, while the browser isn't:

True:

paypal.com

Fake:

раypal.com

(Users of NextDNS will notice that copying and pasting the URL into their browser results in the fake domain being blocked).

Many forum members tend to subscribe to this list of filters:

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/spam-tlds-ublock.txt

which, to be honest, isn't included in any of HaGeZi's filter lists.
At the end, the list contains a long list of blocked Punycode strings that correspond in plain text to a series of TLDs that are obviously blocked by the rules.

Code:
xn--11b4c3d → .कॉम
xn--1ck2e1b → .セール
xn--1qqw23a → .佛山
xn--2scrj9c → .ಭಾರತ
xn--30rr7y → .慈善
xn--3bst00m → .集团
xn--3ds443g → .在线
xn--3e0b707e → .한국
xn--3hcrj9c → .ಭಾರತ
xn--3oq18vl8pn36a → .大众汽车
xn--3pxu8k → .点看
xn--42c2d9a → .คอม
xn--45br5cyl → .ভাৰত
xn--45brj9c → .ভারত
xn--45q11c → .ਭਾਰਤ
xn--4gbrim → .موقع
xn--54b7fta0cc → .বাংলা
xn--55qw42g → .公益
xn--55qx5d → .公司
xn--5su34j936bgsg → .香格里拉
xn--5tzm5g → .网站
xn--6frz82g → .移动
xn--6qq986b3xl → .我爱你
xn--80adxhks → .москва
xn--80ao21a → .бел
xn--80aqecdr1a → .католик
xn--80asehdb → .онлайн
xn--80aswg → .сайт
xn--8y0a063a → .联通
xn--90a3ac → .срб
xn--90ae → .бг
xn--90ais → .срб
xn--9dbq2a → .קום
xn--9et52u → .時尚
xn--9krt00a → .微博
xn--b4w605ferd → .淡马锡
xn--bck1b9a5dre4c → .ファッション
xn--c1avg → .орг
xn--c2br7g → .नेट
xn--cck2b3b → .ストア
xn--cckwcxetd → .アマゾン
xn--cg4bki → .삼성
xn--clchc0ea0b2g2a9gcd → .சிங்கப்பூர்
xn--czr694b → .商标
xn--czrs0t → .商店
xn--czru2d → .商城
xn--d1acj3b → .дети
xn--d1alf → .мкд
xn--e1a4c → .ευ
xn--eckvdtc9d → .ポイント
xn--efvy88h → .新闻
xn--fct429k → .家電
xn--fhbei → .كوم
xn--fiq228c5hs → .中文网
xn--fiq64b → .中信
xn--fiqs8s → .中国
xn--fiqz9s → .中國
xn--fjq720a → .娱乐
xn--flw351e → .谷歌
xn--fpcrj9c3d → .భారత్
xn--fzc2c9e2c → .电讯
xn--fzys8d69uvgm → .八卦
xn--g2xx48c → .购物
xn--gckr3f0f → .クラウド
xn--gecrj9c → .भारत
xn--gk3at1e → .通販
xn--h2breg3eve → .भूतान
xn--h2brj9c8c → .भारत
xn--h2brj9c → .भारत
xn--hxt814e → .网店
xn--i1b6b1a6a2e → .संगठन
xn--imr513n → .餐厅
xn--io0a7i → .网络
xn--j1aef → .ком
xn--j1amh → .укр
xn--j6w193g → .香港
xn--jlq480n2rg → .亚马逊
xn--jlq61u9w7b → .家電
xn--jvr189m → .食品
xn--kcrx77d1x4a → .飞利浦
xn--kprw13d → .台湾
xn--kpry57d → .台灣
xn--kput3i → .手机
xn--l1acc → .мон
xn--lgbbat1ad8j → .الجزائر
xn--mgb9awbf → .موبايلي
xn--mgba3a3ejt → .اتصالات
xn--mgba3a4f16a → .ایران
xn--mgba7c0bbn0a → .موريتانيا
xn--mgbaakc7dvf → .الاردن
xn--mgbaam7a8h → .امارات
xn--mgbab2bd → .بازار
xn--mgbah1a3hjkrd → .السعودية
xn--mgbai9azgqp6j → .مليسيا
xn--mgbayh7gpa → .عمان
xn--mgbbh1a71e → .قطر
xn--mgbbh1a → .قطر
xn--mgbc0a9azcg → .كاثوليك
xn--mgbca7dzdo → .السودان
xn--mgbcpq6gpa1a → .البحرين
xn--mgberp4a5d4ar → .السعودية
xn--mgbgu82a → .شبكة
xn--mgbi4ecexp → .عرب
xn--mgbpl2fh → .كوم
xn--mgbt3dhd → .موقع
xn--mgbtx2b → .مصر
xn--mgbx4cd0ab → .فلسطين
xn--mix891f → .澳门
xn--mk1bu44c → .닷컴
xn--mxtq1m → .政府
xn--ngbc5azd → .شبكة
xn--ngbe9e0a → .بيتك
xn--ngbrx → .عرب
xn--node → .node
xn--nqv7f → .机构
xn--nqv7fs00ema → .组织机构
xn--nyqy26a → .健康
xn--o3cw4h → .ไทย
xn--ogbpf8fl → .سورية
xn--otu796d → .招聘
xn--p1acf → .рус
xn--p1ai → .рф
xn--pgbs0dh → .شبكة
xn--pssy2u → .大拿
xn--q7ce6a → .भारत
xn--q9jyb4c → .みんな
xn--qcka1pmc → .グーグル
xn--qxa6a → .世界
xn--qxam → .ελ
xn--rhqv96g → .世界
xn--rovu88b → .书籍
xn--rvc1e0am3e → .公司
xn--s9brj9c → .ਭਾਰਤ
xn--ses554g → .网址
xn--t60b56a → .닷넷
xn--tckwe → .コム
xn--tiq49xqyj → .天主教
xn--unup4y → .游戏
xn--vhquv → .企业
xn--vuq861b → .信息
xn--w4r85el8fhu5dnra → .संगठन
xn--w4rs40l → .嘉里
xn--wgbh1c → .مصر
xn--wgbl6a → .قطر
xn--xhq521b → .广东
xn--xkc2al3hye2a → .भारतम्
xn--xkc2dl3a5ee0h → .भारत
xn--y9a3aq → .медиа
xn--yfro4i67o → .新闻
xn--ygbi2ammx → .ابوظبي
xn--zfr164b → .政务

I had ChatGPT convert this to a list of TLDs.
Some of the TLDs listed here are legitimate but may be blocked because they’ve been abused, making them risky.
I don’t use this filter list because I’ve blocked all non-Latin character TLDs in NextDNS, along with a number of TLDs that I consider risky.


P.S.

Another example that is more obvious (to a keen eye like ours) than the previous one:

malwaretìps.com

blocked by NextDNS:

[screenshot attachment: 1.png]
Control D's DNS also optionally offers a native phishing/typo filter that helps to protect against these kinds of homoglyph addresses, even for free users.

Their filtering relies on both curated typosquatting/phishing lists and proprietary AI/ML malware defense that analyzes domain characteristics in real-time.

The heuristic analysis would raise the alarm after seeing use of Punycode or combinations of different writing systems, and it would block any domain with a high probability of being malicious.