Home

WATCH WHAT YOU READ! PART 2: PHISHING/SPOOFING THREAT OF HOMOGRAPHS/ HOMOGLYPHS

May 27, 2021

By Lucy Rana and Pranit Biswas

Phishing comes in many shapes and forms and is a menace which is as old as modern internet itself. This particular piece will cover a more advanced and often dangerously overlooked type of phishing or web-attacks. Phishing involving minor typographical errors is not a new threat to the public. While the awareness levels of the general public and internet users has increased by leaps and bounds over the years, many can easily still fall prey to devious phishers. It is after all, a common cognitive error wherein readers comprehend the entirety of the text based on a few familiar letters, despite spelling errors and other misplaced letters therein – for example, it is very easy to confuse ‘AstraZeneca’ and ‘AztraZeneca’ or ‘PFIZER’ with ‘PIFZER’. For more information regarding such phishing and typo-scams, please see our earlier article at https://ssrana.in/articles/typoscam-typosquatting-phishing-covid19/.

With the increase in sophistication in phishing coupled with the ever increasing quantum of general awareness of internet users, phishers are also employing more sophisticated tactics to perpetuate their scams – for example, once can appreciate how difficult it may be for a person to distinguish between Citibank.com and Citibɑnk.com.

WHAT IS A HOMOGRAPH OR A HOMOGLYPH?

The online Merriam-Webster dictionary defines a ‘homograph’ as one of two or more words spelled alike but different in meaning or derivation or pronunciation[1]. Whereas Oxford defines a ‘homograph’ as words that are spelt the same but have different meanings, such as content (what is inside) and content (satisfied) or wind (air) and wind (twist)[2]. Whereas many other online dictionaries such as Wordnik, YourDictionary, etc., define a ‘homoglyph’ as a character or a glyph which is so identical with another character/glyph, that the difference is not visible upon a quick perusal[3].

A non-exhaustive list of such character/glyphs is given below for reference:

Character/ glyphs which closely resemble English/Latin characters
ɑ – similar to “a” – similar to “u” – similar to p

 

– similar to “k” – similar to “b” 0 – similar to “o” or “O”

 

– similar to “n” or II  – similar to “H” г – similar to “r”

 

HOMOGRAPH/ HOMOGLYPH SPOOFING

Thus, the concept of ‘homograph/homoglyph spoofing’ or ‘homograph/homoglyph phishing’ or ‘homograph/homoglyph attack’ in essence, inter alia involves the use of domain names/websites/emails, etc, which closely resemble the original domain/website, and is only differentiated by the use of similar looking characters like the Cyrillic alphabet “ɑ” as compared to its English variant “a”. Thus, a homograph or homoglyph attack can be associated with a hypothetical domain/website such as Citibɑnk.com or CitiБank.com, which users can mistakenly believe to read as Citibank.com.

Certain hypothetical examples are shown below:

Real Website/Domain Fake Website/ Domain Observations
Gtbank.com

 

Covaxin.com

 

IndiaVaccines.com

Gtbɑnk.com

 

Covɑxin.com

 

IndiaVɑccines.com

The alphabet “a” used in the fake domain/website is “ɑ” from the Cyrillic alphabet.

Thus, a simple substitution of the Latin/English alphabet “a” by the Cyrillic letter “ɑ” in itself has the potential to turn into a huge menace.

It is pertinent to keep in mind that while a words like “bɑnk” or “vɑccine” (i.e. bank and vaccine wherein the alphabet “a” has been substituted by “ɑ”) can easily be detected and red-flagged in a word editor such as MS Word or such softwares, such names may not be flagged in many web-browsers/ URL tabs. Moreover, the threat of such spoofing/phishing is even more dangerous when one receives emails from such websites/domain names. Such phishing/spoofing/web-attacks are not limited to usage of special characters like “ɑ” or “г”, but may also involve clever use of combination of standard English/Latin characters, such as r + n = rn (similar to the alphabet “m).

In a way, such homographic/ homoglyphic spoofing/phishing is very similar to typosquatting and it can be said that these types of web-attacks/scams are even more difficult to detect as compared to traditional typosquatting.

Such skilled phishing/spoofing/web-attacks assume even greater importance in today’s world, considering the COVID-19 pandemic. Internet Users must be more aware and cautious than ever before, to not fall prey to such criminals. [For more information about examples of such Cyber Theft and the laws governing such cyber-crime in India, please refer to https://ssrana.in/articles/cyber-theft-a-serious-concern-in-india/.]

DOMAIN NAME ARBITRATION – A SOLUTION TO OBTAIN SUCH DOMAIN NAMES

As discussed in our earlier article at https://ssrana.in/typoscam-typosquatting-phishing-covid19/, domain name arbitration is a good option for tackling such matters. In this scenario, such web attacks/phishing/ spoofing borne out of usage of homographs/ homoglyphs can be said to be a subset of typosquatting.

UDRP (UNIFORM DOMAIN-NAME DISPUTE-RESOLUTION POLICY) ON HOMOGRAPHS/ HOMOGLYPHS

While certainly not as prevalent as ‘traditional’ typosquatting, domain names which comprise of such characters have indeed come up before UDRP panels. UDRP panels in the below cases tackled this issue and held in favour of the Complainants:

S.No. Trade Mark Domain Name Case No. Our Comments
1. BLOOMBERG XN–BLOOMBEG-M0D.COM

 

(bloombeɾg.com)

Claim Number: FA1808001802017

 

Forum (NAF)

The alphabet “r” in the word Bloomberg was replaced by “ɾ”.
2. MILWAUKEE rnilwaukeetool.com FA2103001935361

 

Forum (NAF)

The alphabet “m

in the word Milwaukee was replaced by “rn”, i.e. r and n.

3. GROUPON xn--roupon-h0c.com

 

(ɡroupon.com)

D2020-2302

 

(WIPO)

The alphabet “g” in the word Groupon was replaced with the character “ɡ”.
4. WOLF, WOLF OIL CORPORATION

 

(website: wolfoil.com)

wolf0il.com D2016-1398

 

(WIPO)

The alphabet “o” in the name Wolfoil was replaced by the numeral “0”.

CONCLUSION

As illustrated above, there is a very real threat of being targeted by web-attacks which may originate from or be based upon domain names/websites which use homographs/homoglyphs to impersonate the original website and steal confidential personal, medical or financial information. As such, it is more important than ever to carefully watch what you read, when dealing with emails/websites/domain names/SMSs, etc. Hence, the old adage Customer Beware is more relevant than ever, especially in this day and age where terms like COVID, VACCINE, etc., have assumed far more importance and visibility than ever before.

From a IP rights-holder’s perspective, a good option for recovering such infringing domain names is by filing domain complaints – provided no active or hazardous fraud is being perpetuated by the domain name, as in those cases, a lawsuit (for interim injunction) or a complaint with the cyber cell would be a more comprehensive option.

[1] Definition of homograph, Merriam-Webster, https://www.merriam-webster.com/dictionary/homograph

[2] Definition of homograph, Oxford, https://www.oxfordreference.com/view/10.1093/oi/authority.20110803095943295

[3] Definition of ‘homoglyph’ on online dictionaries: http://dictionary.sensagent.com/Homoglyph/en-en/, https://www.yourdictionary.com/homoglyph, https://www.wordnik.com/words/homoglyph

Related Posts

TYPOSCAMS! PHISHING! TYPOSQUATTING in light of COVID-19 – Watch what you read!

Cyber Crime during Coronavirus Pandemic

 

For more information please contact us at : info@ssrana.com