URLs that are not part of a clickable link are also used for spoofing attacks. Here, attackers often exploit the similarity of various letters to fool their victims. Known as homographic attacks, they can be difficult to detect in certain circumstances.
In simple cases, the attacker may use a URL or domain with letters which – when combined – look like another letter. Here are a couple of examples:
- Email from “support@lacebook.com”: A lower-case “l” is used instead of the lower-case “f”.
- Link with destination “https://secure.arnazon.com”: The letter combination “rn” looks like the letter “m.” The “secure” subdomain and “https” divert the user’s attention and distract them from the spoofed domain.
The success of the deception is strongly determined by the font used. If the email content sufficiently gets the recipient worked up, however, such a minor detail can often be overlooked.
Another form of homographic attack can be harder to uncover: the internationalized domain name (IDN). With this variant, the attacker sends a URL that contains letters from a different alphabet. If a letter is visually similar to a Latin letter, the illusion can be very convincing. Attackers exploit the way browsers render Punycode, the ASCII encoding used for such domains. For example, the URL may contain not a Latin “a” but its Cyrillic counterpart; the two letters are confusingly similar. Some browsers do not display such non-Latin URLs in their Punycode form, so the user is unaware that they have opened a fraudulent website.
To prevent homographic attacks, you should ensure that your browser always displays domains with non-Latin letters as Punycode. Moreover, you should never click on security-relevant URLs – like your online banking homepage – but save them as bookmarks.
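The two checks described above (the “rn”/“m” style lookalikes and the Cyrillic-for-Latin IDN trick) as an added example, not code from the original article: it converts a host to its Punycode form, flags labels that mix scripts, and compares a lookalike “skeleton” of the host against a user’s bookmarked domains. The confusables table is a small constructed sample, not a complete list.

```python
import unicodedata

# Constructed sample of confusables for this example (not an exhaustive table):
# the ASCII pairs the article mentions plus a few Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
}

def to_punycode(host: str) -> str:
    """ASCII (xn--) form of a host, label by label, via Python's built-in idna codec."""
    return host.lower().encode("idna").decode("ascii")

def scripts_of(label: str) -> set[str]:
    """Scripts used by the letters of one label, taken from the Unicode character names."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN")
            scripts.add(name.split(" ")[0])  # e.g. "LATIN", "CYRILLIC"
    return scripts

def is_mixed_script(host: str) -> bool:
    """True if any label mixes scripts (e.g. one Cyrillic letter among Latin ones)."""
    return any(len(scripts_of(label)) > 1 for label in host.split("."))

def skeleton(host: str) -> str:
    """Collapse known lookalike sequences so visually similar names compare equal."""
    s = host.lower()
    for seq, repl in CONFUSABLES.items():
        s = s.replace(seq, repl)
    return s

def lookalikes(host: str, trusted: set[str]) -> list[str]:
    """Trusted (bookmarked) domains that `host` imitates without actually being one of them."""
    host = host.lower()
    skel = skeleton(host)
    hits = []
    for t in trusted:
        t = t.lower()
        genuine = host == t or host.endswith("." + t)
        imitates = skel == skeleton(t) or skel.endswith("." + skeleton(t))
        if imitates and not genuine:
            hits.append(t)
    return sorted(hits)

def assess(host: str, trusted: set[str]) -> dict:
    """Summary a mail or browser plug-in could show before the user follows the link."""
    return {"punycode": to_punycode(host), "mixed_script": is_mixed_script(host),
            "lookalike_of": lookalikes(host, trusted)}

if __name__ == "__main__":
    for h in ("\u0430pple.com", "secure.arnazon.com", "www.amazon.com"):
        print(h, assess(h, {"apple.com", "amazon.com"}))
```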
If you find yourself on a website of questionable authenticity, take the following steps:
- Check whether the site was opened via HTTPS encryption: Most modern websites support HTTPS encryption. Nowadays, every webpage that obtains data from you – e.g. a password or a form – should always and only be loaded via HTTPS. If this isn’t the case, there is a heightened risk that the website is a fake.
- Check the SSL certificate: If the website was loaded via HTTPS encryption, you can view the SSL certificate of the server. Make sure that the certificate refers to the organization allegedly behind the website. If it doesn’t, you may have ended up on a falsified website.
- If your doubts seem substantiated, close the browser window.
Digital access is a serious matter. Once confidential data is stolen, it can often be difficult to limit the damage. So, it’s better to be overcautious than careless.