Unicode Spoofing
Using Unicode features to deceive users: homoglyphs for fake domains, bidi overrides for fake file extensions, or invisible characters for hidden text.
What is Unicode Spoofing?
Unicode spoofing is a class of cyberattack that exploits the visual similarity between Unicode characters to deceive users, systems, or automated tools. Rather than hacking servers or stealing credentials directly, Unicode spoofing attacks manipulate human perception — making something malicious appear legitimate by substituting visually identical characters from different Unicode code points.
The attack is possible because Unicode encodes over 149,000 characters from more than 150 scripts, and many characters across those scripts look identical or nearly identical when rendered on screen. A Latin a, a Cyrillic а, and a Greek α are three different code points, but most fonts render them identically.
How Unicode Spoofing Works
The general pattern involves three steps:
- Identify a target string — a domain name, username, file name, or code identifier that the attacker wants to impersonate
- Substitute lookalike characters — replace one or more characters with visually identical Unicode equivalents from a different script or block
- Deploy the spoofed string — register the domain, create the account, commit the file, or send the message
To a human reader — and to many software systems that do not perform script analysis — the spoofed string appears identical to the original.
Common Attack Scenarios
Phishing via IDN homograph attack
An attacker registers аpple.com where а is Cyrillic (U+0430) instead of Latin (U+0061). The domain resolves to a phishing server. Users who click a link to this domain see what looks like apple.com in the address bar, especially in older browsers or email clients that do not display Punycode.
Username impersonation
On platforms that allow Unicode usernames, an attacker creates @elоn with a Cyrillic о (U+043E). Followers of the real @elon may be deceived into interacting with the fake account, especially in notifications or @mentions.
Source code backdoors
A malicious contributor submits code containing a function def verify_раssword(...) where р and а are Cyrillic. The function appears to be verify_password in code review. The real verify_password function is never called in certain paths, allowing authentication bypass.
File name spoofing
A malicious file named report_finalе.pdf uses a Cyrillic е (U+0435) at the end. File managers display it identically to report_finale.pdf. Combined with bidirectional override characters, the displayed filename can be made to look entirely different from the actual filename.
Mitigation Techniques
At the browser level: Modern browsers convert internationalized domain names containing mixed scripts to Punycode display (e.g., xn--pple-43d.com) to alert users to potential spoofing.
At the platform level: Social platforms can normalize usernames by mapping confusable characters to a canonical form, then preventing registration of two usernames that normalize identically.
At the application level: Developers can apply Unicode TR39 confusables checks to any identifier or string that will be displayed to users alongside other identifiers.
At the code review level: Security-aware editors and static analysis tools can flag source files that contain characters outside the expected ASCII or script range.
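As an added example (not code from the original page), the application-level and code-review checks above can be combined into one small Python screener: it approximates each letter's script from its Unicode character name (Python's `unicodedata` exposes no Script property), lists invisible format characters such as bidi overrides, and compares TR39-style skeletons using a constructed Cyrillic-only subset of the confusables table. It also flags a label written entirely in an unexpected script, which goes slightly beyond the mixed-script case the text describes.

```python
import unicodedata
from dataclasses import dataclass

# Constructed subset of the Unicode TR39 confusables table (Cyrillic -> Latin only).
# A real deployment loads the full confusables.txt from unicode.org instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# Scripts this check knows how to name; every other letter is treated as COMMON.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")

def script_of(ch: str) -> str:
    """Approximate the Unicode Script property from the character name,
    since Python's unicodedata does not expose Script directly."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in SCRIPTS else "COMMON"

def skeleton(s: str) -> str:
    """TR39-style skeleton: NFD, map confusables to their prototype, NFD again."""
    nfd = unicodedata.normalize("NFD", s)
    mapped = "".join(CONFUSABLES.get(c, c) for c in nfd)
    return unicodedata.normalize("NFD", mapped)

@dataclass
class Finding:
    scripts: set            # scripts seen among the letters
    format_chars: list      # (index, code point) of Cf characters: bidi overrides, ZWJ, ...
    looks_like: str         # skeleton a reader would perceive

def analyse(s: str) -> Finding:
    scripts = {script_of(c) for c in s if c.isalpha()}
    fmt = [(i, f"U+{ord(c):04X}") for i, c in enumerate(s)
           if unicodedata.category(c) == "Cf"]
    return Finding(scripts, fmt, skeleton(s))

def is_suspicious(s: str, expected_script: str = "LATIN") -> bool:
    """Flag mixed scripts, a script other than the expected one, or invisible format chars."""
    f = analyse(s)
    letters = f.scripts - {"COMMON"}
    return len(letters) > 1 or bool(letters - {expected_script}) or bool(f.format_chars)

def confusable_with(candidate: str, known: str) -> bool:
    """True when candidate differs from known but renders indistinguishably from it."""
    return candidate != known and skeleton(candidate) == skeleton(known)
```

Run against the page's own samples (Cyrillic `а` in `аpple.com`, `verify_раssword`, a filename carrying U+202E) the screener reports the mixed script, the confusable match against the genuine name, and the position of the override character.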
Quick Facts
| Property | Value |
|---|---|
| Root cause | Visual equivalence across Unicode scripts |
| Key enabling standard | Unicode TR39 confusables dataset |
| Primary attack surfaces | Domain names, usernames, source code, filenames |
| Technical name for domain variant | IDN homograph attack |
| Browser defense | Punycode fallback rendering |
| Source code defense | Linters, Unicode character set whitelisting |
| Year of notable browser fix | 2005 (Firefox added Punycode fallback) |