Serangan homograf IDN

What is an IDN Homograph Attack?

An IDN homograph attack is a phishing technique that exploits the Internationalized Domain Names in Applications (IDNA) standard to register domain names that look visually identical to legitimate domains but are composed of different Unicode characters. The attack was formally described by Evgeniy Gabrilovich and Alex Gontmakher in a 2002 paper, though the vulnerability had been anticipated when the IDN standard was being developed.

The term combines two concepts: IDN (Internationalized Domain Names, which allow non-ASCII characters in domain names) and homograph (a word that looks like another word but has different meaning — here applied to individual characters).

How IDNA Works

The Domain Name System (DNS) was designed for ASCII characters only. IDNA extends this by encoding non-ASCII domain names as ASCII-compatible encoding (ACE) using Punycode. For example:

• The domain münchen.de is stored in DNS as xn--mnchen-3ya.de
• The domain 中文.com is stored as xn--fiq228c.com

This allows speakers of all languages to register domains in their native scripts. Unfortunately, it also enables attackers to register domains that, when rendered as Unicode, are visually indistinguishable from existing domains.

Attack Mechanics

Consider the following real-world demonstration from 2017:

Security researcher Xudong Zheng registered аррlе.com — a domain where all five characters are Cyrillic lookalikes for the Latin letters a, p, p, l, e. The Punycode form is xn--80ak6aa92e.com. When Chrome and Firefox rendered this domain in their address bars (before the patch), users saw apple.com — indistinguishable from the genuine Apple website.

The attack succeeds because:

1. IDNA2008 (the current standard) does not prohibit mixing visually similar characters across scripts
2. Browsers historically displayed the Unicode form of domain names, not Punycode
3. TLS certificates can be issued for IDN domains, so the padlock icon provides false assurance

Real-World Examples

• 2005: The first documented IDN phishing attempts targeting PayPal and eBay
• 2017: Xudong Zheng's xn--80ak6aa92e.com demonstration forced Chrome and Firefox to update their rendering policies
• Ongoing: Security researchers regularly discover registered IDN lookalikes for banking, social media, and government domains

Browser Defenses

Browsers apply various heuristics to decide whether to display a domain as Unicode or Punycode:

• Firefox: Displays Punycode for any domain containing characters from multiple scripts unless the domain's TLD operator has whitelisted it
• Chrome: Uses a script-mixing heuristic combined with a block-list of known confusable patterns
• Safari: Converts to Punycode for mixed-script domains

These heuristics are not foolproof. Single-script attacks (all Cyrillic lookalikes) may still render as Unicode in some browsers.

Registrar Defenses

Some domain registrars and TLD operators implement IDNA-aware screening:

• Prohibiting registration of domains that are confusable with existing popular domains
• Restricting IDN registrations to a single script per label
• Requiring additional verification for IDN registrations

The .com and .net TLDs managed by Verisign apply mixed-script restrictions. However, enforcement varies widely across registrars and TLDs.

Quick Facts