It's Not What It Looks Like: Measuring Attacks and Defensive Registrations of Homograph Domains

  • Florian Quinkert, Tobias Lauinger, William Robertson, Engin Kirda, Thorsten Holz
  • Proceedings of the IEEE Conference on Communications and Network Security (CNS)
  • PDF
Abstract.

International Domain Names (IDNs) may contain Unicode in addition to ASCII characters. This enables attackers to replace one or more characters of a well-known domain with visually similar Unicode characters to create new, look-alike domains. These so-called homograph domains are attractive for malicious activities such as phishing or scams because they may appear legitimate to potential victims.

In this paper, we propose two measurement setups to detect homograph domains and monitor their activity. Over eight months, we detected almost 3,000 homograph domains targeting technology companies as well as financial institutions. To understand this phenomenon in more detail, we monitored the activity of these domains daily for more than five months and identified multiple instances of scamming and phishing, with some campaigns being active for several months. We also detected previously undiscovered domains used for a widespread scam in which attackers promise free shoes and other goods. In many cases, these domains were not detected by classical detection approaches such as VirusTotal or Google SafeBrowsing, or reported only with a delay of several days or weeks compared to our approach. While we did observe defensive registrations of homograph domains by domain owners, we found that they were very limited in scope and did not cover all possible look-alike character replacements. To that end, we conclude our paper with recommendations for domain owners.
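The character-substitution detection the abstract describes, as an added illustration that is not code from the paper or its authors: a candidate registration (Unicode or Punycode `xn--` form) is collapsed to an ASCII "skeleton" and compared against a watch list of protected domains. The confusables table is a small constructed subset (a real monitor would load the full Unicode confusables data), the function names are hypothetical, and a two-label registrable domain is assumed.

```python
import unicodedata

# Constructed subset of Unicode confusable mappings (assumption: a real
# deployment would load the full Unicode confusables.txt instead).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u04cf": "l", "\u03bf": "o", "\u0131": "i",                 # palochka, omicron, dotless i
}


def decode_label(label):
    """Turn an 'xn--' Punycode label into Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label):
    """Collapse a label to its ASCII look-alike form: strip accents, then
    replace each confusable character with the ASCII letter it resembles."""
    chars = []
    for ch in unicodedata.normalize("NFKD", decode_label(label)):
        if unicodedata.combining(ch):
            continue  # drops the accent of e.g. 'é' so it reads as 'e'
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)


def check_homograph(domain, watchlist):
    """Return a report if `domain` is an IDN homograph of a watch-listed domain.

    `watchlist` holds ASCII registrable domains, e.g. {"apple.com"}.  The
    report names the imitated target, the decoded name and every non-ASCII
    character that was swapped in, which is what a takedown ticket needs.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]  # assumes a two-label registrable domain
    decoded = decode_label(name)
    if decoded.isascii():
        return None  # plain ASCII registration: not an IDN homograph
    target = skeleton(name) + "." + tld
    if target not in watchlist:
        return None
    swapped = [(ch, unicodedata.name(ch, "?")) for ch in decoded if not ch.isascii()]
    return {"target": target, "decoded": decoded + "." + tld, "swapped": swapped}
```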