A Unicode-based attack known as a homograph attack can falsify a domain name—all the way down to secure HTTPS. Since it can so convincingly mimic a legitimate domain, it isn’t just the average user at risk but also seasoned IT pros.
Brandon Vigliarolo writes, “Homograph attacks, which involve substituting Unicode with regular ASCII letters to fake a domain name, have been around since the early 2000s. Modern web browsers are built to detect homograph attacks, but software engineer Xudong Zheng figured out a way to beat the filters.
“The problem is a serious one, but thankfully is only a problem in Google Chrome, Firefox, and Opera. Want to know if you’re vulnerable? Head over to Zheng’s blog and check out his proof of concept link to a fake Apple domain.
“What you would see if you were protected would be the real domain name: https://www.xn—80ak6aa92e.com. Because it’s named with Unicode substitutions for a, p, l, and e it displays as a completely legitimate domain name—it’s even secured with HTTPS.
“Zheng discovered that when a domain is named with a set of Unicode letters from a single language (typically Russian) it bypasses the filters in Chrome, Firefox, and Opera.”