Dangerous Website Links: Homoglyph Attacks

You’re on a website and they offer a link to bring you to another page. Easy, right? Click and go. Or someone sends you a funny text message and there’s a link to view what they sent you. Neat! Heck, you might have even used a link to get to this post. But did you know a link to another website could say one thing, but take you to a more dangerous location? For this educational post, I want to take a moment to explain an attack that has been around for some time. But first, a little bit of background.

This link here takes you to Google but it says something else – “here”. It is blue, underlined and redirects you somewhere else. You can bring your mouse over it to see where it takes you (bottom left of your browser). When a link is generated, like the links I can make on these posts, I can make the link say whatever I want and then set the actual web address to anything else. For example, a link that says www.cnn.com could actually take you to Google. Where it takes you is the important part, not so much what the link itself says in the paragraph. Knowing the actual web address you will be directed to ensures you’re informed and going there intentionally. But, unknown to many, even that web address you think you are going to could be a fake.

The homoglyph attack.

Alright, you get a link and hover over the link to see where it takes you, and you see the below.

I know, I know. You probably wouldn’t go there. At least I hope not! The point is that the web address you see blatantly looks malicious. It would be difficult to fool people with something that clearly looks bad. If you had a link like the above that just said “here” or www.google.com but was clearly directed to the “willhackyou.com” address, which you checked by hovering your mouse over it, it would be easier to avoid. Remember, any time you get a link sent to you, never trust the words in the link. Always hover over the link to see where it actually goes. But even that mechanism to see where the link sends you might not work.

For example, if you had a link that said https://www.bankofamerica.com and you hover over it and it shows the below address, would you trust it?

Seems legit, right? Unfortunately, no, and this location would be extremely dangerous to visit. Hackers and individuals hoping to take advantage of someone have to use techniques to trick users. The above is an example of a homoglyph attack. Let’s break down what that is and how you can protect yourself.

What is a homoglyph attack?

This attack type gets its name from homoglyphs. A homoglyph is a glyph or character that looks similar to another but has a different meaning or origin. In the Bank of America example above, the homoglyph is the last letter ‘a’ in the web address itself. That letter ‘a’ is not the same as the Latin letter ‘a’ we use in English, but is actually part of Cyrillic, the alphabet used for Russian, Ukrainian and other Slavic languages. If you look very closely, it doesn’t look quite the same as the other letters. Let’s put them side by side.

a vs. ɑ

Notice the very subtle difference? This is very intentional because the hope is that you will be in a hurry or not look too closely, and click the link that was sent to you. Then, when you visit, if the attackers made a copy of the real site location, you’re not entering your username and password at the real Bank of America site but entering it into a fake.

Browsing the Internet is a constant effort to ensure you are going where YOU want to go, and not where someone wants to send you. Hackers and malicious actors want to pull you away from legitimate websites and send you to locations they own, where they have control over the content. That content is then served to look like somewhere legit, or to run malicious activities against you. Homoglyph attacks are the next level up from simply trying to send you a link that says it goes to www.google.com but goes elsewhere. They take that effort one step further by actually registering a domain (the .com, .net, etc. address you see) that looks extremely close to where you are trying to go, and using that to trick you.

Some mitigations to consider.

All is not lost. Even with the above, there are ways to check and verify things. First, the basics. Before clicking on any link or going to any website, it’s important to first off trust who is sending it to you. Do you know who they are in person? Or, did you just meet them online? In many cases, someone wanting to push you toward a dangerous link or website will make it time sensitive. “You need to click this now.” Or maybe, “Hurry and click the link to make $500 before the time expires! Limited offer!” Any time there is a time constraint, be cautious of what you are being sent and where they want you to go.

Next is to hover over the link and see where it is directing you. Just because the link says it is directing you to, say, www.citibank.com doesn’t mean that is where the actual link is going. Carefully check the address and each of the letters.
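Checking each letter by eye is exactly what a homoglyph is designed to defeat, so here is a small script that does it for you on a copied link without visiting it. This is an example added for illustration, not code from the original post: the names `inspect_link` and `script_of` are made up here, the two sample addresses are constructed, and guessing the alphabet from the first word of a character's Unicode name is a simple heuristic.

```python
import unicodedata
from urllib.parse import urlsplit


def script_of(ch):
    """Heuristic script label: first word of the Unicode name (LATIN, CYRILLIC, GREEK...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_link(url):
    """Report what a copied link's hostname is really made of, without visiting it."""
    host = urlsplit(url).hostname or ""
    # Every character outside plain ASCII, with its code point and official name.
    non_ascii = [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                 for c in host if not c.isascii()]
    # Letters from more than one alphabet inside one hostname are a strong warning sign.
    scripts = sorted({script_of(c) for c in host if c.isalpha()})
    # The ASCII ("punycode") form is what DNS actually looks up; lookalikes show as xn--.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None  # not encodable as a valid internationalized name
    return {
        "host": host,
        "ascii_host": ascii_host,
        "non_ascii": non_ascii,
        "scripts": scripts,
        # Non-ASCII alone is not proof of fraud (real international domains exist),
        # but for a site you know by a plain English name it deserves a second look.
        "suspicious": bool(non_ascii) or len(scripts) > 1,
    }


if __name__ == "__main__":
    # Constructed samples: the second hostname ends in Cyrillic U+0430, written as an escape.
    samples = [
        "https://www.bankofamerica.com/login",
        "https://www.bankofameric\u0430.com/login",
    ]
    for url in samples:
        report = inspect_link(url)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{verdict:10} {report['ascii_host']}  scripts={report['scripts']}")
        for code_point, name in report["non_ascii"]:
            print(f"           contains {code_point} {name}")
```

The `xn--` form printed for the lookalike is the plain-ASCII name that actually gets looked up, which makes the difference obvious even when the two addresses look identical on screen.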

Further from the above, you can ensure the domain is actually valid by checking it against a registrar. What this means is that you are officially looking up the domain to see if it returns somewhere valid if you’re still not sure. One location you can do this is https://www.whois.com/whois/ which provides a free lookup. In order to do this, you would right-click the link and copy the address, and then paste that address into the Search field on Whois. Do not paste the address into your web browser to check it.

Searching for the real Bank of America provides this:

If you look up the fake homoglyph version however, you get back this response as of the time of this writing:

The domain should not be available if it is the real Bank of America. The above also shows the last ‘a’ being different than the others a little more clearly.

Final thoughts.

Hopefully the above information made you a little more educated when it comes to links on the Internet. Ensure you verify who sent you the link and where it goes, and if you are still suspicious, toss the web address into a lookup like Whois and see if the entry makes sense. For a lot of places I go regularly, I will directly type that address into my browser and then bookmark it to go there in the future. Instead of using links, I then just use the bookmark. Alternatively, if you get a link, type the actual address into your browser yourself instead of relying on the link. That way you can ensure you are going where you intend to go.

Happy surfing!