短.be

Homograph Attack

A phishing technique that uses visually similar Unicode characters to impersonate a legitimate domain. Extremely difficult to detect by eye.

Dec 9, 2025 · About 1 min read

Security

A homograph attack (also called an IDN homograph attack) exploits visually identical or near-identical Unicode characters to forge a domain name that looks like a legitimate one. For example, the Latin letter "a" (U+0061) and the Cyrillic letter "a" (U+0430) are indistinguishable to the human eye but are treated as different characters by computers.

A concrete example: replacing the Latin "a" in "apple.com" with a Cyrillic "a" produces a domain that looks identical but resolves to a completely different server. In 2017, security researcher Xudong Zheng demonstrated this technique and drew widespread attention.

Internationalized Domain Names (IDN) make this attack possible. IDN allows non-ASCII characters (Japanese, Arabic, etc.) in domain names by converting them internally to Punycode (strings starting with xn--). Browsers display the Unicode form in the address bar, making spoofed domains hard to spot.

Shortened URLs face a double risk from homograph attacks. First, the short URL service's own domain could be spoofed with homograph characters. Second, the redirect destination registered in a short URL could be a homograph phishing site. URL shortening services should convert registered domains to Punycode and check them against known phishing domain databases.

Major browsers have implemented defenses. Chrome and Firefox switch to Punycode display when a domain label mixes characters from different scripts, alerting users to a potentially suspicious domain.
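As an added example (not code from 短.be), the following Python implements the two checks described above for a redirect target: conversion to Punycode using the standard library's idna codec, and a simplified mixed-script test modelled on the browser rule. The script grouping, the neutral character set and the allowed Japanese mix are assumptions of this example, not the browsers' exact policy.

```python
import unicodedata

# Characters that belong to no script and may appear in any label
# (digits, hyphen). Simplified stand-in for Unicode's "Common" script.
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}
# Script groups treated as a legitimate mix (assumption of this example):
# Japanese writing combines Han, Hiragana and Katakana, often with Latin.
ALLOWED_MIXES = [{"LATIN", "CJK", "HIRAGANA", "KATAKANA"}]


def scripts_in_label(label: str) -> set:
    """Scripts used in one label, e.g. {'LATIN', 'CYRILLIC'}.
    The first word of the Unicode character name is a cheap script proxy."""
    scripts = set()
    for ch in label:
        try:
            first_word = unicodedata.name(ch).split()[0]
        except ValueError:
            first_word = "UNKNOWN"  # unnamed code point: its own "script"
        if first_word not in NEUTRAL:
            scripts.add(first_word)
    return scripts


def is_mixed_script(label: str) -> bool:
    """True when a label mixes scripts a browser would not display as Unicode."""
    scripts = scripts_in_label(label)
    if len(scripts) <= 1:
        return False
    return not any(scripts <= allowed for allowed in ALLOWED_MIXES)


def to_punycode(domain: str) -> str:
    """Unicode domain -> ASCII (xn--) form; plain ASCII labels pass through."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Decode xn-- labels back to Unicode so the characters can be inspected."""
    return domain.encode("ascii").decode("idna")


def check_domain(domain: str) -> dict:
    """Inspect a registered redirect target, given in Unicode or xn-- form."""
    unicode_form = from_punycode(domain) if domain.isascii() else domain
    ascii_form = to_punycode(unicode_form)
    return {
        "ascii": ascii_form,
        "is_idn": any(l.startswith("xn--") for l in ascii_form.split(".")),
        "mixed_script_labels": [l for l in unicode_form.split(".")
                                if is_mixed_script(l)],
    }
```

Note that a label written entirely in one script, such as the all-Cyrillic lookalike from the 2017 demonstration, passes the mixed-script test; that is why the similarity check against known brand domains mentioned in the FAQ is still needed.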


FAQ

How can I spot a homograph attack?
Visual detection is extremely difficult. Check the browser address bar for Punycode (strings starting with xn--), which signals a potentially spoofed domain. You can also paste the URL into a text editor and inspect the character codes.
Can Japanese domains be used in homograph attacks?
Yes. Some Japanese kanji and Chinese hanzi look identical but have different Unicode code points, making them exploitable. Browser defenses have improved but are not foolproof.
Can URL shortening services detect homograph attacks?
Advanced services convert registered domains to Punycode and check similarity against known brand domains. However, detecting every possible homograph is technically challenging, so user vigilance remains important.
