The ABCs of Anti-Phishing and Web Access Protection

Next story
Patrik Sučanský, ESET Senior Software Engineer

Homoglyph attacks: high-value targets are protected by ESET

The Cypriot security watchdog, CSIRT, warns about a fake PayPal site that spreads the Nemty ransomware using a so-called homoglyph attack.

Homoglyph attacks rely on replacing characters in addresses with ones that look similar – or even optically identical – but are actually different, as they belong to different alphabets. These attacks are extremely dangerous for users, as they have only a limited chance of detecting the trap.

Fortunately, ESET users are safe here. We have a set of predefined high-value targets – notably banks, financial institutions and payment platforms, prominent email services, and reputable media – which we protect against homoglyph attacks. We check all the letters in their URLs against a table of similar letters from any other alphabet and warn the user if we detect any attempt for deceiving. This security layer is part of the Anti-Phishing (and Web Access) layer in ESET’s business and consumer products.

In the mentioned attack on PayPal users, the address contained the “correct” letters taken from the Latin alphabet – with two exceptions. The attackers replaced both instances of the letter P with a “P” look-alike letter, but from a different alphabet. This “P” look-alike letter was taken from the Russian alphabet, where it is equivalent to the letter R. With this kind of swap, users have absolutely no chance to see any difference and are therefore dependent on protective technologies


Recently, we’ve also detected another homoglyph attack on users of the PayPal service. Instead of the first “a” in the well-known web address, the similarly looking “ạ” taken from the alphabet called “Latin Extended Additional” was used. This domain has also been classified as malicious.

How widespread is this threat?
The domain our users most often see impersonated using homoglyphs is, by far, apple.com. This is particularly interesting, since all the letters have been replaced with their non-Latin look-alikes. However, due to the nature of the “homoglyphed” domain, it is clear that this case is purely educational in nature.

Not counting apple.com, the most homoglyph-attacked domains belong to financial institutions. Of interest is that for the first time, a website of a cryptocurrency exchange and wallet has appeared. In this case, some users of the binance.com service have been served a modified address, with the Latin letter “n” replaced with the letter “ṇ” named “Latin Small Letter N with dot below” from the “Latin extended additional” alphabet.

With as many manipulations possible as there are letters and various alphabet systems with at least visible similarities, users need the protection provided by multilayered cybersecurity technology.