What is a Homograph Attack?
A homograph attack registers a domain that looks identical to a legitimate one by substituting characters from other alphabets that share the same shape. Powered by internationalized domain names, these spoofs can be visually indistinguishable from the real thing, making them a potent and hard-to-spot tool for phishing and impersonation.
What is a homograph attack?
A homograph attack — often called an IDN homograph attack — is the registration of a domain that looks identical to a legitimate one by swapping in characters from other alphabets that share the same shape as Latin letters. Where a typo-based lookalike relies on a misspelling you might notice, a homograph can render as a pixel-for-pixel copy of the real name, which is what makes it so dangerous.
How a homograph attack works
The attack is built on internationalized domain names (IDN), the system that lets domains contain non-Latin scripts such as Cyrillic, Greek, or various accented characters:
- Many characters across scripts are visually identical — Cyrillic small а (U+0430) and Latin a (U+0061) are the classic pair, and Cyrillic е, о, р, с and х, or Greek ο, have Latin twins too.
- An attacker registers a domain that substitutes one or more of these lookalikes for the Latin letters in a real brand name.
- On the wire the name is stored as Punycode, an ASCII encoding in which each non-ASCII label is rewritten with the prefix xn--, so the two domains are different strings and resolve to different registrations.
- If software displays the decoded Unicode form rather than the Punycode, the spoofed name appears the same as the genuine one to the user.
Examples
A frequently cited proof of concept registered a version of a well-known brand in which every Latin letter was replaced by an identical-looking Cyrillic character. The address bar showed what appeared to be the real domain, yet it resolved to an entirely different registration whose true Punycode form looked nothing like the original.
Mixed-script names are another variant, where only one or two characters are swapped — easy to overlook because the rest of the name is genuine Latin text. In every case the underlying Punycode is distinct, which is the thread defenders pull on.
How to defend against homograph attacks
- Use browsers that reveal Punycode — modern browsers fall back to the raw xn-- form when a label mixes scripts in a suspicious way, so the spoof becomes obvious. Check the policy rather than assuming it, though: a name written entirely in one non-Latin script, like the all-Cyrillic proof of concept above, does not trip a mixed-script rule and depends on the browser's confusable-detection heuristics, which vary between browsers and versions.
- Lean on registry policies — many registries restrict which scripts can be combined in a single label, shrinking the pool of usable lookalikes.
- Register defensively — claim internationalized variants of your brand where it makes sense, just as you would with typo variants.
- Monitor for lookalikes — similar domain detection watches for newly registered domains that resemble yours, including IDN homographs, so you can investigate and act early.
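The mechanics described under "How a homograph attack works" and the lookalike monitoring recommended above can be put together in a few dozen lines of Python. The following is an added example, not code from the original page or from any product it describes: it converts candidate names to their Punycode wire form with the standard library, checks each label for mixed scripts, and collapses visually confusable characters to a "skeleton" so that a spoof can be matched against a brand name. The brand `apple.com`, the candidate strings, the hand-built `CONFUSABLES` table (a tiny subset of the Unicode confusables data) and the script-detection trick of reading the first word of each character's Unicode name are all assumptions made for this demo.

```python
import unicodedata

# Constructed sample brand for the demo (assumption, not taken from the page).
BRAND = "apple.com"

# Hand-built confusables map: a small subset of the Unicode confusables data,
# enough to show the technique. Non-Latin character -> Latin look-alike.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Scripts we recognise by the first word of the Unicode character name.
# Simplification of the Unicode Script property, good enough for a demo.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")


def to_ascii(domain: str) -> str:
    """Wire form: each non-ASCII label becomes xn--<punycode> (IDNA via stdlib)."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Display form, i.e. what a browser shows if it does not fall back to Punycode."""
    return domain.encode("ascii").decode("idna")


def scripts(label: str) -> set:
    """Scripts present in one label. Digits and hyphens carry no script."""
    found = set()
    for ch in label:
        first = unicodedata.name(ch, "").split(" ", 1)[0]
        if first in SCRIPTS:
            found.add(first)
    return found


def is_mixed_script(label: str) -> bool:
    """The check browsers and registries apply: more than one script in a label."""
    return len(scripts(label)) > 1


def skeleton(domain: str) -> str:
    """Collapse confusable characters so visually identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def analyse(candidate: str, brand: str = BRAND) -> dict:
    """Everything a monitor would want to know about one newly seen name."""
    labels = candidate.split(".")
    return {
        "unicode": candidate,
        "punycode": to_ascii(candidate),
        "exact_match": candidate == brand,
        "mixed_script": any(is_mixed_script(lbl) for lbl in labels),
        # A lookalike renders like the brand but is a different registration.
        "lookalike": candidate != brand and skeleton(candidate) == skeleton(brand),
    }


def find_lookalikes(candidates, brand: str = BRAND):
    """Filter a feed of new registrations down to homographs of the brand."""
    return [(c, to_ascii(c)) for c in candidates if analyse(c, brand)["lookalike"]]


if __name__ == "__main__":
    # Constructed feed: the real name, a one-character Cyrillic swap, an
    # all-Cyrillic spelling, and an ordinary typo for contrast.
    feed = ["apple.com", "\u0430pple.com", "\u0430\u0440\u0440\u04cf\u0435.com", "appel.com"]
    for name in feed:
        r = analyse(name)
        print(f"{r['unicode']:<12} {r['punycode']:<20} "
              f"mixed={r['mixed_script']!s:<5} lookalike={r['lookalike']}")
```

Two things stand out when the script runs. The one-character swap is caught by the mixed-script rule and by the skeleton comparison, but the all-Cyrillic spelling has only one script per label and passes the mixed-script check; only the skeleton comparison flags it, which is why monitoring should not rely on the mixed-script heuristic alone. In either case the Punycode column shows a string that looks nothing like the brand, the "thread defenders pull on" mentioned under Examples. For production use, replace the toy `CONFUSABLES` table with the full Unicode confusables data.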
How it relates to typosquatting
Homograph attacks and typosquatting share the same goal — a domain that fools users into trusting an impostor — but differ in method. Typosquatting exploits human mistakes by registering plausible misspellings, while a homograph attack exploits the visual ambiguity of Unicode to produce a name that is not misspelled at all but simply not what it appears to be. Both are best countered by anticipating likely variants and monitoring continuously for new registrations.