Homograph Attacks: Invisible Characters Fooling Your Customers

Understand how attackers use lookalike characters to create fake Shopify domains that are nearly impossible to detect.


What are Homograph Attacks?

Homograph attacks exploit characters from other alphabets that render identically, or nearly so, to standard Latin letters. The Cyrillic “а” (U+0430) is indistinguishable from the Latin “a” (U+0061) in most fonts, yet to a registry, a browser and DNS it is a completely different character. An attacker can register аpple.com (with Cyrillic а) instead of apple.com (with Latin a), and most people can’t tell the difference.

How Lookalike Characters Work

Cyrillic Confusion

Many lowercase Cyrillic letters are visually identical to Latin letters in common fonts:

  • а (Cyrillic, U+0430) vs a (Latin)
  • е (Cyrillic, U+0435) vs e (Latin)
  • о (Cyrillic, U+043E) vs o (Latin)
  • р (Cyrillic, U+0440) vs p (Latin)
  • с (Cyrillic, U+0441) vs c (Latin)
  • х, у, і, ј, ѕ (Cyrillic) vs x, y, i, j, s (Latin)

Unicode Variations

Unicode contains many other characters that resemble Latin letters:

  • Fullwidth and other compatibility forms, such as ａ (U+FF41); IDNA normalization folds these back to ASCII, so they matter in link text and email bodies rather than as separately registrable domains
  • Letters carrying combining marks, or invisible joining characters; IDNA 2008 confines the invisible ones to a few script contexts, but a combining mark that yields a distinct letter is still a valid label character
  • Greek letters that match Latin ones, such as omicron ο (U+03BF) for o

Punycode Translation

Internationalized Domain Names (IDNs) use Punycode to encode non-ASCII labels as ASCII so that DNS can carry them. аpple.com (Cyrillic а) travels on the wire and sits in the registry as xn--pple-43d.com; the browser decodes it and, unless its IDN display policy objects, shows the Unicode form in the address bar, hiding the substitution. The xn-- prefix marks an encoded label and is the one thing a human can reliably look for.
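To see that mechanism end to end, here is a short Python example added for this page (it is not Recon’s code): it converts the display form to the xn-- wire form with Python’s built-in IDNA codec, converts it back, and lists the code point behind each character so the Cyrillic letter is named outright. The sample domain is the constructed аpple.com with Cyrillic а from the paragraph above.

```python
import unicodedata


def to_punycode(domain):
    """Display form -> the ASCII form carried in DNS, one label at a time.
    Python's built-in codec implements IDNA 2003; for the lowercase Cyrillic
    letters used in homograph attacks it gives the same answer as IDNA 2008."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain):
    """ASCII (xn--) form -> the Unicode form a browser would render."""
    return domain.encode("ascii").decode("idna")


def code_points(label):
    """(character, U+XXXX, Unicode name) for each character of a label, so a
    reviewer sees CYRILLIC SMALL LETTER A where they expected LATIN SMALL LETTER A."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")) for ch in label]


if __name__ == "__main__":
    fake = "\u0430pple.com"                  # constructed: apple.com with Cyrillic а
    wire = to_punycode(fake)
    print(f"{fake} -> {wire}")               # xn--pple-43d.com
    print(f"{wire} -> {from_punycode(wire)}")
    for ch, cp, name in code_points(fake.split(".")[0]):
        print(f"  {ch}  {cp}  {name}")
```

The second function is the one to reach for when a customer forwards a link: decode whatever they received and compare the result with your real domain character by character.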

Why These Are Especially Dangerous for E-commerce

Homograph attacks are particularly effective against Shopify merchants because:

  • Visual trust: Customers check the address bar for a padlock and a familiar name. A lookalike name passes that check, and the padlock proves nothing, because the attacker can obtain a valid TLS certificate for the lookalike domain.
  • Payment intent: E-commerce customers arrive ready to enter card details and shipping addresses.
  • Email links: A homograph URL in an email is virtually impossible to spot by eye; only inspecting the actual link target reveals it.
  • Mobile difficulty: Small screens and truncated address bars make character inspection even harder.

A customer might receive a phishing email with a link to yоurstore.com (Cyrillic о) and have no way to tell it’s not your real domain.

Real-World Examples

  • gооgle.com using Cyrillic о characters
  • аmazon.com with a Cyrillic а
  • applе.com with a Cyrillic е
  • Bank and payment processor domains using mixed scripts

Whether a browser shows such a domain in its Unicode form or as xn-- depends on its IDN display policy. An all-Cyrillic аррӏе.com (with palochka ӏ standing in for l) rendered as apple.com in several browsers in 2017, and that demonstration is what prompted Chrome to add a whole-script confusable check.

Detection Methods

Manual Inspection

Copy the URL from the address bar, or the link target from an email, and paste it into a plain text editor or terminal. Lookalikes often render differently once the font changes, and a pasted link target may show the xn-- form outright. For a definitive answer, run the name through an IDNA/Punycode converter: a label that comes back with an xn-- prefix, when your real domain is plain ASCII, is not yours.

Browser Protections

Modern browsers may:

  • Show Punycode instead of the display character
  • Display warnings for mixed-script domains
  • Block known homograph domains

However, browser protections aren’t comprehensive—attackers continuously find new approaches.

Domain Monitoring

Automated scanning of new registrations, zone-file feeds and certificate-transparency logs, comparing each name in its decoded form against your brand, catches homograph registrations that nobody would spot in a list of xn-- labels.
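Both checks in this section, the manual inspection and the brand watchlist, can be automated. The following Python is an example added for this page, not Recon’s code and not a description of how Recon works. CONFUSABLES is a hand-picked subset of Unicode’s confusables data, typed in here; real monitoring would load the full table. The brand domain, the reported links and the watchlist label are constructed.

```python
import itertools
import unicodedata

# Constructed subset of Unicode's confusables.txt: lookalike -> Latin letter it imitates.
# Cyrillic entries first, then Greek omicron and nu. Extend from the full table for real use.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u04cf": "l",
    "\u03bf": "o", "\u03bd": "v",
}

# Reverse map, used to generate the variants worth watching for a brand label.
LOOKALIKES = {}
for fake, real in CONFUSABLES.items():
    LOOKALIKES.setdefault(real, []).append(fake)


def to_unicode(domain):
    """Accept a domain in either form (display or xn--) and return the display form."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain  # already the Unicode display form


def skeleton(label):
    """Fold confusable characters onto the Latin letters they imitate. NFKC first,
    so fullwidth and other compatibility forms collapse to plain ASCII."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def classify(label):
    """'ascii' (no homograph possible), 'mixed-script' (Latin plus another script,
    which most browsers flag), or 'whole-script' (every letter from one non-Latin
    script, the case that slipped past mixed-script checks)."""
    if label.isascii():
        return "ascii"
    scripts = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}
    return "mixed-script" if len(scripts) > 1 else "whole-script"


def is_lookalike(candidate, brand):
    """True when candidate renders like brand but is a different registrable name."""
    cand = to_unicode(candidate).lower()
    real = to_unicode(brand).lower()
    return cand != real and skeleton(cand) == skeleton(real)


def homograph_variants(brand_label, max_subs=2):
    """Every variant of brand_label with up to max_subs letters swapped for lookalikes,
    mapped to the xn-- form a registry, zone file or certificate-transparency log
    will show. The count grows combinatorially, so keep max_subs small."""
    positions = [i for i, ch in enumerate(brand_label) if ch in LOOKALIKES]
    variants = {}
    for k in range(1, max_subs + 1):
        for idxs in itertools.combinations(positions, k):
            for repl in itertools.product(*(LOOKALIKES[brand_label[i]] for i in idxs)):
                chars = list(brand_label)
                for i, ch in zip(idxs, repl):
                    chars[i] = ch
                variant = "".join(chars)
                variants[variant] = variant.encode("idna").decode("ascii")
    return variants


if __name__ == "__main__":
    brand = "apple.com"                                                    # constructed
    reports = ["apple.com", "\u0430pple.com", "xn--pple-43d.com", "app1e.com"]  # constructed
    for r in reports:
        shown = to_unicode(r)
        print(f"{r:20} {classify(shown.split('.')[0]):13} lookalike={is_lookalike(r, brand)}")
    for v, wire in homograph_variants("yourstore", max_subs=1).items():
        print(f"watch: {v:12} {wire}")
```

Note what the last sample shows: app1e.com is a typosquat, not a homograph, and this check deliberately ignores it. The skeleton comparison answers one narrow question, whether two names collapse to the same Latin string, and a complete monitoring pipeline layers edit-distance and keyword checks on top.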

Browser Protections and Their Limits

Browsers have implemented various defenses:

  • Chrome: Shows Punycode when a label mixes scripts, or is a whole-script confusable of a Latin name
  • Firefox: Applies script-mixing restrictions rather than the per-TLD list it once used; the about:config setting network.IDN_show_punycode forces the xn-- form for every IDN
  • Safari: Uses its own heuristics to detect spoofing and falls back to Punycode when they trigger

But limitations exist:

  • Whole-script homographs (every letter drawn from one non-Latin script) pass a mixed-script check; browsers now add rules for the scripts they know are confusable with Latin, but coverage is uneven
  • Protections vary by browser and browser version, and the email and chat clients that render most phishing links apply few or none
  • New homograph techniques emerge regularly
  • Many users ignore or don’t notice warnings

How Recon Helps

Recon protects your Shopify store from homograph attacks by:

  • Scanning for domain registrations using lookalike characters
  • Monitoring Cyrillic and Unicode variants of your brand
  • Alerting you when potential homograph domains are registered
  • Providing takedown guidance for infringing domains

FAQ

Q: Can I register homograph versions of my own domain defensively?

A: Some registries restrict mixed-script registrations, making defensive registration impossible. Where allowed, registering obvious variants adds protection, but the number of possible combinations is vast.

Q: How do I know if a customer was targeted by a homograph attack?

A: Customers may report receiving emails or seeing ads with “your” domain that led to a different site. Ask for the exact link they followed and compare it with your real domain character by character, ideally by converting it to Punycode: if any label comes back with an xn-- prefix, it is not your domain.

Q: Are homograph attacks common?

A: They’re less common than typosquatting because they require more sophistication, but they’re particularly dangerous because they’re nearly impossible for humans to detect visually.

Want us to monitor this for you?

Run a free brand security audit with Recon and see your vulnerabilities in minutes.

Run Free Audit