How hackers use legitimate-looking domains to attack you
- Mateusz Piaszczak, Holm Security
- Jun 19, 2019
- 3 min read
Hackers use multiple techniques of manipulation to trick you into opening a malicious website. In this article you will find information related to UTF-8 characters used in domain names. This can help to Increase your awareness and be a step ahead of the attacker.
The image above is a screenshot from the website https://www.utf8-chartable.de/unicode-utf8-table.pl (external link) where you can find more UTF-8 characters. Due to UTF-8 encoding, you are able to display non-latin alphabet characters – for example „Ø”, or „©”. Try to identify which letters look similar to the ones from a Latin alphabet? Now, just imagine that somebody registered a copy of your banks domain by using, for example, a Cyrillic letter „а” instead of a regular „a”. And then hosted a clone of this banks’ website, set up as https, to make it seem legit.
From a visual perspective, you won’t be able to identify if this link is malicious or not, since it doesn’t cоntain mіѕѕреllіngѕ оr оthеr trісkѕ that yоu might lооk for that yоu might lооk for – if you don’t believe me, try to identify which of the letters used in the bold text above are Cyrillic.
Can’t do it? Keep reading to learn more about how you can protect yourself against these frauds.
Have you ever seen emoji URLs?
Domains, that are using graphical characters are nothing new – first of them were registered in April, 2001 and since then we’ve can easily use emojis in domain names, if we wish to.
The idea of such URLs is very interesting – since there is a limit to how many languages a person is able to understand the word “Apple”? If you’ll have a domain including a symbol of an apple
anybody will understand it.
Ability to use regular .com and .net extensions
At the very beginning, it was possible to register emoji domains with extensions like .com or .net. Even today, it’s quite easy to find a website that is being hosted on a domain such as this
.com.
However, a limitation has been introduced since that time. These days, you can only register domains with the following extensions:
Why can I no longer register such a domain with the .com extension?
Emojis are not the only possible characters that can be used in “special” domain names – You’ll find that some of the graphic characters from UTF-8 are extremely similar to our alphabet letters. Now, just imagine the possibilities of registering such a domain with .com or .pl. Somebody could easily then register a domain that looks exacly like your banks domain and host a cloned website there, for example. Also – there’s nothing keeping them from implementing a https connection to it and getting a trustworthy looking padlock icon.
Does the limitation solve the fraud risks?
Not really – it does however minimize the risk – your bank’s domain with a .ws extension will look suspicious (if you are verifying the URLs before you’ll click on them!). It’s important to remember that social engineering is based on natural human behavior, needs and emotions. In such cases the attacker can encourage you to click on unusual, interesting looking URL addresses – and in some cases, it’s totally enough to hack your device (for example if you are not a big fan of update installations).
5 steps to become more resilient against these tricks:
First of all – do not click on links being sent from unknown people (in for example e-mails) – If you are dead set on opening it anyway, try to open the website (if it looks legitimate!) directly from your browser, or find it through the search engine.
Always remember to verify the domain name (for example against misspelling – it’s quite easy to confuse rn with m) and hover over a link before you click.
Remember to keep your software updated – it’s quite a universal recommendation, but it will protect you against most attackers.
Share this article – you’ll increase your friends awareness too!
Subscribe to our newsletter by clicking this link and get notifications of new security-related articles.
Mateusz Piaszczak, Holm Security
Mateusz has over 7 years of experience in the IT security industry. He is an experienced IT conference speaker, educator and pentester.
A lot of individuals exploring distance-learning options come across ccm uk while comparing different institutions. The College of Contract Management stands out through its internationally recognized programs. Learners often highlight how clear the course layouts and assessments are, which helps create a smooth and stress-free learning experience.
Wondering how to use epoxy putty effectively? This versatile, two-part adhesive repairs, seals, and molds metal, wood, plastic, and more. Just cut, mix, and apply—it hardens into a strong, sandable finish. Perfect for DIY or industrial fixes, its durability and water resistance make it essential. For expert guidance and trusted products, turn to UNICCM, your go-to resource for epoxy solutions.
Understanding the importance of risk management with a qualifi qualification helps you protect both the business and its stakeholders. The College of Contract Management offers a postgraduate program that focuses on practical risk management solutions. You will learn to make data-driven decisions that protect organizational assets. Many have successfully applied this knowledge in leadership positions after completing the course.
I enrolled in UNICCM's social media marketing online course diploma to formalize my self-taught knowledge, and it was worth every penny. The curriculum goes beyond basics to cover sophisticated techniques like technical SEO audits and performance marketing. Learning from practitioners rather than just academics made all the difference. This course will take your digital marketing abilities to the professional level.
If you're looking for a password generator free of charge that can help you create highly secure passwords, online options are plentiful. These tools are essential for avoiding weak or easily guessable passwords, which are a common target for hackers. By generating truly random combinations of characters, they make your accounts much harder to compromise. It's a fundamental step in good digital hygiene, and using a generator ensures your passwords are up to the task of protecting your sensitive information.