How to Stay Safe Online and Avoid URL Spoofing

Gavin Phillips 26-03-2018

A successful phishing attack uses trickery to fool unwitting suspects into revealing personal details or clicking a malicious link. The complexity of phishing attacks has gone from strength to strength over the years, too. And while the simple email with a fake company logo still works, scammers are going to greater lengths to implement their scams.


The latest play from the phishing scammers book is the URL spoof—a lookalike URL posing as one that you usually trust. But how does a scammer make their URL look the same? And how can you avoid being caught out? Let’s take a look.

International Domain Names: A Very Brief History

To understand how a scammer spoofs a URL, you need to understand a little more about how domain names work.

Until 2009, URLs could only comprise of the Latin letters a to z, without accents, glyphs, or any other symbols. The Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit organization that maintains vital databases What URL Domain Extensions Stand For and Why They Are Needed There's a lot more to the internet that just .com, .org, and .net sites. The world of top-level domains exploded a few years ago. But what is a TLD? Let's find out. Read More intrinsic to the internet functioning, changed this system. internet users were now able to register URLs using a vast range of alternative scripts, including Greek, Cyrillic, and Chinese, as well as Latin characters containing accents and more.

There is a good reason for this change. As the internet expands, so the demographics of its user’s change. For instance, from 2009 to 2017, the number of internet users in North America grew from 259 million to 320 million, a 23-percent increase. At the same time, the number of internet users across Asia grew from 790 million to 1.938 billion, a 145-percent increase.

As the North American and a large proportion of the European market heads towards saturation, the rest of the world is only just coming online, and it is those languages and alphabets which are shaping the direction of the internet.


Scripts Allow URL Spoofing

The introduction of a wide range of new scripts to the URL domain registration was a new attack avenue for scammers. Also known as a homographic domain name attack, scammers register URLs using non-Latin characters that look exactly the same as their regular counterparts.

Let’s use the URL as an example. The regular URL uses standard Latin characters. But we can make some incredibly subtle changes to the URL using non-standard characters. In fact, this time around, is written entirely differently. How?

I replace the Latin “a” (U+0041, the character’s Unicode identifier) with an “a” (U+0430) from the Cyrillic alphabet, and the Latin “o” (U+006F) with the small Omicron (U+03BF) from the Greek alphabet. Notice the difference? Of course not. And that’s precisely why URL spoofing works. The introduction of homographic (visually similar) letters to the original URL allows a potential scammer to register the URL.

URL Spoofing - special characters


Combine the fake URL with a stolen HTTPS certificate and a scammer can impersonate the very site you’re reading this article on (wait… is this the real site?).

Other Variants

The URL is an excellent example because it has two homographic characters. At other times scammers substitute similar letters that also include accents, glyphs, diacritics, and more. Let’s use the URL again, but this time using a wider-range of substitute characters.

To illustrate the point I’ve included some pretty obvious character modifications in the above example. This is how our fake URL looks in the Google Chrome Omnibox, too.

url shortener, phishing


Stands out, right? If the URL appears as a link in an email, some users won’t catch the difference. The same can be said for the browser status bar that previews the URL you’re about to click. It is small and somewhat out of sight, so you might not notice a URL with subtler differences than our example.


You don’t have to become a victim. Some modern browsers are already taking steps to stop users visiting URL lookalike sites. Chrome, Safari, Opera, and Microsoft Edge all have mitigations in place.

Brian Krebs’ site has a great example of this mitigation tactic, where an inconspicuous-but-fake version of actually resolves to

This translation is known as “Punycode,” and many browsers use this special encoding format to provide direct protection against homograph phishing attacks. Punycode essentially locks the browser character set to a basic ASCII set containing a-z, A-Z, and 0-9 (also known as the LDH rule, for Letters, Digits, Hyphens).


Want to see how your website shapes up? Check out this domain checker that Hold Security developed. Pop your domain and corresponding top-level domain (such as .com or .org) into the search, and off you go. Luckily for us, there are no impersonators on the internet—but there are 186 possible variations if someone did want to mimic the site.

URL Spoofing - IDN checker


Internationalized domain name homograph phishing attacks aren’t all that new. They’re increasing in notoriety because scammers are making better use of their available toolset. The homograph attack is actually very similar to another domain phishing scam: typosquatting How To Protect Yourself From These 8 Social Engineering Attacks What social engineering techniques would a hacker use and how would you protect yourself from them? Let's take a look at some of the most common methods of attack. Read More .

Typosquatting is the practice of registering a slew of commonly misspelled domain names and hosting malicious content or a fake login portal for unsuspecting users. For instance, how many times have you rapidly typed “Amozon” or “Facebok?” Actually, larger sites like this sometimes account for misspellings, and you’ll end up at the right place… most of the time. You should remain vigilant, though.

Staying Secure and Avoiding Spoofed URLs

Spotting a doctored or tampered URL comes with its own set of difficulties. Moreover, if the malicious URL has a “legitimate” HTTPS certificate What Is a Website Security Certificate? What You Need to Know Website security certificates help make the web more secure and safer for online transactions. Here's how security certificates work. Read More , it makes detection that bit harder. But you don’t have to struggle alone.

As previously mentioned, your browser attempts to mitigate this issue already by forcing all URLs to adhere to Punycode. Outside the browser, however, you’re more or less flying solo—but here are a few tips, nonetheless.

And, as ever, education as to the myriad security threats we face online 6 Free Cyber Security Courses That'll Keep You Safe Online Puzzled about online security? Confused about identity theft, encryption, and how safe it is to shop online? We've compiled a list of 6 free cyber security courses that will explain everything, ready to take today! Read More is the best mitigation tactic of all. Once you start to notice some of the more obvious malicious online activities taking place around you, you’re immediately working much safer.

Related topics: Online Security, Phishing.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. ReadandShare
    March 27, 2018 at 5:44 pm

    I think this is one important area where password managers (e.g. LastPass) shines. You get it to memorize specific webpage(s) to populate your user ID's and passwords. Once that's done, spoofed webpages that can fool you and me won't fool the password manager.

    So, if you come across a page that looks right but your password manager refuses to populate the log-in credentials, that should be a red flag for you. Don't go forcing it, but instead go to the log-in page via your bookmarks or type the address in yourself.

    • Gavin Phillips
      March 27, 2018 at 6:26 pm

      Thanks, ReadandShare, that's a really great tip!