Cybersecurity for Financial Institutions

Cyber Threat ID
CTID Since 2007

Script Spoofing Defense

What is Script Spoofing?

Script Spoofing (also called an IDN homograph attack) is the act of using a domain name that contains visually similar characters to imitate another domain name. IDN stands for Internationalized Domain Name.
For example, can you visually differentiate between vs. gmа ?
Also, can you visually differentiate between vs. сһаѕе.com ?

Note: To prevent fraud and visually confusable characters from different scripts, IDN domain name registrations (starting on November 8, 2005) can only be composed of characters within a limited subset of a given language (e.g., only Arabic, only Japanese, only Russian). However, IDN domains originally registered in 2005 and prior do not have this limitation and can be composed of characters from multiple scripts (mixed-script spoofing); for instance, the spoofed domain above (gmа is able to mix English and Russian characters because it was registered in 2005 or earlier.

How does Script Spoofing occur?

Typically, the offending registrant of the mimicking domain name registers the domain using IDN (Internationalized Domain Name) characters with the intent to visually imitate traditionally used Latin characters. IDN characters include Russian Cyrillic, Greek, Armenian, Hebrew, Chinese, as well as characters that include an accent or variant of a symbol. The human eye usually cannot detect the difference between such IDN characters and their traditional Latin counterparts.

Where does Script Spoofing occur?

Script Spoofing can occur in any digital interface that displays text, such as email, PDFs, and text messages. It is most commonly seen in email.

When does Script Spoofing occur?

Script Spoofing can occur at any time, especially when the target recipients are attacked indiscriminately. However, the attack is more effective if the sender has obtained the recipient's email address and associated identity. For example, a message that includes visually similar domain names along with the recipient's name and identifying profile ID(s) would appear less suspicious.

Why does Script Spoofing occur?

Generally, Script Spoofing occurs because attackers ultimately want to redirect unsuspecting victims to a phishing website to obtain login credentials. At the phishing website, the attacker does not actively ask for the victim's username and password. Instead, the unsuspecting victim sees a webpage that looks identical in layout and design to the intended destination and may attempt to sign in. After the sign-in attempt, the victim's login input is immediately sent to the attacker. The victim is then redirected to a stopgap site in an attempt to obfuscate the trail, and from the stopgap site to the legitimate intended website. Since the redirects occur instantly, the victim may not notice any difference at all. The victim may believe that he or she entered the login information incorrectly and that the page simply reset to permit another attempt. Once the victim has successfully logged into the legitimate site, the victim may dismiss any prior oddities of the original email. At this point, the attacker may have successfully obtained the victim's login credentials, and the victim would not know to alert anyone. Thus, weeks, months and years may pass before the attacker actually uses the victim's login credentials. This makes it hard for investigators to pinpoint where the compromise occurred.

Why should I be concerned about Script Spoofing?

Although safeguards were implemented in 2005 (mentioned above) to help minimize fraud and confusion, IDN Script Spoofing can still present an online security risk if the spoofed domain was registered prior to Nov. 2005 or if the domain contains characters all from one language script. In such a rare case, it is possible to cause significant damage to individuals and companies. In the event that a virus is connected to the Script Spoofing, it can result in network-wide software and hardware issues. Moreover, if login credentials are compromised, other sensitive data can be compromised. Sensitive data can include personal data, financial data, client data, and company data. Bad actors may sell or use such data to steal identities and funds. In the cyber-world, there may not be any recourse for such loss.
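Both cases named above, a label that mixes scripts and a label drawn entirely from one non-Latin script, can be checked mechanically. The Python below is an added example, not this site's Script Spoofing Detector; the function names, the `pay.example` watchlist entry and the ten-entry Cyrillic lookalike map are assumptions constructed for illustration.

```python
import unicodedata

# Partial Cyrillic-to-Latin lookalike map, constructed for this example.
LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u04bb": "h", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- (punycode) labels."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    found = set()
    for ch in text:
        if ch.isalpha():  # digits and hyphens belong to no single script
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def check_domain(domain, protected):
    """Return findings for a hostname; `protected` holds lowercase ASCII domains."""
    labels = [decode_label(part).lower() for part in domain.rstrip(".").split(".")]
    name = ".".join(labels)
    if name.isascii():
        return []  # nothing to confuse at the script level
    findings = []
    if any(len(scripts_of(label)) > 1 for label in labels):
        findings.append("mixed-script")  # e.g. Latin and Cyrillic in one label
    skeleton = name.translate(LOOKALIKES)
    if skeleton in protected:
        findings.append("imitates:" + skeleton)  # also catches single-script labels
    return findings or ["non-ascii"]

if __name__ == "__main__":
    watchlist = {"pay.example"}  # hypothetical protected domain
    samples = [  # constructed hostnames
        "pay.example",
        "p\u0430y.example",            # Latin p, Cyrillic a, Latin y
        "\u0440\u0430\u0443.example",  # all three letters Cyrillic
    ]
    for host in samples:
        print(ascii(host), check_domain(host, watchlist))
```

The name-prefix heuristic also reports legitimate combinations, such as Japanese kanji with kana, as mixed-script. A production check would use the Unicode Script property and the UTS #39 confusables data rather than a short hand-built map.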

What are the common Script Spoofing characters?

Click here to view the common Script Spoofing characters.

How can I prevent Script Spoofing from adversely affecting me and others?

Defend against Script Spoofing by using our Script Spoofing Detector: