Visual Deception
In the early days of the internet, phishing domains were obvious. Attackers used domains like paypal-login-update-account.com. Today, attackers are much smarter. They use Internationalized Domain Names (IDN) to perform Homograph (or Homoglyph) attacks.
What is a Homoglyph?
A homoglyph is a character from a different language script (like Cyrillic or Greek) that looks exactly like a Latin character. For example:
- The Latin "a" (U+0061)
- The Cyrillic "а" (U+0430)
To the human eye, they are indistinguishable. To a computer, they are completely different strings. An attacker can register pаypal.com (using the Cyrillic 'а'). When a user clicks the link, it looks perfect in the address bar, but they are actually on a malicious server.
Punycode Translation
Because the DNS system only understands ASCII characters, browsers use an encoding called Punycode to translate these foreign characters. The Cyrillic pаypal.com translates to xn--pypal-4ve.com under the hood.
While modern browsers try to defend against this by displaying the Punycode version if they detect mixed scripts, attackers have found bypasses by registering entire domains using a single foreign script, confusing the browser's defense mechanisms.
How to Detect It
Standard regex string matching is completely blind to homoglyph attacks. To protect your brand, you need an engine that understands Unicode visual equivalency.
Tetik.NET features a proprietary Visual Threat Engine. It converts incoming domain registrations into visual matrices and compares the mathematical structure of the characters against your brand's ASCII representation. If an attacker tries to sneak a Cyrillic character past your defenses, Tetik.NET flags it instantly.