CAPEC-632 Metadata
Likelihood of Attack
Low
Typical Severity
Medium
Overview
Summary
An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.
Prerequisites
An adversary requires knowledge of popular or high traffic domains, that could be used to deceive potential targets.
Execution Flow
| Step | Phase | Description | Techniques |
|---|---|---|---|
| 1 | Explore | [Determine target website] The adversary first determines which website to impersonate, generally one that is trusted and receives a consistent amount of traffic. |
|
| 2 | Experiment | [Impersonate trusted domain] In order to impersonate the trusted domain, the adversary needs to register the URL containing the homoglpyh character(s). |
|
| 3 | Exploit | [Deceive user into visiting domain] Finally, the adversary needs to deceive a user into visiting the Homograph domain. |
|
Potential Solutions / Mitigations
Authenticate all servers and perform redundant checks when using DNS hostnames. Utilize browsers that can warn users if URLs contain characters from different character sets.
Related Weaknesses (CWE)
| CWE ID | Description |
|---|---|
| CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User |
Related CAPECs
| CAPEC ID | Description |
|---|---|
| CAPEC-89 | A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed. |
| CAPEC-543 | Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware. |
| CAPEC-616 | An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource. |
Stay Ahead of Attack Patterns
Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.