According to recent evidence put out by Internet security researchers, over a quarter of all domain names that incorporate characters that aren’t part of the normal Roman set were registered by scammers. Support for these characters has unintentionally opened the door for a certain type of fraud that comes from abusing how they might look to English speakers.
The Unicode Consortium works hard to produce a character set that supports a wide variety of languages. Some of these languages have characters that superficially look like they could be part of the Roman alphabet, which scammers have used to create domain names that appear to be those of popular brands.
Increased support for domain names in other languages was heralded as a way for people who use languages that write with something other than these Latin letters to use the web without any impediments. Unicode has allowed international users unfettered access to sites in their own languages without having to resort to using characters that are foreign to them.
However, it’s also accidentally provided crackers with over 8,000 individual characters that could be read as Roman glyphs. For instance, a criminal could create a domain name out of characters that look like the name of a popular bank even when said bank’s name has already been registered.
At the byte level, these Unicode characters are distinct from the ASCII ones used to register the original domain name, so the lookalike is treated as a different, still-available name; that is what makes this possible.
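The byte-level difference described above is also what a defender can use to detect such names. The following is an added example, not code from the original article or from Farsight Security: it converts a domain to its punycode form, checks whether a label mixes scripts, and compares a lookalike-normalised "skeleton" of the label against a list of protected brand names. The lookalike table and the brand list are constructed for illustration and are far smaller than Unicode's real confusables data.

```python
import unicodedata

# Constructed, partial Cyrillic-to-Latin lookalike table (an assumption for this
# example; Unicode's confusables.txt is the authoritative, much larger source).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h",
}

def script_of(ch):
    """Coarse script name derived from the character's Unicode name."""
    if ch in "-0123456789":
        return "COMMON"  # digits and hyphen belong to every script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(label):
    """Replace each known lookalike with the Latin letter it resembles."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)

def analyze_domain(domain, protected_brands):
    """Return the punycode form plus per-label findings for an IDN."""
    domain = domain.lower()
    try:
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        # Python's IDNA codec rejects code points unassigned in Unicode 3.2.
        punycode = None
    findings = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        skel = skeleton(label)
        findings.append({
            "label": label,
            "scripts": scripts,
            # Latin mixed with Cyrillic inside one label is a strong signal.
            "mixed_script": len(scripts) > 1,
            # All-Cyrillic label whose lookalike skeleton spells a brand.
            "brand_collision": skel in protected_brands and skel != label,
        })
    suspicious = any(f["mixed_script"] or f["brand_collision"] for f in findings)
    return {"punycode": punycode, "labels": findings, "suspicious": suspicious}
```

Feeding newly observed domains (for example from passive DNS or certificate transparency logs) through analyze_domain and alerting on the suspicious flag is the kind of check that turns the 27 percent figure above into something actionable.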
While few users have a keyboard layout capable of typing these extended characters, they could be tricked into following links that lead to such a site and be none the wiser. Tablet and smartphone browsers are at greater risk from this kind of exploit because it is harder to tell the difference between character sets when looking at low-resolution typefaces.
Researchers from Farsight Security found that, of the 100 million non-English domain names they examined, around 27 percent were deceptive ones designed to make people think they were looking at an official page when they were really on one run by crackers.
Users are encouraged to be vigilant and ensure they don’t follow links from places that don’t have their full trust.