
Homograph domain attacks, closely related to typosquatting, exploit the fact that many Unicode characters from other alphabets or scripts are visually indistinguishable from, or very similar to, common Latin letters. This lets attackers register domain names that display almost exactly like a legitimate domain while being, in DNS terms, entirely different domains: an internationalized domain name is stored and resolved in its Punycode form (a label beginning with “xn--”), not in the form the user sees.
The study ‘The COVID‐19 scamdemic: A survey of phishing attacks and their countermeasures during COVID‐19’ explains, “Attackers frequently used cybersquatting and typosquatting techniques, or techniques to obtain homograph domain names, to make COVID-19 themed malicious websites mimic legitimate ones [94], which highlights the importance and usefulness of detecting such modified URLs.”
The attacks are often used in conjunction with other cyberattack techniques, amplifying their threat. For example, attackers combine homograph domains with phishing emails, social engineering tactics, malware distribution, and credential harvesting to create multi-layered attacks. In these combined attacks, victims are deceived by the visual similarity of the domain name when clicking on a phishing link.
Understanding homograph domain attacks
Homograph domain attacks are phishing attacks in which attackers create lookalike domains by exploiting visually similar characters from different alphabets, tricking users into thinking they are visiting a trusted source. A study published in HAL Open Science states, “Homograph attack is a way that the attackers deceive victims about what domain they are communicating with by exploiting the fact that many domains look alike.”
An example is an attacker replacing the Latin letter “o” in a legitimate domain with the Cyrillic “о” (U+043E) to create a domain that looks identical on screen but is a different name in DNS. The prevalence of this form of attack brings to light a major challenge in cybersecurity: the lack of training in recognizing and avoiding lookalike domains.
How homograph attacks are used against email
- Attackers create email addresses with lookalike domains so that a message appears to come from a trusted sender (e.g., “support@hea1thcare.com”, with the digit 1 in place of the letter l, instead of “support@healthcare.com”).
- Links within emails can direct users to fake websites that look like their healthcare organization’s sites and are designed to capture their data.
- Attackers could impersonate a healthcare provider’s vendors or suppliers using similar domains to request unauthorized payments.
- Emails appearing to be from the internal IT department or trusted external tech support can trick healthcare staff into providing access to the system.
- Attackers may use domains that look similar to regulatory agencies to request compliance documentation or access to patient records under the guise of audits.
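The checks described above, for the Cyrillic “o” substitution and for lookalike sender domains in email, can be automated. The following is an added example written for this page, not code from the article or from any vendor: it flags mixed-script labels, shows the Punycode form a domain actually resolves as, and compares a confusables “skeleton” of the domain against a list of trusted domains so that ASCII lookalikes such as hea1thcare.com are caught too. The trusted list, the small confusables table and the sample addresses are constructed assumptions; the real Unicode confusables table is far larger.

```python
"""Lookalike sender-domain check (added example, not code from the article).

Flags three things an analyst would want to see for a sender domain:
  * mixed scripts inside a label (Unicode homographs),
  * the Punycode (xn--) form the domain actually resolves as,
  * a "skeleton" match or near-match against a list of trusted domains,
    which also catches ASCII lookalikes such as the digit 1 for the letter l.
The trusted list and the sample domains are constructed for this example.
"""
import unicodedata

TRUSTED_DOMAINS = {"healthcare.com", "apple.com"}  # constructed

# Small confusables table (assumption: a handful of common homoglyphs;
# Unicode's confusables.txt is far larger). Keys are lower-case.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o r
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic s kh u i
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                 # Greek o a nu
    "1": "l", "0": "o", "|": "l",
}


def script_of(ch: str) -> str:
    """Coarse script class taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def scripts_in(label: str) -> set:
    return {script_of(ch) for ch in label if ch.isalpha()}


def skeleton(name: str) -> str:
    """Map every character to its Latin lookalike so visually identical
    strings compare equal (a toy version of Unicode TR39 skeletons)."""
    s = unicodedata.normalize("NFKC", name).lower()
    for pair, single in (("rn", "m"), ("vv", "w")):  # two-letter lookalikes
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_ascii(domain: str) -> str:
    """IDNA (Punycode) form, i.e. what DNS actually sees."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain


def to_unicode(domain: str) -> str:
    """Decode an xn-- form back to Unicode so homographs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def analyze(domain: str, trusted=TRUSTED_DOMAINS) -> dict:
    domain = to_unicode(domain.strip().rstrip(".").lower())
    ascii_form = to_ascii(domain)
    sk = skeleton(domain)
    result = {"domain": domain, "ascii": ascii_form, "skeleton": sk,
              "trusted": domain in trusted, "findings": []}
    if result["trusted"]:
        return result
    for label in domain.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            result["findings"].append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    if ascii_form != domain:
        result["findings"].append(f"IDN: displays as {domain!r}, resolves as {ascii_form!r}")
    for t in sorted(trusted):
        if sk == skeleton(t):
            result["findings"].append(f"homoglyph match for trusted domain {t!r}")
        elif edit_distance(sk, skeleton(t)) == 1:
            result["findings"].append(f"one edit away from trusted domain {t!r}")
    return result


def check_sender(address: str) -> dict:
    """Analyze the domain part of a From: address."""
    return analyze(address.rpartition("@")[2])


if __name__ == "__main__":
    for addr in ("support@healthcare.com", "support@hea1thcare.com",
                 "billing@h\u0435\u0430lthcare.com", "noreply@appIe.com"):
        r = check_sender(addr)
        print(addr, "->", r["ascii"], r["findings"])
```

Because DNS folds case, the “appIe.com” example is simply appie.com on the wire; the skeleton comparison does not see a homoglyph there, but the edit-distance check reports it as one character away from apple.com. In production the skeleton should be built from the full Unicode confusables data rather than the short table assumed here.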
The types of homograph attacks that could impact healthcare organizations
There are three main types of homograph attacks that are a risk to healthcare entities. These include homograph domain attacks, homograph email spoofing, and identity homograph impersonation. Each of these leverages visual similarity, using cunningly chosen alternate characters, to undermine trust, steal sensitive information, and disrupt critical healthcare operations.
Homograph domain attacks are at the forefront of digital impersonation threats. An attacker registers a domain name that looks nearly identical to a legitimate hospital’s patient portal but replaces a common Latin letter with a visually indistinguishable Cyrillic or Greek character. These lookalike domains can be seeded in emails, social media, or advertisements, enticing healthcare staff or patients to click on links that seem perfectly trustworthy.
Homograph email spoofing attacks are also particularly effective in breaching healthcare defenses. Cybercriminals craft email addresses that mimic trusted internal sources or external partners by swapping Latin characters with homoglyphs, characters that look alike but have different Unicode code points. This is especially dangerous in settings where clinicians and administrators communicate about sensitive patient information or authorize transactions via email.
A Missouri Medicine analysis explains, “the healthcare industry is the perfect cyber-attack victim because it depends on technology for patient care and revenue cycles,” and it has now become “the number one victim of cyber attacks.”
Identity homograph impersonation on healthcare applications and telemedicine platforms is a newer trend. As healthcare providers begin using digital tools more often for direct patient engagement, attackers exploit similarities in user names and handles to pose as legitimate healthcare providers or administrative staff.
Patients seeking care or follow-up instructions can be misled by malicious actors who use homograph-based impersonation, unintentionally divulging PHI or making payments to fraudulent accounts. Where “cyber attacks on interoperable EHRs are a clear and present danger to patient’s access to healthcare and personal information,” the risks of homograph exploitation become even more pressing.
The recent history of homograph domain attacks
A report from the Health Sector Cybersecurity Coordination Center (HC3) indicates that homograph attacks, particularly those involving Cyrillic characters, are “evolving into a formidable challenge for healthcare cybersecurity executives.” These are used in phishing campaigns mimicking trusted domain names.
The report offers the following advice when it comes to identifying these attacks: “Oftentimes, hackers will use a URL for their spoofed website that is just one character off from the legitimate site, such as using ‘https://www.apple.com’ versus ‘https://www.appIe.com.’ Before clicking on any website from an email asking you to act, hover over the link with your cursor. This will allow you to preview the URL and identify any suspicious misspellings or grammatical errors before navigating to a potentially dangerous website.”
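The hover-to-preview advice can be applied to a whole message at once by a mail gateway or a triage script. The following is an added example written for this page, not code from the HC3 report or the article: it pulls every link out of an HTML email body, compares the host the visible link text claims with the host the href really points to, and shows the Punycode form of any internationalized hostname. The SAMPLE_EMAIL body is constructed for the example.

```python
"""Automated 'hover over the link' check for an HTML email (added example,
not from the HC3 report or the article). For every <a> it compares the host
the visible text claims with the host the href actually points to, and shows
the Punycode form of any internationalized hostname. SAMPLE_EMAIL is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str):
    """Hostname from a URL or a bare 'www.example.com' string; None if the
    text is not host-like (e.g. 'Open patient portal')."""
    text = text.strip()
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname  # lower-cased by urlparse, as DNS would
    return host if host and "." in host else None


def review_links(html: str) -> list:
    """One report entry per link: href, visible text, real host, and flags."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        target, shown, flags = host_of(href), host_of(text), []
        if target is None:
            flags.append("no host in href")
        else:
            try:
                ascii_host = target.encode("idna").decode("ascii")
            except UnicodeError:
                ascii_host = target
            if ascii_host != target:
                flags.append(f"IDN host: resolves as {ascii_host}")
            if shown and shown != target:
                flags.append(f"visible text says {shown}, link goes to {target}")
        report.append({"href": href, "text": text, "host": target, "flags": flags})
    return report


# Constructed sample: one honest link, one lookalike host hidden behind
# honest-looking text, one Cyrillic homograph host, one ordinary link.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.apple.com/account">https://www.apple.com/account</a>
<a href="https://www.appIe.com/login">https://www.apple.com/login</a>
<a href="https://www.h\u0435\u0430lthcare.com/portal">Open patient portal</a>
<a href="https://www.healthcare.com/help">Help center</a>
"""

if __name__ == "__main__":
    for entry in review_links(SAMPLE_EMAIL):
        print(entry["href"], "->", entry["host"], entry["flags"])
```

The second link is the report’s apple/appIe case: the href host is appie.com once DNS case folding is applied, so it is flagged because it disagrees with the host the visible text claims. The third link carries no host in its text, so the only signal is the xn-- form, which is why showing the Punycode hostname matters even when nothing else looks wrong.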
The solution
HIPAA compliant email platforms like Paubox offer security that goes beyond encryption. These systems integrate with threat detection tools and have domain filtering built in, so unusual or lookalike sender domains can be monitored and alerted on. This helps organizations identify messages from fake or compromised domains that imitate trusted sources before they reach staff.
The benefit of using HIPAA compliant email is also found in its ability to let providers communicate cybersecurity awareness to patients easily. Integrating educational content that informs patients about the common attacks used to imitate providers and access their data, and about the practices they should follow to avoid them, helps protect patients and also strengthens the patient-provider relationship through trust.
Related: Top 12 HIPAA compliant email services
FAQs
Is consent necessary to send an email?
Consent is required when sending an email for reasons not related to treatment, payment, or operations.
What is phishing?
A type of cyberattack where attackers trick people into sharing information by pretending to be trustworthy sources.
How is exploited PHI commonly used?
It is commonly used by cybercriminals for identity theft, financial fraud, or selling it on the dark web.