{"id":5621,"date":"2026-05-21T14:35:13","date_gmt":"2026-05-21T14:35:13","guid":{"rendered":"https:\/\/adex.com\/blog\/?p=5621"},"modified":"2026-05-21T14:35:14","modified_gmt":"2026-05-21T14:35:14","slug":"homograph-attack-fake-urls","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/","title":{"rendered":"Homograph Attacks: When URLs Look Identical but Aren&#8217;t"},"content":{"rendered":"\n<p>A user types <strong><em>paypal.com<\/em><\/strong> into the address bar. The site loads. The padlock is green. The TLS certificate is valid. The branding is correct. And the credentials they enter go straight to an attacker, because the domain wasn&#8217;t <strong><em>paypal.com<\/em><\/strong>. It was <strong><em>p\u0430ypal.com<\/em><\/strong>, with a Cyrillic &#8220;\u0430&#8221; in place of the Latin one. To the eye, identical. To DNS, a completely different domain.<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#d6d6d630\">This is a homograph attack, and it&#8217;s one of the few impersonation techniques that exploit a flaw in human perception rather than a software flaw. It doesn&#8217;t depend on tricking distracted users into misreading a URL. Even a careful person, looking directly at the address bar, sees the brand they expect.<\/p>\n\n\n\n<p>For adtech, affiliate operations, and brand teams, the relevance is direct. Homograph and look-alike domains increasingly impersonate networks, advertisers, and publishers in phishing, ad-fraud landing infrastructure, and reputation attacks.&nbsp;<\/p>\n\n\n\n<p>What follows is the mechanism itself, where defenses break, and how to think about exposure operationally rather than theoretically.<\/p>\n\n\n<div class=\"toc\"><h4 class=\"toc__title\" id=\"contents\">Contents<\/h4><ul class=\"toc__list\"><li class=\"toc__list_item\"><a href=\"#the-side-by-side-most-defenders-underestimate\">The Side-by-Side Most Defenders Underestimate<\/a><\/li><li class=\"toc__list_item\"><a href=\"#spot-the-difference\">Spot the Difference<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-is-a-homograph-attack\">What Is a Homograph Attack?<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-the-attack-actually-works\">How the Attack Actually Works<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-a-homograph-attack-moves-through-the-chain\">How a Homograph Attack Moves Through the Chain<\/a><\/li><li class=\"toc__list_item\"><a href=\"#where-the-address-bar-stops-protecting-you\">Where the Address Bar Stops Protecting You<\/a><\/li><li class=\"toc__list_item\"><a href=\"#why-adtech-is-a-particular-target\">Why Adtech Is a Particular Target<\/a><\/li><li class=\"toc__list_item\"><a href=\"#real-incidents-worth-knowing\">Real Incidents Worth Knowing<\/a><\/li><li class=\"toc__list_item\"><a href=\"#homograph-typosquat-incidents-in-the-wild\">Homograph &amp; Typosquat Incidents in the Wild<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-confusable-universe-is-larger-than-most-defenders-think\">The Confusable Universe Is Larger Than Most Defenders Think<\/a><\/li><li class=\"toc__list_item\"><a href=\"#categories-of-domain-confusables\">Categories of Domain Confusables<\/a><\/li><li class=\"toc__list_item\"><a href=\"#a-defense-layer-comparison-that-actually-helps\">A Defense Layer Comparison That Actually Helps<\/a><\/li><li class=\"toc__list_item\"><a href=\"#when-defensive-domain-registration-stops-making-sense\">When Defensive Domain Registration Stops Making Sense<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-false-positive-problem-nobody-discusses\">The False Positive Problem Nobody Discusses<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-to-do-differently-on-monday\">What to Do Differently on Monday<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-underlying-point\">The Underlying Point<\/a><\/li><li class=\"toc__list_item\"><a href=\"#faq\">FAQ<\/a><\/li><\/ul><\/div><style>\n.toc {}\n.toc__title {\n      font-size: 32px;\n    line-height: 40px;\n    font-weight: 700;\n}\n.toc__list_item {\n    color: #FE645A !important;\n}\n.toc__list_item:not(:last-child){\n    margin-bottom: 5px;\n}\n.toc__list_item a {\n    font-size: 18px;\n    line-height: 24px;\n    color: #FE645A;\n    font-weight: 600;\n}\n.toc__list_item a:hover {\n    text-decoration: underline;\n}\n@media (max-width: 1023px) {.toc__title {font-size: 24px;line-height: 32px;}}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-side-by-side-most-defenders-underestimate\">The Side-by-Side Most Defenders Underestimate<\/h2>\n\n\n\n<div class=\"adex-homograph-block\">\n  <style>\n    .adex-homograph-block {\n      max-width: 760px;\n      margin: 24px auto;\n      padding: 28px 24px 24px;\n      background: #ffffff;\n      border: 1px solid #e3e6f0;\n      border-radius: 14px;\n      font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n      color: #160b52;\n      box-sizing: border-box;\n      overflow: hidden;\n    }\n    .adex-homograph-block *,\n    .adex-homograph-block *::before,\n    .adex-homograph-block *::after {\n      box-sizing: border-box;\n    }\n    .adex-homograph-block .adex-hg-eyebrow {\n      margin: 0 0 8px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 12px;\n      line-height: 1.2;\n      letter-spacing: 0.2em;\n      text-transform: uppercase;\n      font-weight: 800;\n      color: #ff4f4f;\n    }\n    .adex-homograph-block .adex-hg-title {\n      margin: 0 0 24px;\n      font-size: 24px;\n      line-height: 1.12;\n      letter-spacing: -0.03em;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-homograph-block .adex-hg-grid {\n      display: grid;\n      grid-template-columns: repeat(2, minmax(0, 1fr));\n      gap: 16px;\n      margin-bottom: 20px;\n    }\n    .adex-homograph-block .adex-hg-browser {\n      min-height: 300px;\n      background: #fbfcff;\n      border: 1px solid #dfe4f2;\n      border-radius: 12px;\n      overflow: hidden;\n    }\n    .adex-homograph-block .adex-hg-browser-spoof {\n      border-color: #ffb8b2;\n      background: #fffafa;\n    }\n    .adex-homograph-block .adex-hg-topbar {\n      display: flex;\n      align-items: center;\n      gap: 6px;\n      padding: 11px 14px;\n      background: #f0f2fb;\n      border-bottom: 1px solid #dfe4f2;\n    }\n    .adex-homograph-block .adex-hg-browser-spoof .adex-hg-topbar {\n      background: #fff0ef;\n      border-bottom-color: #ffb8b2;\n    }\n    .adex-homograph-block .adex-hg-dot {\n      width: 9px;\n      height: 9px;\n      border-radius: 50%;\n      display: inline-block;\n      flex: 0 0 auto;\n    }\n    .adex-homograph-block .adex-hg-dot-red {\n      background: #ff4f4f;\n    }\n    .adex-homograph-block .adex-hg-dot-yellow {\n      background: #ffb800;\n    }\n    .adex-homograph-block .adex-hg-dot-green {\n      background: #02c836;\n    }\n    .adex-homograph-block .adex-hg-badge {\n      margin-left: auto;\n      padding: 4px 8px;\n      border-radius: 5px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 10px;\n      line-height: 1;\n      letter-spacing: 0.14em;\n      text-transform: uppercase;\n      font-weight: 900;\n    }\n    .adex-homograph-block .adex-hg-badge-legit {\n      color: #009b83;\n      background: #ddf7f0;\n    }\n    .adex-homograph-block .adex-hg-badge-spoof {\n      color: #ff4f4f;\n      background: #ffe1df;\n    }\n    .adex-homograph-block .adex-hg-body {\n      padding: 14px;\n    }\n    .adex-homograph-block .adex-hg-address {\n      display: flex;\n      align-items: center;\n      gap: 9px;\n      min-height: 38px;\n      margin-bottom: 18px;\n      padding: 8px 12px;\n      background: #ffffff;\n      border: 1px solid #dfe4f2;\n      border-radius: 9px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 15px;\n      line-height: 1.2;\n      color: #16006f;\n      box-shadow: 0 1px 0 rgba(15, 0, 99, 0.02);\n    }\n    .adex-homograph-block .adex-hg-lock {\n      width: 14px;\n      height: 14px;\n      color: #00c72f;\n      flex: 0 0 auto;\n    }\n    .adex-homograph-block .adex-hg-spoof-char {\n      display: inline-block;\n      padding: 0 2px;\n      border-radius: 3px;\n      background: #ffd7d2;\n      color: #ff4f4f;\n    }\n    .adex-homograph-block .adex-hg-warning {\n      margin: 0 0 20px;\n      padding: 13px 14px;\n      border-left: 3px solid #ff4f4f;\n      border-radius: 5px;\n      background: #fff0ef;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      color: #ff4f4f;\n    }\n    .adex-homograph-block .adex-hg-warning-small {\n      margin: 0 0 6px;\n      font-size: 10px;\n      line-height: 1.2;\n    }\n    .adex-homograph-block .adex-hg-warning-main {\n      margin: 0 0 5px;\n      font-size: 12px;\n      line-height: 1.35;\n      font-weight: 800;\n    }\n    .adex-homograph-block .adex-hg-warning-desc {\n      margin: 0;\n      font-size: 11px;\n      line-height: 1.45;\n    }\n    .adex-homograph-block .adex-hg-section-label {\n      margin: 0 0 10px;\n      padding-bottom: 8px;\n      border-bottom: 1px solid #dfe4f2;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 11px;\n      line-height: 1.2;\n      letter-spacing: 0.14em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #8b8fac;\n    }\n    .adex-homograph-block .adex-hg-row {\n      display: grid;\n      grid-template-columns: 90px 1fr;\n      gap: 10px;\n      align-items: baseline;\n      margin-bottom: 9px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n    }\n    .adex-homograph-block .adex-hg-label {\n      margin: 0;\n      font-size: 11px;\n      line-height: 1.25;\n      letter-spacing: 0.08em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #8b8fac;\n    }\n    .adex-homograph-block .adex-hg-value {\n      margin: 0;\n      text-align: right;\n      font-size: 12px;\n      line-height: 1.25;\n      color: #16006f;\n    }\n    .adex-homograph-block .adex-hg-value-red {\n      color: #ff4f4f;\n    }\n    .adex-homograph-block .adex-hg-bottom {\n      padding: 14px 16px;\n      border: 1px solid #dfe4f2;\n      border-radius: 9px;\n      background: #fbfcff;\n      text-align: center;\n      font-size: 14px;\n      line-height: 1.3;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-homograph-block .adex-hg-separator {\n      margin: 0 8px;\n      color: #ff4f4f;\n    }\n    @media (max-width: 700px) {\n      .adex-homograph-block {\n        padding: 22px 16px;\n      }\n      .adex-homograph-block .adex-hg-title {\n        font-size: 20px;\n      }\n      .adex-homograph-block .adex-hg-grid {\n        grid-template-columns: 1fr;\n      }\n      .adex-homograph-block .adex-hg-browser {\n        min-height: auto;\n      }\n    }\n    @media (max-width: 480px) {\n      .adex-homograph-block {\n        padding: 18px 12px;\n      }\n      .adex-homograph-block .adex-hg-eyebrow {\n        font-size: 10px;\n      }\n      .adex-homograph-block .adex-hg-title {\n        font-size: 18px;\n      }\n      .adex-homograph-block .adex-hg-address {\n        font-size: 13px;\n      }\n      .adex-homograph-block .adex-hg-row {\n        grid-template-columns: 1fr;\n        gap: 3px;\n      }\n      .adex-homograph-block .adex-hg-value {\n        text-align: left;\n        font-size: 12px;\n      }\n      .adex-homograph-block .adex-hg-bottom {\n        font-size: 13px;\n      }\n      .adex-homograph-block .adex-hg-separator {\n        display: block;\n        margin: 4px 0;\n      }\n    }\n  <\/style>\n  <p class=\"adex-hg-eyebrow\">Visual \u00b7 Homograph Attack<\/p>\n  <h2 class=\"adex-hg-title\" id=\"spot-the-difference\">Spot the Difference<\/h2>\n  <div class=\"adex-hg-grid\">\n    <div class=\"adex-hg-browser\">\n      <div class=\"adex-hg-topbar\">\n        <span class=\"adex-hg-dot adex-hg-dot-red\"><\/span>\n        <span class=\"adex-hg-dot adex-hg-dot-yellow\"><\/span>\n        <span class=\"adex-hg-dot adex-hg-dot-green\"><\/span>\n        <span class=\"adex-hg-badge adex-hg-badge-legit\">Legitimate<\/span>\n      <\/div>\n      <div class=\"adex-hg-body\">\n        <div class=\"adex-hg-address\">\n          <svg class=\"adex-hg-lock\" viewBox=\"0 0 24 24\" fill=\"none\" aria-hidden=\"true\">\n            <rect x=\"5\" y=\"10\" width=\"14\" height=\"10\" rx=\"2\" stroke=\"currentColor\" stroke-width=\"2\"\/>\n            <path d=\"M8 10V7a4 4 0 0 1 8 0v3\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\/>\n          <\/svg>\n          <span>paypal.com<\/span>\n        <\/div>\n        <p class=\"adex-hg-section-label\">Certificate Detail<\/p>\n        <div class=\"adex-hg-row\">\n          <p class=\"adex-hg-label\">Issued To<\/p>\n          <p class=\"adex-hg-value\">PayPal, Inc.<\/p>\n        <\/div>\n        <div class=\"adex-hg-row\">\n          <p class=\"adex-hg-label\">CA<\/p>\n          <p class=\"adex-hg-value\">DigiCert EV<\/p>\n        <\/div>\n        <div class=\"adex-hg-row\">\n          <p class=\"adex-hg-label\">Punycode<\/p>\n          <p class=\"adex-hg-value\">paypal.com<\/p>\n        <\/div>\n      <\/div>\n    <\/div>\n    <div class=\"adex-hg-browser adex-hg-browser-spoof\">\n      <div class=\"adex-hg-topbar\">\n        <span class=\"adex-hg-dot adex-hg-dot-red\"><\/span>\n        <span class=\"adex-hg-dot adex-hg-dot-yellow\"><\/span>\n        <span class=\"adex-hg-dot adex-hg-dot-green\"><\/span>\n        <span class=\"adex-hg-badge adex-hg-badge-spoof\">Spoofed<\/span>\n      <\/div>\n      <div class=\"adex-hg-body\">\n        <div class=\"adex-hg-address\">\n          <svg class=\"adex-hg-lock\" viewBox=\"0 0 24 24\" fill=\"none\" aria-hidden=\"true\">\n            <rect x=\"5\" y=\"10\" width=\"14\" height=\"10\" rx=\"2\" stroke=\"currentColor\" stroke-width=\"2\"\/>\n            <path d=\"M8 10V7a4 4 0 0 1 8 0v3\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\/>\n          <\/svg>\n          <span>p<span class=\"adex-hg-spoof-char\">\u0430<\/span>ypal.com<\/span>\n        <\/div>\n        <div class=\"adex-hg-warning\">\n          <p class=\"adex-hg-warning-small\">\u2191 position 2<\/p>\n          <p class=\"adex-hg-warning-main\">U+0430 \u2014 Cyrillic small letter a<\/p>\n          <p class=\"adex-hg-warning-desc\">Visually identical to Latin &#8220;a&#8221; (U+0061)<\/p>\n        <\/div>\n        <p class=\"adex-hg-section-label\">Certificate Detail<\/p>\n        <div class=\"adex-hg-row\">\n          <p class=\"adex-hg-label\">Issued To<\/p>\n          <p class=\"adex-hg-value adex-hg-value-red\">\u2014 (DV only)<\/p>\n        <\/div>\n        <div class=\"adex-hg-row\">\n          <p class=\"adex-hg-label\">CA<\/p>\n          <p class=\"adex-hg-value\">Let&#8217;s Encrypt<\/p>\n        <\/div>\n        <div class=\"adex-hg-row\">\n          <p class=\"adex-hg-label\">Punycode<\/p>\n          <p class=\"adex-hg-value adex-hg-value-red\">xn--pypal-4ve.com<\/p>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div>\n  <div class=\"adex-hg-bottom\">\n    Same pixels.<span class=\"adex-hg-separator\">\u00b7<\/span>Different DNS.<span class=\"adex-hg-separator\">\u00b7<\/span>Different owner.\n  <\/div>\n<\/div>\n\n\n\n<p>If your eye can&#8217;t tell which is which, that&#8217;s the point. The rest of this article is about how to build defenses that don&#8217;t depend on your eyes.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-a-homograph-attack\">What Is a Homograph Attack?<\/h2>\n\n\n\n<p>A homograph attack, sometimes called an IDN homograph attack, uses visually identical or near-identical characters from different scripts (or different code points within the same script) to register a domain that looks like a legitimate one but resolves to attacker-controlled infrastructure.<\/p>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>The technical foundation is Internationalized Domain Names (IDN). DNS itself only allows ASCII, so non-Latin domains are encoded into ASCII through Punycode. The Cyrillic-spoofed p\u0430ypal.com is internally xn--pypal-4ve.com. Browsers decide whether to render the Punycode form (visibly suspicious) or the Unicode form (invisibly identical to the legitimate domain) based on script-mixing rules that, as we&#8217;ll see, are not foolproof.<\/p>\n<\/p><\/div>\n    <style>.block__quote {margin: 32px 0;padding-left: 20px;border-left: 3px solid #00B8A7;}.block__quote_desc {font-weight: 700 !important;font-size: 18px !important;line-height: 28px !important;margin-bottom: 24px !important;}.block__quote_author {display: none;}<\/style>\n\n\n\n<p>The Unicode Consortium maintains a formal catalog of which characters are visually confusable with which others, in<a href=\"https:\/\/www.unicode.org\/reports\/tr39\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Unicode Technical Standard #39, &#8220;Unicode Security Mechanisms&#8221;<\/a>, and lists thousands of pairings. A homograph attack is, in essence, the weaponization of that catalog against domain trust.<\/p>\n\n\n\n<p>Three terms readers often blur, and shouldn&#8217;t:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Homograph attack \/ IDN homograph attack:<\/strong> characters from different scripts that look the same \u2014 Latin &#8220;a&#8221; vs Cyrillic &#8220;\u0430&#8221;, Latin &#8220;o&#8221; vs Greek &#8220;\u03bf&#8221;.<\/li>\n\n\n\n<li><strong>Homoglyph attack:<\/strong> broader umbrella that also includes within-script substitutions: lowercase &#8220;l&#8221; vs digit &#8220;1&#8221;, uppercase &#8220;I&#8221; vs lowercase &#8220;l&#8221;, &#8220;rn&#8221; rendered as &#8220;m&#8221;.<\/li>\n\n\n\n<li><strong>Typosquatting:<\/strong> plausible misspellings \u2013 <strong><em>gooogle.com<\/em><\/strong>, <strong><em>propelerads.com<\/em><\/strong>. Different attack classes, often combined with homoglyphs in the same campaign.<\/li>\n<\/ul>\n\n\n\n<p>The distinction matters because the defenses for each are different, and conflating them is one of the more common reasons brand-protection programs leave gaps. Most &#8220;look-alike domains attack&#8221; coverage in the wild is actually a mix of all three running at once.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/typosquatting-case\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/adex-lookialike-domain-typosquatting.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/adex-lookialike-domain-typosquatting.png\" sizes=\"100vw\" alt=\"adex-lookialike-domain-typosquatting\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"from-domain-intelligence-to-udrp-decision-a-typosquatting-case\"><a href=\"https:\/\/adex.com\/blog\/typosquatting-case\/\">From Domain Intelligence to UDRP Decision: A Typosquatting Case<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-the-attack-actually-works\">How the Attack Actually Works<\/h2>\n\n\n\n<p>The mechanism is simpler than the defensive complexity around it suggests.<\/p>\n\n\n\n<div class=\"adex-homograph-attack-block\">\n  <style>\n    .adex-homograph-attack-block {\n      max-width: 760px;\n      margin: 24px auto;\n      padding: 28px 24px 26px;\n      background: #ffffff;\n      border: 1px solid #e3e6f0;\n      border-radius: 14px;\n      font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n      color: #160b52;\n      box-sizing: border-box;\n      overflow: hidden;\n    }\n    .adex-homograph-attack-block *,\n    .adex-homograph-attack-block *::before,\n    .adex-homograph-attack-block *::after {\n      box-sizing: border-box;\n    }\n    .adex-homograph-attack-block .adex-ha-eyebrow {\n      margin: 0 0 8px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 10px;\n      line-height: 1.2;\n      letter-spacing: 0.22em;\n      text-transform: uppercase;\n      font-weight: 800;\n      color: #ff5050;\n    }\n    .adex-homograph-attack-block .adex-ha-title {\n      margin: 0 0 7px;\n      font-size: 22px;\n      line-height: 1.14;\n      letter-spacing: -0.03em;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-homograph-attack-block .adex-ha-subtitle {\n      margin: 0 0 20px;\n      max-width: 540px;\n      font-size: 13px;\n      line-height: 1.45;\n      color: #646790;\n    }\n    .adex-homograph-attack-block .adex-ha-legend {\n      display: flex;\n      flex-wrap: wrap;\n      gap: 10px;\n      margin-bottom: 22px;\n      padding-bottom: 14px;\n      border-bottom: 1px dashed #dfe4f2;\n    }\n    .adex-homograph-attack-block .adex-ha-pill {\n      display: inline-flex;\n      align-items: center;\n      gap: 6px;\n      padding: 5px 9px;\n      border-radius: 999px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 9px;\n      line-height: 1;\n      letter-spacing: 0.12em;\n      text-transform: uppercase;\n      font-weight: 800;\n    }\n    .adex-homograph-attack-block .adex-ha-pill-green {\n      background: #e2f8f1;\n      color: #009b83;\n    }\n    .adex-homograph-attack-block .adex-ha-pill-red {\n      background: #ffe1df;\n      color: #ff5050;\n    }\n    .adex-homograph-attack-block .adex-ha-timeline {\n      position: relative;\n      padding-left: 56px;\n    }\n    .adex-homograph-attack-block .adex-ha-timeline::before {\n      content: \"\";\n      position: absolute;\n      left: 23px;\n      top: 6px;\n      bottom: 14px;\n      width: 2px;\n      background: linear-gradient(180deg, #16006f 0%, #16006f 56%, #ff5050 100%);\n      border-radius: 99px;\n    }\n    .adex-homograph-attack-block .adex-ha-row {\n      position: relative;\n      margin-bottom: 18px;\n    }\n    .adex-homograph-attack-block .adex-ha-row:last-child {\n      margin-bottom: 0;\n    }\n    .adex-homograph-attack-block .adex-ha-node {\n      position: absolute;\n      left: -56px;\n      top: 0;\n      width: 46px;\n      height: 46px;\n      border-radius: 50%;\n      background: #ffffff;\n      border: 2px solid #16006f;\n      color: #16006f;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 13px;\n      line-height: 1;\n      font-weight: 900;\n      z-index: 2;\n    }\n    .adex-homograph-attack-block .adex-ha-row-danger .adex-ha-node {\n      border-color: #ff5050;\n      color: #ff5050;\n    }\n    .adex-homograph-attack-block .adex-ha-card {\n      overflow: hidden;\n      border: 1px solid #dfe4f2;\n      border-radius: 10px;\n      background: #ffffff;\n    }\n    .adex-homograph-attack-block .adex-ha-card-head {\n      display: flex;\n      align-items: center;\n      gap: 10px;\n      padding: 13px 16px;\n      border-bottom: 1px solid #dfe4f2;\n    }\n    .adex-homograph-attack-block .adex-ha-stage-label {\n      margin: 0;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 10px;\n      line-height: 1.2;\n      letter-spacing: 0.18em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #8b8fac;\n    }\n    .adex-homograph-attack-block .adex-ha-stage-title {\n      margin: 0;\n      font-size: 15px;\n      line-height: 1.2;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-homograph-attack-block .adex-ha-status {\n      margin-left: auto;\n      padding: 4px 8px;\n      border-radius: 999px;\n      background: #ffe1df;\n      color: #ff5050;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 9px;\n      line-height: 1;\n      letter-spacing: 0.14em;\n      text-transform: uppercase;\n      font-weight: 900;\n      white-space: nowrap;\n    }\n    .adex-homograph-attack-block .adex-ha-card-body {\n      display: grid;\n      grid-template-columns: 1fr 1fr;\n    }\n    .adex-homograph-attack-block .adex-ha-cell {\n      padding: 14px 16px 16px;\n      min-height: 80px;\n    }\n    .adex-homograph-attack-block .adex-ha-cell + .adex-ha-cell {\n      border-left: 1px solid #dfe4f2;\n      background: #fff8f8;\n    }\n    .adex-homograph-attack-block .adex-ha-cell-label {\n      margin: 0 0 8px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 9px;\n      line-height: 1.2;\n      letter-spacing: 0.18em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-homograph-attack-block .adex-ha-cell-danger .adex-ha-cell-label {\n      color: #ff5050;\n    }\n    .adex-homograph-attack-block .adex-ha-cell-text {\n      margin: 0;\n      font-size: 13px;\n      line-height: 1.42;\n      font-weight: 600;\n      color: #16006f;\n    }\n    .adex-homograph-attack-block .adex-ha-asymmetry {\n      display: grid;\n      grid-template-columns: 34px 1fr;\n      gap: 12px;\n      align-items: start;\n      margin-top: 26px;\n      padding: 18px 20px;\n      border-radius: 10px;\n      background: #ffe9e8;\n    }\n    .adex-homograph-attack-block .adex-ha-alert-icon {\n      width: 28px;\n      height: 28px;\n      border-radius: 50%;\n      background: #ff5050;\n      color: #ffffff;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 15px;\n      line-height: 1;\n      font-weight: 900;\n      flex: 0 0 auto;\n    }\n    .adex-homograph-attack-block .adex-ha-asymmetry-title {\n      margin: 0 0 6px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 11px;\n      line-height: 1.2;\n      letter-spacing: 0.18em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #ff5050;\n    }\n    .adex-homograph-attack-block .adex-ha-asymmetry-text {\n      margin: 0;\n      font-size: 13px;\n      line-height: 1.45;\n      color: #16006f;\n    }\n    @media (max-width: 700px) {\n      .adex-homograph-attack-block {\n        padding: 22px 16px;\n      }\n      .adex-homograph-attack-block .adex-ha-title {\n        font-size: 19px;\n      }\n      .adex-homograph-attack-block .adex-ha-timeline {\n        padding-left: 0;\n      }\n      .adex-homograph-attack-block .adex-ha-timeline::before {\n        display: none;\n      }\n      .adex-homograph-attack-block .adex-ha-node {\n        position: static;\n        margin-bottom: 8px;\n        width: 38px;\n        height: 38px;\n        font-size: 12px;\n      }\n      .adex-homograph-attack-block .adex-ha-card-body {\n        grid-template-columns: 1fr;\n      }\n      .adex-homograph-attack-block .adex-ha-cell + .adex-ha-cell {\n        border-left: 0;\n        border-top: 1px solid #dfe4f2;\n      }\n      .adex-homograph-attack-block .adex-ha-card-head {\n        flex-wrap: wrap;\n      }\n      .adex-homograph-attack-block .adex-ha-status {\n        margin-left: 0;\n      }\n    }\n    @media (max-width: 480px) {\n      .adex-homograph-attack-block {\n        padding: 18px 12px;\n      }\n      .adex-homograph-attack-block .adex-ha-eyebrow {\n        font-size: 9px;\n      }\n      .adex-homograph-attack-block .adex-ha-title {\n        font-size: 17px;\n      }\n      .adex-homograph-attack-block .adex-ha-card-head {\n        padding: 12px;\n      }\n      .adex-homograph-attack-block .adex-ha-cell {\n        padding: 13px 12px;\n      }\n      .adex-homograph-attack-block .adex-ha-cell-text {\n        font-size: 12px;\n      }\n      .adex-homograph-attack-block .adex-ha-asymmetry {\n        grid-template-columns: 1fr;\n        padding: 16px 14px;\n      }\n    }\n  <\/style>\n  <p class=\"adex-ha-eyebrow\">Attack Chain \u00b7 Defender Visibility<\/p>\n  <h2 class=\"adex-ha-title\" id=\"how-a-homograph-attack-moves-through-the-chain\">How a Homograph Attack Moves Through the Chain<\/h2>\n  <p class=\"adex-ha-subtitle\">\n    The attacker sees every step. Defenders usually see only the earliest registration signals \u2014 and the damage report at the end.\n  <\/p>\n  <div class=\"adex-ha-legend\">\n    <span class=\"adex-ha-pill adex-ha-pill-green\">Visible early<\/span>\n    <span class=\"adex-ha-pill adex-ha-pill-red\">Invisible later<\/span>\n  <\/div>\n  <div class=\"adex-ha-timeline\">\n    <div class=\"adex-ha-row\">\n      <div class=\"adex-ha-node\">01<\/div>\n      <div class=\"adex-ha-card\">\n        <div class=\"adex-ha-card-head\">\n          <p class=\"adex-ha-stage-label\">Stage 01<\/p>\n          <h3 class=\"adex-ha-stage-title\" id=\"registration\">Registration<\/h3>\n        <\/div>\n        <div class=\"adex-ha-card-body\">\n          <div class=\"adex-ha-cell\">\n            <p class=\"adex-ha-cell-label\">Attacker Action<\/p>\n            <p class=\"adex-ha-cell-text\">Registers a visually identical IDN domain using lookalike Unicode characters.<\/p>\n          <\/div>\n          <div class=\"adex-ha-cell adex-ha-cell-danger\">\n            <p class=\"adex-ha-cell-label\">Defender Visibility<\/p>\n            <p class=\"adex-ha-cell-text\">Visible only if WHOIS, zone files, or IDN-aware monitoring are watching.<\/p>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n    <div class=\"adex-ha-row\">\n      <div class=\"adex-ha-node\">02<\/div>\n      <div class=\"adex-ha-card\">\n        <div class=\"adex-ha-card-head\">\n          <p class=\"adex-ha-stage-label\">Stage 02<\/p>\n          <h3 class=\"adex-ha-stage-title\" id=\"certificate-setup\">Certificate Setup<\/h3>\n        <\/div>\n        <div class=\"adex-ha-card-body\">\n          <div class=\"adex-ha-cell\">\n            <p class=\"adex-ha-cell-label\">Attacker Action<\/p>\n            <p class=\"adex-ha-cell-text\">Obtains a basic DV certificate so the spoofed domain appears locked and credible.<\/p>\n          <\/div>\n          <div class=\"adex-ha-cell adex-ha-cell-danger\">\n            <p class=\"adex-ha-cell-label\">Defender Visibility<\/p>\n            <p class=\"adex-ha-cell-text\">Visible through certificate transparency logs if the brand monitors variants.<\/p>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n    <div class=\"adex-ha-row\">\n      <div class=\"adex-ha-node\">03<\/div>\n      <div class=\"adex-ha-card\">\n        <div class=\"adex-ha-card-head\">\n          <p class=\"adex-ha-stage-label\">Stage 03<\/p>\n          <h3 class=\"adex-ha-stage-title\" id=\"delivery\">Delivery<\/h3>\n        <\/div>\n        <div class=\"adex-ha-card-body\">\n          <div class=\"adex-ha-cell\">\n            <p class=\"adex-ha-cell-label\">Attacker Action<\/p>\n            <p class=\"adex-ha-cell-text\">Sends the domain through email, ads, search results, or social channels.<\/p>\n          <\/div>\n          <div class=\"adex-ha-cell adex-ha-cell-danger\">\n            <p class=\"adex-ha-cell-label\">Defender Visibility<\/p>\n            <p class=\"adex-ha-cell-text\">Usually hidden unless the delivery channel itself is instrumented.<\/p>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n    <div class=\"adex-ha-row\">\n      <div class=\"adex-ha-node\">04<\/div>\n      <div class=\"adex-ha-card\">\n        <div class=\"adex-ha-card-head\">\n          <p class=\"adex-ha-stage-label\">Stage 04<\/p>\n          <h3 class=\"adex-ha-stage-title\" id=\"rendering\">Rendering<\/h3>\n        <\/div>\n        <div class=\"adex-ha-card-body\">\n          <div class=\"adex-ha-cell\">\n            <p class=\"adex-ha-cell-label\">Attacker Action<\/p>\n            <p class=\"adex-ha-cell-text\">Relies on visual similarity and browser-specific IDN rules.<\/p>\n          <\/div>\n          <div class=\"adex-ha-cell adex-ha-cell-danger\">\n            <p class=\"adex-ha-cell-label\">Defender Visibility<\/p>\n            <p class=\"adex-ha-cell-text\">Victims see a domain that appears to belong to the real brand.<\/p>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n    <div class=\"adex-ha-row adex-ha-row-danger\">\n      <div class=\"adex-ha-node\">05<\/div>\n      <div class=\"adex-ha-card\">\n        <div class=\"adex-ha-card-head\">\n          <p class=\"adex-ha-stage-label\">Stage 05<\/p>\n          <h3 class=\"adex-ha-stage-title\" id=\"exploitation\">Exploitation<\/h3>\n          <span class=\"adex-ha-status\">Invisible<\/span>\n        <\/div>\n        <div class=\"adex-ha-card-body\">\n          <div class=\"adex-ha-cell\">\n            <p class=\"adex-ha-cell-label\">Attacker Action<\/p>\n            <p class=\"adex-ha-cell-text\">Captures credentials, drops malware, or stages &#8220;scam expos\u00e9&#8221; content for reputation attacks.<\/p>\n          <\/div>\n          <div class=\"adex-ha-cell adex-ha-cell-danger\">\n            <p class=\"adex-ha-cell-label\">Defender Visibility<\/p>\n            <p class=\"adex-ha-cell-text\">Surfaces only when victims report \u2014 long after damage is done.<\/p>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div>\n  <div class=\"adex-ha-asymmetry\">\n    <div class=\"adex-ha-alert-icon\">!<\/div>\n    <div>\n      <p class=\"adex-ha-asymmetry-title\">The Asymmetry<\/p>\n      <p class=\"adex-ha-asymmetry-text\">\n        Defenders have only two real windows of visibility \u2014 WHOIS and CT logs \u2014 both at the very start of the chain. Everything from delivery onward happens in the dark unless the channel itself is instrumented.\n      <\/p>\n    <\/div>\n  <\/div>\n<\/div>\n\n\n\n<p>What makes the attack durable is the asymmetry of effort. Registering a confusable IDN costs the same as any other domain. A valid TLS certificate is free from public CAs and can be issued in minutes.&nbsp;<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#d6d6d630\">The attacker only needs the chain to work once for a given target: one click, one credential, one indexed page. Defenders have to hold a perimeter around every brand string the attacker might plausibly target, across every TLD, every script combination, and every confusable variant.<\/p>\n\n\n\n<p>That asymmetry is the actual reason this attack class survives. It isn&#8217;t technical sophistication.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"where-the-address-bar-stops-protecting-you\">Where the Address Bar Stops Protecting You<\/h2>\n\n\n\n<p>Most modern browsers implement IDN display rules to defuse the obvious cases. Chrome and Chromium-based browsers apply a <a href=\"https:\/\/chromium.googlesource.com\/chromium\/src\/+\/main\/docs\/idn.md\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">layered set of conditions<\/a> before showing a domain in Unicode rather than Punycode, including checks for mixed scripts, character whitelisting, and TLD-script alignment.&nbsp;<\/p>\n\n\n\n<p>Firefox uses a <a href=\"https:\/\/wiki.mozilla.org\/IDN_Display_Algorithm\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">similar but distinct algorithm<\/a> maintained by Mozilla. Where those rules trigger, the user sees <strong><em>xn--pypal-4ve.com<\/em><\/strong>, and the impersonation collapses.<\/p>\n\n\n\n<p>Where they don&#8217;t trigger, and there are gaps, the user sees the spoof.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p><span style=\"font-weight: 400;\">The most-cited demonstration remains researcher <a href=\"https:\/\/www.xudongz.com\/blog\/2017\/idn-phishing\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\"><span style=\"font-weight: 400;\">Xudong Zheng&#8217;s 2017 disclosure<\/span><\/a><span style=\"font-weight: 400;\"> of <\/span><em><strong>xn--80ak6aa92e.com<\/strong><\/em><span style=\"font-weight: 400;\"> rendering as <\/span><em><strong>\u0430\u0440\u0440\u04cf\u0435.com<\/strong><\/em><span style=\"font-weight: 400;\">, a fully Cyrillic string that bypassed Chrome and Firefox&#8217;s same-script heuristic precisely because it didn&#8217;t mix scripts. Both browsers were patched, but the underlying logic, &#8220;single-script domains are probably safe,&#8221; remains a structural assumption that adversaries continue to probe.<\/span><\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>This is the first hidden failure mode worth naming. Browser IDN rules are heuristic, not deterministic. They&#8217;re tuned against a known catalog of confusables and a known set of bypass patterns. They don&#8217;t generalize gracefully to new TLDs, new scripts entering common use, or single-script lookalikes within recently added Unicode blocks.&nbsp;<\/p>\n\n\n\n<p>Treating the address bar as the trust boundary is treating the last and weakest layer as if it were the first.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mobile-makes-it-worse\">Mobile makes it worse<\/h3>\n\n\n\n<p>Desktop discussion dominates this topic, but most adtech traffic is mobile. On mobile browsers, the address bar is shorter, often hidden during scroll, and frequently truncates the domain to the leftmost characters. A user who would catch <strong><em>p\u0430ypal.com<\/em><\/strong> on a 27-inch monitor often won&#8217;t catch <strong><em>accounts.p\u0430ypal-secure.com<\/em><\/strong> on an iPhone, where only <strong><em>accounts.p\u0430ypal-&#8230;<\/em><\/strong> is visible.<\/p>\n\n\n\n<p>iOS Safari, Chrome on Android, and most in-app browsers (Instagram, TikTok, Telegram WebView) all carry their own quirks in IDN rendering and certificate-warning behavior. None of them is a stronger trust boundary than desktop Chrome, and several are weaker.<\/p>\n\n\n\n<p>If your threat model includes mobile traffic, and in adtech it always does, browser-level protection is materially less reliable than the desktop case studies suggest.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/abuse-of-trusted-domains-in-igaming\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/Adex-Subdomain-Takeover-Case-Study.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/Adex-Subdomain-Takeover-Case-Study.png\" sizes=\"100vw\" alt=\"Adex-Subdomain-Takeover-Case-Study\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/guides\/\" class=\"block__preview_box-cat\">Guides<\/a>        <h3 class=\"block__preview_box-title\" id=\"adex-detects-abuse-of-trusted-domains-in-igaming-advertising-campaigns\"><a href=\"https:\/\/adex.com\/blog\/abuse-of-trusted-domains-in-igaming\/\">Adex Detects Abuse of Trusted Domains in iGaming Advertising Campaigns<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-adtech-is-a-particular-target\">Why Adtech Is a Particular Target<\/h2>\n\n\n\n<p>Homograph and look-alike domains tend to surface in three operational contexts inside ad-supported ecosystems, each with different consequences and different ownership inside the buying organization.<\/p>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p>In <strong>malvertising landing-page impersonation<\/strong>, a creative directs traffic to what visually appears to be a known retailer, fintech brand, or software vendor, but the destination is a credential-harvesting clone.\u00a0<\/p>\n<\/p><\/div>\n    <style>.block__quote {margin: 32px 0;padding-left: 20px;border-left: 3px solid #00B8A7;}.block__quote_desc {font-weight: 700 !important;font-size: 18px !important;line-height: 28px !important;margin-bottom: 24px !important;}.block__quote_author {display: none;}<\/style>\n\n\n\n<p>From the buy-side perspective, this is a brand-safety incident; from the sell-side perspective, it&#8217;s a creative-review failure; from the user&#8217;s perspective, it&#8217;s indistinguishable from a real visit until the damage is done.<\/p>\n\n\n\n<p><strong>Partner and supplier phishing<\/strong> is the costlier category in practice. Operations teams at networks, agencies, and exchanges receive a high volume of legitimate inbound from external counterparties, and a spoofed sender domain that visually matches a known partner: <strong><em>p\u0430rtner.com<\/em><\/strong>, <strong><em>examp1e.com<\/em><\/strong> \u2013 is often opened, clicked, and acted on within the same hour.<\/p>\n\n\n\n<p>The cost here is rarely a stolen password \u2013 it\u2019s wire instructions changed, a payment redirected, an API key disclosed.<\/p>\n\n\n    <div class=\"block__quote\"><p class=\"block__quote_desc\"><p><strong>Reputation infrastructure<\/strong> uses homograph or near-homograph domains to host defamatory or &#8220;scam expos\u00e9&#8221; content designed to capture branded search traffic. This overlaps more with typosquatting than with pure homograph attacks, but the operational playbook is the same.\u00a0<\/p>\n<\/p><\/div>\n    <style>.block__quote {margin: 32px 0;padding-left: 20px;border-left: 3px solid #00B8A7;}.block__quote_desc {font-weight: 700 !important;font-size: 18px !important;line-height: 28px !important;margin-bottom: 24px !important;}.block__quote_author {display: none;}<\/style>\n\n\n\n<p>ADEX&#8217;s own brand-protection team documented one such case in which a one-letter-off domain was used to host coordinated negative content against a major ad network, which was eventually transferred via WIPO proceedings. The <a href=\"https:\/\/adex.com\/blog\/typosquatting-case\/\" target=\"_blank\" rel=\"noreferrer noopener\">domain-intelligence to UDRP case study<\/a> is worth reading for the registrar data and OSINT mechanics, which apply directly to homograph cases as well.<\/p>\n\n\n\n<p>These three contexts are usually the same actors at different stages of the same campaign. The phishing infrastructure, the malvertising landing pages, and the reputation domains tend to share registrar patterns, DNS providers, and registrant fingerprints. Treating them as separate problems is one of the reasons remediation feels endless.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"real-incidents-worth-knowing\">Real Incidents Worth Knowing<\/h2>\n\n\n\n<div class=\"adex-notable-cases-block\">\n  <style>\n    .adex-notable-cases-block {\n      max-width: 760px;\n      margin: 24px auto;\n      padding: 30px 28px 28px;\n      background: linear-gradient(135deg, #f7f8fc 0%, #eef1f8 100%);\n      border: 1px solid #dfe4f0;\n      border-left: 4px solid #16006f;\n      border-radius: 14px;\n      font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n      color: #17104f;\n      box-sizing: border-box;\n      overflow: hidden;\n      position: relative;\n    }\n    .adex-notable-cases-block *,\n    .adex-notable-cases-block *::before,\n    .adex-notable-cases-block *::after {\n      box-sizing: border-box;\n    }\n    .adex-notable-cases-block::before {\n      content: \"\";\n      position: absolute;\n      top: -70px;\n      right: -70px;\n      width: 160px;\n      height: 160px;\n      border-radius: 50%;\n      background: radial-gradient(circle, rgba(22, 0, 111, 0.06) 0%, transparent 70%);\n      pointer-events: none;\n    }\n    .adex-notable-cases-block .adex-nc-header {\n      position: relative;\n      display: grid;\n      grid-template-columns: 44px 1fr;\n      gap: 14px;\n      align-items: start;\n      margin-bottom: 22px;\n    }\n    .adex-notable-cases-block .adex-nc-icon {\n      width: 36px;\n      height: 36px;\n      border-radius: 9px;\n      background: #16006f;\n      color: #ffffff;\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      box-shadow: 0 6px 16px rgba(22, 0, 111, 0.24);\n    }\n    .adex-notable-cases-block .adex-nc-eyebrow {\n      margin: 0 0 14px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 11px;\n      line-height: 1.2;\n      letter-spacing: 0.22em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-notable-cases-block .adex-nc-title {\n      margin: 0 0 8px;\n      font-size: 22px;\n      line-height: 1.16;\n      letter-spacing: -0.03em;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-notable-cases-block .adex-nc-subtitle {\n      margin: 0;\n      font-size: 13px;\n      line-height: 1.45;\n      font-style: italic;\n      color: #65698f;\n    }\n    .adex-notable-cases-block .adex-nc-list {\n      position: relative;\n      display: grid;\n      gap: 14px;\n      margin-top: 22px;\n    }\n    .adex-notable-cases-block .adex-nc-card {\n      position: relative;\n      padding: 18px 20px 16px;\n      background: rgba(255, 255, 255, 0.82);\n      border: 1px solid #dfe4f0;\n      border-radius: 11px;\n      box-shadow: 0 1px 0 rgba(22, 0, 111, 0.03);\n    }\n    .adex-notable-cases-block .adex-nc-card-highlight {\n      border: 2px solid #ff5050;\n      background: #ffffff;\n    }\n    .adex-notable-cases-block .adex-nc-card-title-row {\n      display: flex;\n      flex-wrap: wrap;\n      align-items: center;\n      gap: 9px;\n      margin-bottom: 10px;\n    }\n    .adex-notable-cases-block .adex-nc-card-title {\n      margin: 0;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 16px;\n      line-height: 1.25;\n      letter-spacing: -0.02em;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-notable-cases-block .adex-nc-badge {\n      display: inline-flex;\n      align-items: center;\n      justify-content: center;\n      padding: 4px 9px;\n      border-radius: 999px;\n      background: #e8e6f4;\n      color: #16006f;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 10px;\n      line-height: 1;\n      font-weight: 900;\n      white-space: nowrap;\n    }\n    .adex-notable-cases-block .adex-nc-badge-red {\n      background: #ff5050;\n      color: #ffffff;\n    }\n    .adex-notable-cases-block .adex-nc-text {\n      margin: 0;\n      font-size: 13px;\n      line-height: 1.45;\n      color: #25204f;\n    }\n    .adex-notable-cases-block .adex-nc-text strong {\n      color: #16006f;\n      font-weight: 900;\n    }\n    .adex-notable-cases-block .adex-nc-reference {\n      margin: 13px 0 0;\n      padding-top: 10px;\n      border-top: 1px dashed #d9deec;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 11px;\n      line-height: 1.45;\n      color: #686c91;\n    }\n    .adex-notable-cases-block .adex-nc-card-highlight .adex-nc-reference {\n      color: #ff5050;\n    }\n    @media (max-width: 620px) {\n      .adex-notable-cases-block {\n        padding: 24px 18px;\n      }\n      .adex-notable-cases-block .adex-nc-header {\n        grid-template-columns: 1fr;\n        gap: 12px;\n      }\n      .adex-notable-cases-block .adex-nc-title {\n        font-size: 20px;\n      }\n      .adex-notable-cases-block .adex-nc-subtitle {\n        font-size: 12px;\n      }\n      .adex-notable-cases-block .adex-nc-card {\n        padding: 16px 14px;\n      }\n      .adex-notable-cases-block .adex-nc-card-title {\n        font-size: 14px;\n      }\n      .adex-notable-cases-block .adex-nc-text {\n        font-size: 12px;\n      }\n    }\n    @media (max-width: 400px) {\n      .adex-notable-cases-block {\n        padding: 20px 14px;\n      }\n      .adex-notable-cases-block .adex-nc-eyebrow {\n        font-size: 10px;\n      }\n      .adex-notable-cases-block .adex-nc-title {\n        font-size: 18px;\n      }\n      .adex-notable-cases-block .adex-nc-card-title-row {\n        gap: 6px;\n      }\n      .adex-notable-cases-block .adex-nc-badge {\n        font-size: 9px;\n      }\n    }\n  <\/style>\n  <div class=\"adex-nc-header\">\n    <div class=\"adex-nc-icon\" aria-hidden=\"true\">\n      <svg width=\"19\" height=\"19\" viewBox=\"0 0 24 24\" fill=\"none\">\n        <path d=\"M7 3H14L19 8V21H7V3Z\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linejoin=\"round\"\/>\n        <path d=\"M14 3V8H19\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linejoin=\"round\"\/>\n        <path d=\"M10 13H16\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\/>\n        <path d=\"M10 17H15\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\/>\n      <\/svg>\n    <\/div>\n    <div>\n      <p class=\"adex-nc-eyebrow\">Notable Cases<\/p>\n      <h2 class=\"adex-nc-title\" id=\"homograph-typosquat-incidents-in-the-wild\">Homograph &amp; Typosquat Incidents in the Wild<\/h2>\n      <p class=\"adex-nc-subtitle\">A non-exhaustive timeline of public disclosures shaping today&#8217;s IDN threat landscape.<\/p>\n    <\/div>\n  <\/div>\n  <div class=\"adex-nc-list\">\n    <div class=\"adex-nc-card\">\n      <div class=\"adex-nc-card-title-row\">\n        <h3 class=\"adex-nc-card-title\" id=\"anple-com\">anple.com<\/h3>\n        <span class=\"adex-nc-badge\">2017<\/span>\n      <\/div>\n      <p class=\"adex-nc-text\">\n        A proof-of-concept fully Cyrillic domain rendered as <strong>apple.com<\/strong> in unpatched Chrome and Firefox builds (Xudong Zheng). Patched \u2014 but the structural single-script bypass logic remains.\n      <\/p>\n      <p class=\"adex-nc-reference\">Reference: Zheng&#8217;s original disclosure on his personal blog.<\/p>\n    <\/div>\n    <div class=\"adex-nc-card\">\n      <div class=\"adex-nc-card-title-row\">\n        <h3 class=\"adex-nc-card-title\" id=\"binance-com-%c2%b7-kraken-com-%c2%b7-coinbase-com\">binance.com \u00b7 kraken.com \u00b7 coinbase.com<\/h3>\n        <span class=\"adex-nc-badge\">2018\u20132022<\/span>\n      <\/div>\n      <p class=\"adex-nc-text\">\n        <strong>Crypto-exchange phishing waves.<\/strong> Multiple campaigns used IDN look-alikes with Latin\/Cyrillic substitutions to host credential-harvesting clones.\n      <\/p>\n      <p class=\"adex-nc-reference\">Documented by Group-IB and Recorded Future in periodic threat-landscape reports.<\/p>\n    <\/div>\n    <div class=\"adex-nc-card\">\n      <div class=\"adex-nc-card-title-row\">\n        <h3 class=\"adex-nc-card-title\" id=\"epik-registrar-wave\">Epik registrar wave<\/h3>\n        <span class=\"adex-nc-badge\">2018<\/span>\n      <\/div>\n      <p class=\"adex-nc-text\">\n        <strong>Coordinated homoglyph batch.<\/strong> Farsight Security identified hundreds of registrations targeting major banks and fintechs, channeled through a small set of registrars and resold for phishing infrastructure.\n      <\/p>\n      <p class=\"adex-nc-reference\">Source: Farsight Security research blog.<\/p>\n    <\/div>\n    <div class=\"adex-nc-card\">\n      <div class=\"adex-nc-card-title-row\">\n        <h3 class=\"adex-nc-card-title\" id=\"healthcare-sector-wave\">Healthcare-sector wave<\/h3>\n        <span class=\"adex-nc-badge\">2020\u20132021<\/span>\n      <\/div>\n      <p class=\"adex-nc-text\">\n        <strong>COVID-era impersonation.<\/strong> Multiple national CERTs reported homograph domains impersonating ministries of health and vaccine portals, used for credential phishing and malware drop pages.\n      <\/p>\n      <p class=\"adex-nc-reference\">Documented by ENISA in its 2021 threat landscape report.<\/p>\n    <\/div>\n    <div class=\"adex-nc-card adex-nc-card-highlight\">\n      <div class=\"adex-nc-card-title-row\">\n        <h3 class=\"adex-nc-card-title\" id=\"propelerads-com\">propelerads.com<\/h3>\n        <span class=\"adex-nc-badge adex-nc-badge-red\">ADEX \u00b7 2025<\/span>\n      <\/div>\n      <p class=\"adex-nc-text\">\n        <strong>Adtech reputation case.<\/strong> A typosquatting domain with one missing letter was used to host defamatory \u201cscam reveal\u201d content targeting branded search traffic.\n      <\/p>\n      <p class=\"adex-nc-reference\">Source: ADEX brand-protection investigation.<\/p>\n    <\/div>\n  <\/div>\n<\/div>\n\n\n\n<p>The pattern across these cases is that the technical novelty is low and the operational discipline is high. Attackers reuse the same registrar relationships, DV-cert pipelines, and content templates. Defenders who look for novelty miss the campaign; defenders who look for repetition catch it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-confusable-universe-is-larger-than-most-defenders-think\">The Confusable Universe Is Larger Than Most Defenders Think<\/h2>\n\n\n\n<p>There&#8217;s a tendency to picture homograph attacks as the Cyrillic-vs-Latin example and stop there. The actual confusable surface is wider, and parts of it are routinely missed by defensive monitoring.<\/p>\n\n\n\n<div class=\"adex-domain-confusables-block\">\n  <style>\n    .adex-domain-confusables-block {\n      max-width: 800px;\n      margin: 24px auto;\n      padding: 28px 26px 24px;\n      background: #ffffff;\n      border: 1px solid #e3e6f0;\n      border-radius: 14px;\n      font-family: -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif;\n      color: #160b52;\n      box-sizing: border-box;\n      overflow: hidden;\n    }\n    .adex-domain-confusables-block *,\n    .adex-domain-confusables-block *::before,\n    .adex-domain-confusables-block *::after {\n      box-sizing: border-box;\n    }\n    .adex-domain-confusables-block .adex-dc-head {\n      margin-bottom: 26px;\n    }\n    .adex-domain-confusables-block .adex-dc-title {\n      margin: 0 0 7px;\n      font-size: 22px;\n      line-height: 1.15;\n      letter-spacing: -0.03em;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-domain-confusables-block .adex-dc-subtitle {\n      margin: 0;\n      font-size: 13px;\n      line-height: 1.45;\n      font-style: italic;\n      color: #65698f;\n    }\n    .adex-domain-confusables-block .adex-dc-tree {\n      display: grid;\n      grid-template-columns: 200px 1fr;\n      gap: 26px;\n      position: relative;\n    }\n    .adex-domain-confusables-block .adex-dc-hub-col {\n      position: relative;\n      padding-top: 0;\n    }\n    .adex-domain-confusables-block .adex-dc-hub {\n      position: sticky;\n      top: 18px;\n      min-height: 140px;\n      border-radius: 12px;\n      background: linear-gradient(135deg, #16006f 0%, #30206f 100%);\n      color: #ffffff;\n      display: flex;\n      flex-direction: column;\n      align-items: center;\n      justify-content: center;\n      text-align: center;\n      box-shadow: 0 12px 24px rgba(22, 0, 111, 0.18);\n      padding: 20px 16px;\n    }\n    .adex-domain-confusables-block .adex-dc-hub-icon {\n      width: 42px;\n      height: 42px;\n      border-radius: 11px;\n      background: rgba(255, 255, 255, 0.14);\n      display: flex;\n      align-items: center;\n      justify-content: center;\n      margin-bottom: 12px;\n      color: #ffffff;\n    }\n    .adex-domain-confusables-block .adex-dc-hub-title {\n      margin: 0 0 8px;\n      font-size: 15px;\n      line-height: 1.18;\n      font-weight: 900;\n      color: #ffffff;\n    }\n    .adex-domain-confusables-block .adex-dc-hub-label {\n      margin: 0;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 9px;\n      line-height: 1.2;\n      letter-spacing: 0.18em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: rgba(255, 255, 255, 0.56);\n    }\n    .adex-domain-confusables-block .adex-dc-branches {\n      position: relative;\n      display: grid;\n      gap: 12px;\n    }\n    .adex-domain-confusables-block .adex-dc-branches::before {\n      content: \"\";\n      position: absolute;\n      left: -26px;\n      top: 26px;\n      bottom: 0;\n      width: 2px;\n      background: #dfe4f2;\n      border-radius: 99px;\n    }\n    .adex-domain-confusables-block .adex-dc-card {\n      position: relative;\n      min-height: 92px;\n      padding: 16px 18px;\n      border: 1px solid #dfe4f2;\n      border-radius: 11px;\n      background: #fbfcff;\n    }\n    .adex-domain-confusables-block .adex-dc-card::before {\n      content: \"\";\n      position: absolute;\n      left: -31px;\n      top: 24px;\n      width: 10px;\n      height: 10px;\n      border-radius: 50%;\n      background: #ffffff;\n      border: 2px solid #c8cee5;\n      z-index: 2;\n    }\n    .adex-domain-confusables-block .adex-dc-card-blind {\n      border: 2px solid #ff5050;\n      background: #fff8f8;\n    }\n    .adex-domain-confusables-block .adex-dc-card-blind::before {\n      background: #ff5050;\n      border-color: #ffd0cc;\n      box-shadow: 0 0 0 3px rgba(255, 80, 80, 0.12);\n    }\n    .adex-domain-confusables-block .adex-dc-card-top {\n      display: flex;\n      align-items: center;\n      gap: 10px;\n      margin-bottom: 10px;\n    }\n    .adex-domain-confusables-block .adex-dc-num {\n      display: inline-flex;\n      align-items: center;\n      justify-content: center;\n      min-width: 28px;\n      height: 18px;\n      padding: 0 7px;\n      border-radius: 6px;\n      background: #ececf7;\n      color: #73779c;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 10px;\n      line-height: 1;\n      font-weight: 900;\n    }\n    .adex-domain-confusables-block .adex-dc-card-blind .adex-dc-num {\n      background: #ff5050;\n      color: #ffffff;\n    }\n    .adex-domain-confusables-block .adex-dc-card-title {\n      margin: 0;\n      font-size: 15px;\n      line-height: 1.25;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-domain-confusables-block .adex-dc-blind-badge {\n      margin-left: auto;\n      display: inline-flex;\n      align-items: center;\n      gap: 5px;\n      padding: 5px 9px;\n      border: 1px solid #ff5050;\n      border-radius: 7px;\n      background: #ffffff;\n      color: #ff5050;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 9px;\n      line-height: 1;\n      letter-spacing: 0.12em;\n      text-transform: uppercase;\n      font-weight: 900;\n      white-space: nowrap;\n    }\n    .adex-domain-confusables-block .adex-dc-text {\n      margin: 0 0 11px;\n      font-size: 13px;\n      line-height: 1.45;\n      color: #25204f;\n    }\n    .adex-domain-confusables-block .adex-dc-meta-row {\n      display: flex;\n      flex-wrap: wrap;\n      align-items: center;\n      gap: 7px;\n    }\n    .adex-domain-confusables-block .adex-dc-code {\n      display: inline-flex;\n      align-items: center;\n      padding: 4px 9px;\n      border: 1px dashed #c9d1ea;\n      border-radius: 6px;\n      background: #ffffff;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 11px;\n      line-height: 1;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-domain-confusables-block .adex-dc-status {\n      display: inline-flex;\n      align-items: center;\n      gap: 5px;\n      padding: 5px 9px;\n      border-radius: 999px;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 9px;\n      line-height: 1;\n      letter-spacing: 0.08em;\n      text-transform: uppercase;\n      font-weight: 900;\n      white-space: nowrap;\n    }\n    .adex-domain-confusables-block .adex-dc-status::before {\n      content: \"\";\n      width: 6px;\n      height: 6px;\n      border-radius: 50%;\n      display: inline-block;\n    }\n    .adex-domain-confusables-block .adex-dc-status-often {\n      background: #e2f8f1;\n      color: #009b83;\n    }\n    .adex-domain-confusables-block .adex-dc-status-often::before {\n      background: #00a77a;\n    }\n    .adex-domain-confusables-block .adex-dc-status-rarely {\n      background: #fff0df;\n      color: #c86d00;\n    }\n    .adex-domain-confusables-block .adex-dc-status-rarely::before {\n      background: #f28a00;\n    }\n    .adex-domain-confusables-block .adex-dc-status-never {\n      background: #ffe7e5;\n      color: #e53935;\n    }\n    .adex-domain-confusables-block .adex-dc-status-never::before {\n      background: #ff5050;\n    }\n    .adex-domain-confusables-block .adex-dc-legend {\n      display: flex;\n      flex-wrap: wrap;\n      align-items: center;\n      gap: 12px;\n      margin-top: 22px;\n      padding-top: 16px;\n      border-top: 1px dashed #dfe4f2;\n      color: #65698f;\n      font-size: 11px;\n      line-height: 1.3;\n    }\n    .adex-domain-confusables-block .adex-dc-legend-title {\n      margin: 0;\n      font-family: \"SF Mono\", \"JetBrains Mono\", Menlo, Consolas, monospace;\n      font-size: 10px;\n      line-height: 1.2;\n      letter-spacing: 0.18em;\n      text-transform: uppercase;\n      font-weight: 900;\n      color: #16006f;\n    }\n    .adex-domain-confusables-block .adex-dc-legend-item {\n      display: inline-flex;\n      align-items: center;\n      gap: 6px;\n    }\n    .adex-domain-confusables-block .adex-dc-legend-dot {\n      width: 9px;\n      height: 9px;\n      border-radius: 50%;\n      display: inline-block;\n    }\n    .adex-domain-confusables-block .adex-dc-dot-often {\n      background: #00a77a;\n    }\n    .adex-domain-confusables-block .adex-dc-dot-rarely {\n      background: #f28a00;\n    }\n    .adex-domain-confusables-block .adex-dc-dot-never {\n      background: #ff5050;\n    }\n    @media (max-width: 680px) {\n      .adex-domain-confusables-block {\n        padding: 22px 16px;\n      }\n      .adex-domain-confusables-block .adex-dc-title {\n        font-size: 19px;\n      }\n      .adex-domain-confusables-block .adex-dc-tree {\n        grid-template-columns: 1fr;\n        gap: 18px;\n      }\n      .adex-domain-confusables-block .adex-dc-hub {\n        position: relative;\n        top: auto;\n        min-height: auto;\n      }\n      .adex-domain-confusables-block .adex-dc-branches::before,\n      .adex-domain-confusables-block .adex-dc-card::before {\n        display: none;\n      }\n      .adex-domain-confusables-block .adex-dc-card-top {\n        flex-wrap: wrap;\n      }\n      .adex-domain-confusables-block .adex-dc-blind-badge {\n        margin-left: 0;\n      }\n    }\n    @media (max-width: 440px) {\n      .adex-domain-confusables-block {\n        padding: 18px 12px;\n      }\n      .adex-domain-confusables-block .adex-dc-title {\n        font-size: 17px;\n      }\n      .adex-domain-confusables-block .adex-dc-subtitle {\n        font-size: 12px;\n      }\n      .adex-domain-confusables-block .adex-dc-card {\n        padding: 14px;\n      }\n      .adex-domain-confusables-block .adex-dc-card-title {\n        font-size: 13px;\n      }\n      .adex-domain-confusables-block .adex-dc-text {\n        font-size: 12px;\n      }\n      .adex-domain-confusables-block .adex-dc-code {\n        font-size: 10px;\n      }\n    }\n  <\/style>\n  <div class=\"adex-dc-head\">\n    <h2 class=\"adex-dc-title\" id=\"categories-of-domain-confusables\">Categories of Domain Confusables<\/h2>\n    <p class=\"adex-dc-subtitle\">Five branches of look-alike risk \u2014 and two systemic blind spots most brand programs under-monitor.<\/p>\n  <\/div>\n  <div class=\"adex-dc-tree\">\n    <div class=\"adex-dc-hub-col\">\n      <div class=\"adex-dc-hub\">\n        <div class=\"adex-dc-hub-icon\" aria-hidden=\"true\">\n          <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\">\n            <circle cx=\"12\" cy=\"12\" r=\"9\" stroke=\"currentColor\" stroke-width=\"2\"\/>\n            <path d=\"M3 12H21\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\/>\n            <path d=\"M12 3C14.4 5.4 15.5 8.4 15.5 12C15.5 15.6 14.4 18.6 12 21\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\/>\n            <path d=\"M12 3C9.6 5.4 8.5 8.4 8.5 12C8.5 15.6 9.6 18.6 12 21\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\"\/>\n          <\/svg>\n        <\/div>\n        <p class=\"adex-dc-hub-title\">Confusable<br>Domains<\/p>\n        <p class=\"adex-dc-hub-label\">Root Node<\/p>\n      <\/div>\n    <\/div>\n    <div class=\"adex-dc-branches\">\n      <div class=\"adex-dc-card\">\n        <div class=\"adex-dc-card-top\">\n          <span class=\"adex-dc-num\">01<\/span>\n          <h3 class=\"adex-dc-card-title\" id=\"cross-script-idn-homographs\">Cross-script IDN homographs<\/h3>\n        <\/div>\n        <p class=\"adex-dc-text\">Latin \/ Cyrillic \/ Greek substitutions across writing systems.<\/p>\n        <div class=\"adex-dc-meta-row\">\n          <span class=\"adex-dc-code\">paypal.com \u00b7 Cyrillic &#8220;a&#8221;<\/span>\n          <span class=\"adex-dc-status adex-dc-status-often\">Caught \u00b7 Often<\/span>\n        <\/div>\n      <\/div>\n      <div class=\"adex-dc-card\">\n        <div class=\"adex-dc-card-top\">\n          <span class=\"adex-dc-num\">02<\/span>\n          <h3 class=\"adex-dc-card-title\" id=\"within-script-homoglyphs\">Within-script homoglyphs<\/h3>\n        <\/div>\n        <p class=\"adex-dc-text\">Same-alphabet look-alikes: l \/ 1 \/ I, rn \/ m, O \/ 0.<\/p>\n        <div class=\"adex-dc-meta-row\">\n          <span class=\"adex-dc-code\">example.com<\/span>\n          <span class=\"adex-dc-status adex-dc-status-never\">Caught \u00b7 Never<\/span>\n        <\/div>\n      <\/div>\n      <div class=\"adex-dc-card adex-dc-card-blind\">\n        <div class=\"adex-dc-card-top\">\n          <span class=\"adex-dc-num\">03<\/span>\n          <h3 class=\"adex-dc-card-title\" id=\"diacritic-accent-confusables\">Diacritic &amp; accent confusables<\/h3>\n          <span class=\"adex-dc-blind-badge\">\u25b3 Blind Spot<\/span>\n        <\/div>\n        <p class=\"adex-dc-text\">Marked letters: \u00e1 \/ a, \u00e7 \/ c, \u00f1 \/ n. Treated as legitimate within local language context.<\/p>\n        <div class=\"adex-dc-meta-row\">\n          <span class=\"adex-dc-code\">payp\u00e1l.com<\/span>\n          <span class=\"adex-dc-status adex-dc-status-rarely\">Caught \u00b7 Rarely<\/span>\n        <\/div>\n      <\/div>\n      <div class=\"adex-dc-card adex-dc-card-blind\">\n        <div class=\"adex-dc-card-top\">\n          <span class=\"adex-dc-num\">04<\/span>\n          <h3 class=\"adex-dc-card-title\" id=\"punycode-encoded-edge-cases\">Punycode &amp; encoded edge cases<\/h3>\n          <span class=\"adex-dc-blind-badge\">\u25b3 Blind Spot<\/span>\n        <\/div>\n        <p class=\"adex-dc-text\">Bidirectional text, zero-width characters, combining marks. Often slip past registrar abuse detection.<\/p>\n        <div class=\"adex-dc-meta-row\">\n          <span class=\"adex-dc-code\">xn--&#8230; \/ ZWJ injections<\/span>\n          <span class=\"adex-dc-status adex-dc-status-rarely\">Caught \u00b7 Inconsistently<\/span>\n        <\/div>\n      <\/div>\n      <div class=\"adex-dc-card\">\n        <div class=\"adex-dc-card-top\">\n          <span class=\"adex-dc-num\">05<\/span>\n          <h3 class=\"adex-dc-card-title\" id=\"typosquatting-overlap\">Typosquatting overlap<\/h3>\n        <\/div>\n        <p class=\"adex-dc-text\">Single-letter omissions, doublings, transpositions \u2014 frequently combined with confusables.<\/p>\n        <div class=\"adex-dc-meta-row\">\n          <span class=\"adex-dc-code\">propelerads.com<\/span>\n          <span class=\"adex-dc-status adex-dc-status-never\">Caught \u00b7 Never<\/span>\n        <\/div>\n      <\/div>\n    <\/div>\n  <\/div>\n  <div class=\"adex-dc-legend\">\n    <p class=\"adex-dc-legend-title\">Browser Detection:<\/p>\n    <span class=\"adex-dc-legend-item\"><span class=\"adex-dc-legend-dot adex-dc-dot-often\"><\/span>Often<\/span>\n    <span class=\"adex-dc-legend-item\"><span class=\"adex-dc-legend-dot adex-dc-dot-rarely\"><\/span>Rarely \/ Inconsistently<\/span>\n    <span class=\"adex-dc-legend-item\"><span class=\"adex-dc-legend-dot adex-dc-dot-never\"><\/span>Never<\/span>\n  <\/div>\n<\/div>\n\n\n\n<p>Diacritic and zero-width categories are where most programs leave gaps.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Diacritic substitutions (&#8220;\u00e1&#8221; for &#8220;a&#8221;, &#8220;\u00e7&#8221; for &#8220;c&#8221;) rarely trigger browser Punycode display because most browsers treat them as legitimate within their language context.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>Zero-width and combining characters render as nothing visible and can be inserted to create domains that are technically distinct but visually identical. These aren&#8217;t theoretical. They appear in security research regularly, and they aren&#8217;t uniformly caught by abuse-detection systems at registrars.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-defense-layer-comparison-that-actually-helps\">A Defense Layer Comparison That Actually Helps<\/h2>\n\n\n\n<p>Most defense advice for homograph attacks reads as a checklist of equally weighted measures. In production, the layers don&#8217;t contribute equally, and they fail in different ways. The table below is the breakdown that the ADEX Brand Protection team uses internally when scoping a program.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Defense layer<\/strong><\/td><td><strong>What it actually does<\/strong><\/td><td><strong>Where it works well<\/strong><\/td><td><strong>Where it fails<\/strong><\/td><\/tr><tr><td>Browser IDN display rules<\/td><td>Forces Punycode display when script-mixing or whitelist conditions trigger<\/td><td>Cross-script Latin\/Cyrillic spoofs in major TLDs<\/td><td>Single-script lookalikes, new TLDs, niche scripts, mobile and in-app browsers<\/td><\/tr><tr><td>Defensive registration<\/td><td>Pre-registers high-risk confusables and common typos<\/td><td>Closing the obvious attack surface for high-value brands<\/td><td>Combinatorial explosion across TLDs and scripts; cost grows non-linearly with brand portfolio size<\/td><\/tr><tr><td>Certificate Transparency monitoring<\/td><td>Surfaces newly issued TLS certs for confusable domains in near-real time<\/td><td>Early detection, often hours after registration<\/td><td>High false-positive volume; requires confusable-aware matching, not just substring matching<\/td><\/tr><tr><td>DMARC \/ SPF \/ DKIM enforcement<\/td><td>Prevents direct spoofing of the legitimate domain in email<\/td><td>The &#8220;From: yourbrand.com&#8221; attack<\/td><td>Does not stop email from a homograph domain \u2014 the attacker isn&#8217;t spoofing you, they&#8217;re impersonating you<\/td><\/tr><tr><td>Registry-level script-mixing policies<\/td><td>Some TLD operators (e.g., Verisign for <strong><em>.com <\/em><\/strong>IDN tables, some ccTLDs) restrict which scripts can be combined<\/td><td>Reduces the cross-script attack surface for protected TLDs<\/td><td>Coverage varies by registry; most gTLDs accept far more permissive registrations than ccTLDs<\/td><\/tr><tr><td>Registrar abuse reporting<\/td><td>Triggers takedown via the registrar&#8217;s policies<\/td><td>Clear-cut TOS violations with documented harm<\/td><td>Slow, inconsistent across registrars, often requires repeated escalation<\/td><\/tr><tr><td>UDRP \/ legal escalation<\/td><td>Forces the transfer of trademark-infringing domains<\/td><td>When trademark rights are clear, and bad-faith use is documented<\/td><td>Months-long process; weak protection while the proceeding runs; requires registered trademarks<\/td><\/tr><tr><td>Endpoint and email-gateway URL inspection<\/td><td>Catches confusable domains in user-facing channels<\/td><td>Phishing emails, internal click protection<\/td><td>Out-of-band channels (SMS, chat apps, social DMs); user-facing sites the gateway doesn&#8217;t see<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>No single layer closes the attack surface, and the layers have fundamentally different latency profiles. Defensive registration is slow and expensive but permanent.&nbsp;<\/p>\n\n\n\n<p>CT monitoring is fast but noisy. UDRP is decisive but trails the attack by weeks or months. A program that overweights any one of them ends up with a familiar failure pattern: the obvious typos are pre-registered, the email channel is locked down, and the actual incident comes through a confusable domain in a Telegram message to an affiliate manager.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"when-defensive-domain-registration-stops-making-sense\">When Defensive Domain Registration Stops Making Sense<\/h2>\n\n\n\n<p>There&#8217;s a point at which the standard advice (&#8220;register your common confusables&#8221;) becomes a budget sink that doesn&#8217;t improve security posture. For a brand with a five-character primary domain, the number of plausible homograph and homoglyph variations across major TLDs runs into the thousands. Registering them all is a procurement project, not a security strategy.<\/p>\n\n\n\n<p>A more defensible threshold: defensively register variants that are either (a) high-prevalence in user-typed traffic, visible in Search Console misspell data, or (b) flagged as confusable under Unicode TR39&#8217;s Single-Script Confusables set for the brand&#8217;s primary script, in the TLDs where the brand is commercially active. Everything beyond that is better served by detection \u2013 CT monitoring, branded-search alerts, abuse intake, than by pre-emptive ownership.<\/p>\n\n\n\n<p>This is unglamorous, but it&#8217;s the threshold most mature brand-protection programs converge on after one or two budget cycles of trying the maximalist approach.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/triada-malvertising-case-study\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/12\/adex-investigarion-triada-infected-campaigns.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/12\/adex-investigarion-triada-infected-campaigns.png\" sizes=\"100vw\" alt=\"adex-investigation-triada-infected-campaigns\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"inside-the-triada-battle-a-five-year-investigation-and-the-security-upgrades-it-triggered\"><a href=\"https:\/\/adex.com\/blog\/triada-malvertising-case-study\/\">Inside the Triada Battle: A Five-Year Investigation and the Security Upgrades It Triggered<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-false-positive-problem-nobody-discusses\">The False Positive Problem Nobody Discusses<\/h2>\n\n\n\n<p>The trustworthiness side of any homograph-detection or domain-spoofing-detection system is bounded by its tolerance for false positives. Confusable matching is mathematically a fuzzy comparison. The more aggressive the match, the more legitimate domains get flagged: partner brands, regional variants, internationalized versions of the brand&#8217;s own properties.<\/p>\n\n\n\n<p>In our monitoring environments, naive confusable matching on a brand string produces double-digit daily alerts, and the majority are non-malicious: regional resellers, lookalike but unrelated business names, archived domains. Tightening the match reduces noise but starts to miss the cases that matter, particularly the diacritic and zero-width attacks where the visual distance is essentially zero, but the string distance is meaningful.<\/p>\n\n\n\n<p>The programs that hold up are the ones that accept this trade-off explicitly. They treat confusable detection as a triage signal, not a verdict, and they invest in the human review layer rather than chasing a higher-precision automated filter that doesn&#8217;t exist. The detection pipeline is a layer; the decision is still a person&#8217;s.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-to-do-differently-on-monday\">What to Do Differently on Monday<\/h2>\n\n\n\n<p>Three concrete actions that meaningfully change exposure, in order of effort-to-impact.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Instrument Certificate Transparency for your brand strings with confusable expansion.<\/strong> <br>Open-source CT log monitors are widely available; the value comes from feeding them a list that includes Punycode variants, diacritic forms, and within-script homoglyphs of your brand, not just the literal string. This is the single fastest way to compress the gap between a hostile registration and your awareness of it. A well-tuned pipeline gets you from &#8220;registration&#8221; to &#8220;alert in queue&#8221; in under six hours.<\/li>\n\n\n\n<li><strong>Audit the channels where your team and your partners actually receive URLs.<\/strong> <br>Email gateways are usually well-instrumented. Slack, Telegram, WhatsApp, LinkedIn, and SMS usually aren&#8217;t. The asymmetry between channel coverage and channel use is where most successful homograph and look-alike domain deliveries land. You don&#8217;t need full DLP on Telegram. You need a written rule that financial or credential-bearing changes never get acted on from a chat-app URL.<\/li>\n\n\n\n<li><strong>Make sure the trademark and the legal escalation path are in place before you need them.<\/strong> <br>The UDRP process assumes a registered trademark and documented bad-faith use. Assembling those after a campaign is already running costs weeks the brand can&#8217;t afford.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Across the cases we&#8217;ve worked, including <a href=\"https:\/\/adex.com\/blog\/typosquatting-case\/\" target=\"_blank\" rel=\"noreferrer noopener\">the typosquatting-to-UDRP matter referenced earlier<\/a>, the speed of resolution correlates almost entirely with the quality of the documentation accumulated before escalation, not with the merits of the case itself.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-underlying-point\">The Underlying Point<\/h2>\n\n\n\n<p>Homograph attacks persist not because they&#8217;re technically sophisticated. They aren&#8217;t. They persist because they exploit a layer of the system: the visual rendering of identifiers that was never designed to be a trust boundary, and that the rest of the security stack tacitly assumes is one. Every defense above is intended to compensate for an assumption that shouldn&#8217;t be made: that the user can verify a domain by looking at it.<\/p>\n\n\n\n<p>Drop that assumption, and the work becomes operational.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can measure the latency between a hostile registration and your detection of it.&nbsp;<\/li>\n\n\n\n<li>You can measure your takedown time.&nbsp;<\/li>\n\n\n\n<li>You can list which channels are instrumented and which aren&#8217;t.&nbsp;<\/li>\n\n\n\n<li>You can name which scripts and confusable categories are in your monitoring set.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Most brand-protection programs aren&#8217;t structured around those measurements, which is why this attack class continues to work 15 years after the underlying mechanism was first publicly described.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"faq\">FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-a-homograph-attack-the-same-as-typosquatting\">Is a homograph attack the same as typosquatting?<\/h3>\n\n\n\n<p>No. Typosquatting relies on plausible misspellings of a legitimate domain (<strong><em>gooogle.com<\/em><\/strong>). A homograph attack uses visually identical characters from different scripts or character sets to register a domain that looks identical to the original. The two are often combined in the same campaign, but the defenses differ \u2013 typosquatting can be partly addressed by defensive registration, while homograph requires confusable-aware monitoring.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"does-chrome-block-homograph-attacks\">Does Chrome block homograph attacks?<\/h3>\n\n\n\n<p>Partially. Chrome applies a layered set of IDN display rules that force Punycode rendering when scripts are mixed or when the domain doesn&#8217;t meet whitelist conditions. These rules catch the obvious cross-script cases. They don&#8217;t catch single-script lookalikes (e.g., a fully Cyrillic spoof), zero-width character attacks, or many diacritic substitutions. Mobile and in-app browsers are weaker still.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-punycode-and-why-does-it-matter-for-fake-url-attacks\">What is Punycode, and why does it matter for fake URL attacks?<\/h3>\n\n\n\n<p>Punycode is the ASCII encoding used to represent Unicode characters in DNS, since DNS itself only allows ASCII. A Cyrillic-spoofed p\u0430ypal.com is internally xn--pypal-4ve.com. When browsers render Punycode, the spoof is obvious. When they render the Unicode form, it&#8217;s invisible. Whether the browser shows one or the other depends on its IDN display algorithm.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-do-i-detect-homograph-and-look-alike-domains-targeting-my-brand\">How do I detect homograph and look-alike domains targeting my brand?<\/h3>\n\n\n\n<p>Three layers in combination: Certificate Transparency log monitoring with confusable-expanded brand strings; branded-search alerting for &#8220;scam,&#8221; &#8220;fraud,&#8221; &#8220;review,&#8221; and similar modifiers; and inbound abuse intake from partners, customers, and your own employees. Pure WHOIS monitoring is too slow on its own.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"are-diacritic-domains-p%d0%b0ypal-com-considered-homograph-attacks\">Are diacritic domains (<em>p\u0430yp\u00e1l.com<\/em>) considered homograph attacks?<\/h3>\n\n\n\n<p>They sit on the boundary. Most browser IDN rules treat them as legitimate within a language context, so they often render in Unicode without warning. Operationally, they should be in your monitoring set, because they&#8217;re under-defended by browser logic and registrar abuse policies alike.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-long-does-a-udrp-proceeding-take-to-transfer-a-homograph-domain\">How long does a UDRP proceeding take to transfer a homograph domain?<\/h3>\n\n\n\n<p>Roughly two to three months from filing to decision in standard cases, assuming a registered trademark and clear bad-faith evidence. The 2025 ADEX case referenced above ran approximately two months from complaint to transfer order. Speed correlates more with documentation quality than with case complexity.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What if the padlock isn\u2019t enough? Learn how a homograph attack makes fake URLs look real, why mobile makes them harder to spot, and how smarter monitoring closes the gap.<\/p>\n","protected":false},"author":4,"featured_media":5628,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[18,16],"class_list":["post-5621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides","tag-fraud","tag-threat"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Homograph Attack: How Fake URLs Impersonate Brands<\/title>\n<meta name=\"description\" content=\"Homograph attack risks make fake URLs look real. Learn how look-alike domains, Punycode, and browser gaps expose brands to fraud.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Homograph Attack: How Fake URLs Impersonate Brands\" \/>\n<meta property=\"og:description\" content=\"Homograph attack risks make fake URLs look real. Learn how look-alike domains, Punycode, and browser gaps expose brands to fraud.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/\" \/>\n<meta property=\"og:site_name\" content=\"ADEX\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/adexsaas\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-21T14:35:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-21T14:35:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Homograph-Attack-URL-Impersonation.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kira Vessiari\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:site\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kira Vessiari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/\"},\"author\":{\"name\":\"Kira Vessiari\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\"},\"headline\":\"Homograph Attacks: When URLs Look Identical but Aren&#8217;t\",\"datePublished\":\"2026-05-21T14:35:13+00:00\",\"dateModified\":\"2026-05-21T14:35:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/\"},\"wordCount\":3241,\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Homograph-Attack-URL-Impersonation.png\",\"keywords\":[\"Fraud\",\"Threat\"],\"articleSection\":[\"Guides\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/\",\"name\":\"Homograph Attack: How Fake URLs Impersonate Brands\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Homograph-Attack-URL-Impersonation.png\",\"datePublished\":\"2026-05-21T14:35:13+00:00\",\"dateModified\":\"2026-05-21T14:35:14+00:00\",\"description\":\"Homograph attack risks make fake URLs look real. Learn how look-alike domains, Punycode, and browser gaps expose brands to fraud.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/#primaryimage\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Homograph-Attack-URL-Impersonation.png\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Adex-Homograph-Attack-URL-Impersonation.png\",\"width\":1200,\"height\":628,\"caption\":\"Adex - guide to homograph attack risks, where look-alike URLs can impersonate trusted domains.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/homograph-attack-fake-urls\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/adex.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Homograph Attacks: When URLs Look Identical but Aren&#8217;t\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"alternateName\":\"ADEX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/adex.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"width\":148,\"height\":30,\"caption\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/adexsaas\\\/\",\"https:\\\/\\\/x.com\\\/adexsaas\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\",\"name\":\"Kira Vessiari\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"caption\":\"Kira Vessiari\"},\"sameAs\":[\"https:\\\/\\\/adex.com\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/kiravessiari\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Homograph Attack: How Fake URLs Impersonate Brands","description":"Homograph attack risks make fake URLs look real. Learn how look-alike domains, Punycode, and browser gaps expose brands to fraud.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/","og_locale":"en_US","og_type":"article","og_title":"Homograph Attack: How Fake URLs Impersonate Brands","og_description":"Homograph attack risks make fake URLs look real. Learn how look-alike domains, Punycode, and browser gaps expose brands to fraud.","og_url":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/","og_site_name":"ADEX","article_publisher":"https:\/\/www.facebook.com\/adexsaas\/","article_published_time":"2026-05-21T14:35:13+00:00","article_modified_time":"2026-05-21T14:35:14+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Homograph-Attack-URL-Impersonation.png","type":"image\/png"}],"author":"Kira Vessiari","twitter_card":"summary_large_image","twitter_creator":"@adexsaas","twitter_site":"@adexsaas","twitter_misc":{"Written by":"Kira Vessiari","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/#article","isPartOf":{"@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/"},"author":{"name":"Kira Vessiari","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61"},"headline":"Homograph Attacks: When URLs Look Identical but Aren&#8217;t","datePublished":"2026-05-21T14:35:13+00:00","dateModified":"2026-05-21T14:35:14+00:00","mainEntityOfPage":{"@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/"},"wordCount":3241,"publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"image":{"@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Homograph-Attack-URL-Impersonation.png","keywords":["Fraud","Threat"],"articleSection":["Guides"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/","url":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/","name":"Homograph Attack: How Fake URLs Impersonate Brands","isPartOf":{"@id":"https:\/\/adex.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/#primaryimage"},"image":{"@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Homograph-Attack-URL-Impersonation.png","datePublished":"2026-05-21T14:35:13+00:00","dateModified":"2026-05-21T14:35:14+00:00","description":"Homograph attack risks make fake URLs look real. Learn how look-alike domains, Punycode, and browser gaps expose brands to fraud.","breadcrumb":{"@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/#primaryimage","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Homograph-Attack-URL-Impersonation.png","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/05\/Adex-Homograph-Attack-URL-Impersonation.png","width":1200,"height":628,"caption":"Adex - guide to homograph attack risks, where look-alike URLs can impersonate trusted domains."},{"@type":"BreadcrumbList","@id":"https:\/\/adex.com\/blog\/homograph-attack-fake-urls\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/adex.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Homograph Attacks: When URLs Look Identical but Aren&#8217;t"}]},{"@type":"WebSite","@id":"https:\/\/adex.com\/blog\/#website","url":"https:\/\/adex.com\/blog\/","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","description":"","publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"alternateName":"ADEX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/adex.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/adex.com\/blog\/#organization","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","url":"https:\/\/adex.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","width":148,"height":30,"caption":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform"},"image":{"@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/adexsaas\/","https:\/\/x.com\/adexsaas"]},{"@type":"Person","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61","name":"Kira Vessiari","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","caption":"Kira Vessiari"},"sameAs":["https:\/\/adex.com","https:\/\/www.linkedin.com\/in\/kiravessiari\/"]}]}},"_links":{"self":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/comments?post=5621"}],"version-history":[{"count":15,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5621\/revisions"}],"predecessor-version":[{"id":5657,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5621\/revisions\/5657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media\/5628"}],"wp:attachment":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media?parent=5621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/categories?post=5621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/tags?post=5621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}