TL;DR
Yes, some characters *look* identical in a browser’s address bar but are actually different Unicode characters. This can lead to security issues (phishing) or unexpected behaviour. We’ll show you how to spot them and what to do.
Solution Guide: Identifying & Handling URL Lookalikes
- Understanding the Problem
- Different Unicode characters can render visually the same in many fonts used by browsers.
- For example, a standard ‘a’ (U+0061) looks identical to a Cyrillic ‘а’ (U+0430).
- This is especially common with letters from different alphabets.
- Common Lookalike Pairs
- Latin vs. Cyrillic: ‘a’ (U+0061) and ‘а’ (U+0430); ‘e’ (U+0065) and ‘е’ (U+0435); ‘o’ (U+006F) and ‘о’ (U+043E); ‘p’ (U+0070) and ‘р’ (U+0440); ‘c’ (U+0063) and ‘с’ (U+0441).
- Latin vs. Greek: ‘ο’ (Greek small letter omicron, U+03BF) looks like ‘o’ (U+006F).
- Numbers & Similar Shapes: ‘0’ (U+0030) and ‘O’ (U+004F); ‘1’ (U+0031) and ‘l’ (U+006C) or ‘I’ (U+0049).
- How to Spot Them
- Hover over Links: Before clicking, carefully check the URL displayed in your browser’s status bar. This shows the *actual* characters used.
- URL Inspection Tools: Use online tools that decode Unicode characters in URLs. Search for “Unicode URL decoder”.
- Copy & Paste: Copy the suspicious URL and paste it into a text editor. Examine the character codes directly (some editors show these).
- Using Python to Detect Lookalikes (Technical)
You can use Python to identify potential lookalike characters.
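```python
import unicodedata

def find_lookalikes(url):
    # (Latin letter, Cyrillic lookalike) pairs; escapes make the Cyrillic side visible
    suspicious_pairs = [('a', '\u0430'), ('e', '\u0435'), ('o', '\u043e'),
                        ('p', '\u0440'), ('c', '\u0441')]
    for latin, lookalike in suspicious_pairs:
        # Flag the lookalike whenever it appears, even if the Latin letter is absent
        if lookalike in url:
            print(f"Potential lookalike character found: U+{ord(lookalike):04X} "
                  f"({unicodedata.name(lookalike)}) resembles '{latin}'")

# Example usage: the path contains Cyrillic U+0430 and U+0441
url = "http://example.com/\u0430b\u0441"
find_lookalikes(url)
```
This is a basic example; you’d need to expand the `suspicious_pairs` list for more comprehensive detection.
- Preventative Measures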
- Be Wary of Shortened URLs: Use URL expansion services before clicking.
- Type URLs Directly: Avoid copying and pasting URLs from untrusted sources whenever possible.
- Check Domain Names Carefully: Look for subtle misspellings or character replacements in domain names (e.g., ‘rn’ instead of ‘m’).
- Cybersecurity Awareness Training: Educate yourself and others about phishing techniques and URL manipulation.
- Browser Security Features
- Most modern browsers have built-in phishing protection that can detect some malicious URLs, but they aren’t foolproof.
- Keep your browser updated to benefit from the latest security enhancements.
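
The pair list in the Python section above only catches characters you have enumerated. The following added example (not part of the original guide) goes further and inspects each hostname label, reporting its non-ASCII code points, the scripts its letters come from, whether scripts are mixed, and its Punycode form. The function names and sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Scripts this sketch tells apart, read from the first word of the Unicode name.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")

def label_scripts(label):
    """Return the set of scripts used by the letters in one hostname label."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and '-' carry no script information
        first_word = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        scripts.add(first_word if first_word in SCRIPTS else "OTHER")
    return scripts

def inspect_url(url):
    """Return one finding per hostname label that contains non-ASCII characters."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue  # plain ASCII label (or empty): nothing to report
        scripts = label_scripts(label)
        try:
            ace = label.encode("idna").decode("ascii")  # ASCII (xn--) form used in DNS
        except UnicodeError:
            ace = None  # label is not valid under the codec's IDNA rules
        findings.append({
            "label": label,
            "punycode": ace,
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
            "codepoints": [f"U+{ord(c):04X}" for c in label if not c.isascii()],
        })
    return findings

if __name__ == "__main__":
    # Constructed sample URLs (escapes make the non-Latin letters visible in source).
    samples = [
        "https://example.com/login",                  # all ASCII
        "https://\u0430pple.example/login",           # Cyrillic U+0430 among Latin letters
        "https://\u0441\u043e\u0440\u0435.example/",  # entirely Cyrillic lookalikes
    ]
    for sample in samples:
        print(ascii(sample), ascii(inspect_url(sample)))
```

The third sample is not mixed-script, so treat any unexpected `xn--` label as worth a second look rather than relying on the mixed-script flag alone.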

