A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements

The possibility to include Unicode characters in domain names allows users to deal with domains in their regional languages. This is done by introducing Internationalized Domain Names (IDN). However, the visual similarity between different Unicode characters - called homoglyphs - is a potential security threat, as visually similar domain names are often used in phishing attacks. Timely detection of suspicious homograph domain names is an important step towards preventing sophisticated attacks, since this can prevent unaware users to access those homograph domains that actually carry malicious content. We therefore propose a structured approach to identify suspicious homograph domain names based not on use, but on characteristics of the domain name itself and its associated DNS records. To achieve this, we leverage the OpenINTEL active DNS measurement platform, which performs a daily snapshot of more than 65% of the DNS namespace. In this paper, we first extend the existing Unicode homoglyph tables (confusion tables). This allows us to detect on average 2.97 times homograph domains compared to existing tables. Our proactive detection of suspicious IDN homograph domains provides an early alert that would help both domain owners as well as security researchers in preventing IDN homograph abuse.