A homograph attack registers a domain that looks like a real one but uses Unicode characters from another script — Cyrillic а, Greek ο, or Armenian օ — that render identically to Latin letters. DNS actually stores these as ASCII via Punycode (xn--). Copy the suspicious domain into Zro7 WHOIS Lookup — the real Punycode form is what the registry returns.
How Punycode works
DNS is ASCII-only. Internationalized Domain Names (IDN) encode Unicode into ASCII using Punycode. café.com becomes xn--caf-dma.com. Browsers reverse this in the address bar so users see the pretty form. Registrars can enforce a single-script policy per label, but many TLDs (including some ccTLDs) don't.
Classic homograph examples
аpple.com— first letter is Cyrillic U+0430, not Latin U+0061. Punycode:xn--pple-43d.com.gοοgle.com— the two 'o's are Greek omicron U+03BF. Punycode:xn--ggle-55da.com.раураl.com— five Cyrillic letters. Punycode:xn--80ak6aa92e.com.
How modern browsers defend
Chrome, Firefox, and Safari now show the Punycode form when a label mixes scripts, or when the whole label is in a script the user's locale doesn't use. This helps, but not always: a fully Cyrillic раураl.com passes some checks because there's no mixing. Never trust the visual.
How to verify a suspicious link
- Right-click → Copy Link, paste into a plain-text editor. If it starts with
xn--, it's an IDN. - Run it through WHOIS Lookup — creation date under 30 days for a 'major brand' is a giant red flag.
- Check DNS records — homograph domains usually resolve to cheap hosting, not the brand's real ASN.
- Look at the DNSSEC status — major brands sign their zones; hastily registered phishing rarely does.
Steps to check any domain
- Copy the raw URL.
- Paste into WHOIS. Note the registrant, creation date, and Punycode form.
- Run DNS Lookup; verify A/MX point where the real brand's records point.
- If anything looks off, don't click. Report to the brand's abuse address.
Zro7