Can you tell the difference between these two pieces of text: binance.com and binаnce.com? The а in the latter is a Cyrillic letter, almost completely identical to the Latin letter a. This is a homograph attack—one of the hardest visual deceptions to defend against. This article teaches you how to identify and prevent it. First, always enter through the verified Binance website, download the mobile Binance official app, or check the iOS install guide if you haven't installed the iOS app.
1. How Homograph Attacks Work
Internationalized Domain Names (IDNs) allow domains to contain non-ASCII characters. The original intent was to let Chinese, Japanese, or Russian users register domains in their native languages. The problem is: many characters look visually identical to English letters but are entirely different characters in encoding.
At the domain level, browsers convert these characters into Punycode:
- binаnce.com (containing the Cyrillic а) is actually xn--binnce-b8a.com
- googĺe.com (with an accented ĺ) is actually xn--googe-x9a.com
By default, browsers display the Unicode format, so users still see binаnce.com, looking exactly like binance.com.
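To see the conversion the browser performs, here is a small added example (not code from the article or from Binance) that turns a domain into its Punycode form with Python's built-in idna codec and lists the code point and Unicode name of every character. The two sample domains are constructed: the second is the article's binаnce.com with a Cyrillic small a (U+0430) in place of the Latin a.

```python
import unicodedata

# Constructed samples: the genuine ASCII domain and the look-alike from the article.
LATIN_DOMAIN = "binance.com"
HOMOGRAPH_DOMAIN = "bin\u0430nce.com"   # 'а' here is U+0430 CYRILLIC SMALL LETTER A


def to_punycode(domain: str) -> str:
    """Convert a Unicode domain to the ASCII (xn--) form that DNS actually resolves.
    Pure-ASCII labels come back unchanged."""
    return domain.encode("idna").decode("ascii")


def from_punycode(ascii_domain: str) -> str:
    """Reverse conversion: the Unicode form a browser shows by default."""
    return ascii_domain.encode("ascii").decode("idna")


def code_points(domain: str) -> list:
    """Per-character (char, U+XXXX, Unicode name) listing, i.e. what a hex viewer reveals."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")) for ch in domain]


def looks_ascii_but_is_not(domain: str) -> bool:
    """True when the displayed domain contains non-ASCII characters, so what the user
    reads and what DNS resolves are different strings."""
    return to_punycode(domain) != domain


if __name__ == "__main__":
    for d in (LATIN_DOMAIN, HOMOGRAPH_DOMAIN):
        print(f"{d!r:>22} -> {to_punycode(d)}   non-ASCII: {looks_ascii_but_is_not(d)}")
        for ch, cp, name in code_points(d):
            if ord(ch) > 0x7F:
                print(f"    {ch}  {cp}  {name}")
```

The Punycode string is computed rather than hard-coded, so the same function can be pointed at any domain copied from an address bar; any result that starts with xn-- deserves a second look.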
2. Most Commonly Replaced Latin Letters
The table below shows the most common replacements used in homograph attacks:
| Original Character | Visually Similar Character | Character Set |
|---|---|---|
| a | а / α | Cyrillic / Greek |
| e | е / ё | Cyrillic |
| o | о / ο / 0 | Cyrillic / Greek / Number |
| i | і / ί / l / 1 | Cyrillic / Greek / Latin L / Number 1 |
| c | с / ϲ | Cyrillic / Greek |
| p | р / ρ | Cyrillic / Greek |
| n | η / ｎ | Greek / Full-width |
| b | Ь / ｂ | Cyrillic / Full-width |
Every single letter in the Binance domain b/i/n/a/n/c/e could potentially be replaced. The resulting combinations generate an astonishing number of phishing variants.
3. Three Methods to Spot Homograph Attacks
Method A: Enable Punycode Display in Your Browser
Firefox is the most reliable. Type about:config in the address bar, search for network.IDN_show_punycode, and set it to true. Once enabled, all non-ASCII domains will display in the xn-- format, making anomalies instantly visible.
Chrome lacks a native setting, but it will automatically display Punycode when a domain contains a mix of Latin and non-Latin characters. However, "pure Cyrillic domains" using exclusively non-Latin characters will display normally, requiring extensions for assistance.
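The two mechanisms described here can be written down as code. The following added example (not the article's own, and not a reproduction of Chrome's implementation) models the mixed-script rule from the paragraph above and combines it with a confusable "skeleton" check built from the Section 2 table, compared against a constructed allowlist of trusted domains. The sample domains are constructed, and the b1nance.com case shows why a mixed-script rule alone is not enough: digits carry no script, so only the skeleton comparison catches it.

```python
import unicodedata

# Confusables from the article's Section 2 table, mapped to the Latin letter each imitates.
# Constructed and deliberately small; it is not Unicode's full confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u03b1": "a",                      # Cyrillic а, Greek α
    "\u0435": "e", "\u0451": "e",                      # Cyrillic е, ё
    "\u043e": "o", "\u03bf": "o", "0": "o",            # Cyrillic о, Greek ο, digit 0
    "\u0456": "i", "\u03af": "i", "l": "i", "1": "i",  # Cyrillic і, Greek ί, Latin l, digit 1
    "\u0441": "c", "\u03f2": "c",                      # Cyrillic с, Greek ϲ
    "\u0440": "p", "\u03c1": "p",                      # Cyrillic р, Greek ρ
    "\u03b7": "n",                                     # Greek η (full-width ｎ is folded by NFKC)
    "\u042c": "b", "\u044c": "b",                      # Cyrillic Ь / ь (full-width ｂ folded by NFKC)
}

# Constructed allowlist. A password manager's saved logins play the same role when it
# refuses to autofill on any domain that is not an exact match.
TRUSTED = {"binance.com", "binance.us"}


def scripts_in(label: str) -> set:
    """Script family of every letter in a label, taken from the first word of its Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and hyphens carry no script."""
    families = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "")
        families.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return families


def is_mixed_script(label: str) -> bool:
    """The rule the article attributes to Chrome: a label mixing scripts is shown as
    Punycode; a label written entirely in one non-Latin script is not."""
    return len(scripts_in(label)) > 1


def skeleton(label: str) -> str:
    """Fold each confusable to the Latin letter it resembles, after NFKC normalisation
    (which already maps full-width forms such as ｎ and ｂ to plain n and b)."""
    folded = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_domain(domain: str) -> dict:
    """Run both checks and compare the skeleton against the allowlist."""
    domain = domain.lower()
    mixed = any(is_mixed_script(lbl) for lbl in domain.split("."))
    if domain in TRUSTED:
        return {"domain": domain, "mixed_script": mixed, "impersonates": None, "verdict": "trusted"}
    target = next((t for t in TRUSTED if skeleton(domain) == skeleton(t)), None)
    verdict = "homograph" if target else "unknown"
    return {"domain": domain, "mixed_script": mixed, "impersonates": target, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: the real domain, the article's Cyrillic-а variant, a digit-1
    # variant that no mixed-script rule flags, and an unrelated domain.
    for d in ("binance.com", "bin\u0430nce.com", "b1nance.com", "example.com"):
        print(check_domain(d))
```

Because both sides of the comparison are folded through the same skeleton function, a legitimate domain containing an l or a 0 is not penalised; only a string that folds to a trusted name without being that name is reported as a homograph.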
Method B: Copy and Paste into a Text Editor
Copy the URL from the address bar and paste it into Notepad or a code editor (VS Code is recommended) to view it in a different font. Monospaced fonts in VS Code will reveal slight differences between а and a. Alternatively, use a hex viewer plugin where the Unicode code point of each character is obvious.
Method C: Naked Eye Inspection
Hover over the domain and carefully inspect each letter:
- Is the circle of 'a' standard?
- Is the horizontal line of 'e' placed correctly?
- Is the 'o' a perfect circle?
- Is the dot on the 'i' exactly in the middle?
If any letter looks even slightly off, be on high alert.
4. Additional Browser Hardening
Chrome Extensions
- EnGuard (PhishFort): Automatically detects and warns against homograph attacks.
- Punycode Alert: Inserts a Punycode prompt in the address bar.
System Level
- Blackhole known phishing variants in your hosts file, for example:
    0.0.0.0 xn--binnce-b8a.com
- Subscribe to anti-phishing blacklists using home DNS gateways like Pi-hole.
Password Managers
1Password and Bitwarden only pop up autofill suggestions when the domain matches exactly. If you open a homograph domain, the password manager will not respond—this serves as a natural "detection alarm."
5. Mobile Specifics
Mobile address bars are short and characters appear smaller, making homographs much harder to detect. Recommendations:
- Use the APP exclusively; avoid entering domains in the browser.
- Enable "Show full URL" in browser settings.
- Long-press received links to preview the target URL instead of tapping directly.
In iOS Safari, long-pressing a link brings up a preview showing the full URL; Chrome on Android offers a similar preview on long-press.
6. What to do if you have visited a homograph domain
Follow this response order:
- Take a screenshot of the address bar immediately and copy the full URL for your records.
- Close the page and clear your browser cookies for that domain.
- Check if you entered any information on that page—if so, initiate the stolen account emergency response.
- Open binance.com in a clean browser and check your account status.
- Report the malicious URL through Binance's official support channels.
FAQ
Q1: Why do browsers display Unicode instead of Punycode by default? For the convenience of non-English speaking users. If domains for Russian users always displayed as xn--xxxx, the experience would be terrible. Thus, Unicode is shown by default, but mixed strings are automatically converted to Punycode.
Q2: Will enabling forced Punycode in Firefox affect non-English websites? Normal English websites remain completely unaffected. Domains in Chinese, Russian, etc., will display in the xn-- format. If you don't visit these domains, there is no impact whatsoever.
Q3: Can HTTPS certificates detect homograph attacks? Yes. The Subject field in a certificate contains the actual encoded xn-- string, which will differ from what the naked eye sees in the address bar. Inspecting the certificate details can easily expose the fraud.
Q4: Can I be targeted by homograph attacks within the APP? The APP does not rely on domain input; all connections go through hardcoded API endpoints. Homograph attacks are fundamentally ineffective against APP users.