BiDi Swap: New Phishing Trick Exploits Unicode to Forge Web Addresses
In a recent report, researchers from Varonis Threat Labs reminded the cybersecurity community of a deceptive technique used by phishers to disguise malicious links as legitimate ones. This method, based on how browsers render bidirectional text—that is, text read from both left to right and right to left—has now been formally named “BiDi Swap,” a term reflecting both its underlying mechanism and its dependence on the bidirectional text processing behavior of modern browsers.
At the heart of the attack lies a manipulation of Unicode rendering algorithms, which handle scripts that differ in writing direction. Languages such as English and Spanish use left-to-right (LTR) formatting, while Arabic and Hebrew follow right-to-left (RTL) conventions. When a URL contains characters from both systems, browsers invoke the Unicode Bidirectional Algorithm (Bidi) to decide the display order of the string. However, this process is not always reliable, particularly in handling subdomains and query parameters. Attackers exploit this inconsistency: under certain structural conditions, a browser may display an address in an order entirely different from how it is actually constructed, enabling subtle and highly effective deception.
Such tricks are not new. In the past, homograph attacks leveraging Punycode achieved similar goals, substituting visually identical Cyrillic or Greek characters for Latin ones to create counterfeit domains like “аpple.com” (with a Cyrillic “а”) or “рayрal.com.” Another classic technique, RTL override, involved embedding special Unicode symbols (such as U+202E) that reverse text direction, allowing attackers to conceal true file extensions or evade content filters.
BiDi Swap builds on the same weaknesses in Unicode handling but applies them in a more intricate way. A threat actor crafts a URL combining Arabic or Hebrew domain components with misleading Latin fragments — for example, “https://varonis.com.ו.קום/.” At first glance, the link appears to lead to varonis.com, yet the actual domain is “ו.קום”, with everything preceding it serving merely as a visual decoy. Additional elements such as port numbers or extraneous punctuation can further distort how the address is displayed, deepening the illusion.
Despite the longevity of such threats, most major browsers still lack comprehensive safeguards. In Google Chrome, even with its navigation warning feature for look-alike domains, detection remains inconsistent. Mozilla Firefox adopts a different approach, emphasizing the core domain within the address bar to make forgeries easier to spot. Microsoft Edge developers have declared the issue resolved, though in practice its rendering behavior remains unchanged. Ironically, the only browser observed to display these URLs correctly was Arc, which is no longer maintained.
Researchers advise users to exercise heightened caution when encountering links that mix writing directions or exhibit unusual character arrangements. Hovering over suspicious URLs, verifying SSL certificates, and scrutinizing domain structures can help expose deception early. For browser developers, enhancing domain highlighting and expanding spoof-detection algorithms will be essential. Such improvements could prove decisive in preventing users from unwittingly visiting malicious sites before any damage occurs.
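As an added illustration of the mechanism described above and of the "scrutinize the domain structure" advice, the following Python script (written for this article, not code from Varonis or from any browser) splits a URL's host into its labels, classifies each label's writing direction with the Unicode bidirectional categories from `unicodedata`, flags hosts that mix LTR and RTL labels, and reports the domain that actually owns the host. It assumes, as a simplification, that the registrable domain is the last two labels (no public-suffix list), and the sample URLs are constructed to mirror the pattern in the article.

```python
"""Flag URLs whose host mixes left-to-right and right-to-left labels.

Added example for the BiDi Swap article; not the report's own tooling.
"""
import unicodedata
from urllib.parse import urlsplit

# Unicode bidirectional classes: "L" is strong LTR; "R" (Hebrew-type) and
# "AL" (Arabic-type) are strong RTL. Digits and punctuation are neutral here.
RTL_CLASSES = {"R", "AL"}
LTR_CLASSES = {"L"}

# Constructed sample inputs (not taken from the report).
SAMPLE_URLS = [
    "https://varonis.com/",                    # plain Latin host
    "https://varonis.com.ו.קום/",              # Latin decoy labels, Hebrew owner
    "https://example.com/login?next=ו.קום",    # RTL only in the query string
]


def label_direction(label):
    """Return 'LTR', 'RTL', 'mixed' or 'neutral' for one host label."""
    found = set()
    for ch in label:
        bidi = unicodedata.bidirectional(ch)
        if bidi in RTL_CLASSES:
            found.add("RTL")
        elif bidi in LTR_CLASSES:
            found.add("LTR")
    if found == {"LTR", "RTL"}:
        return "mixed"
    return found.pop() if found else "neutral"


def has_strong_rtl(text):
    """True if any character in text is a strong right-to-left character."""
    return any(unicodedata.bidirectional(ch) in RTL_CLASSES for ch in text)


def analyze_url(url):
    """Describe the host of url the way a defender wants to see it: label by
    label, in storage order, with the owning domain called out explicitly."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".") if host else []
    directions = [label_direction(lbl) for lbl in labels]

    strong = {d for d in directions if d in ("LTR", "RTL")}
    if "mixed" in directions:
        strong |= {"LTR", "RTL"}
    mixed_host = strong == {"LTR", "RTL"}

    # Assumption: registrable domain = last two labels (no public-suffix list).
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host

    # The ASCII (Punycode) form strips away the visual ambiguity entirely.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None

    return {
        "url": url,
        "host": host,
        "labels": labels,
        "label_directions": directions,
        "mixed_host": mixed_host,
        "contains_rtl": has_strong_rtl(url),
        "registrable_domain": registrable,
        "ascii_host": ascii_host,
    }


def reasons_to_flag(result):
    """Human-readable reasons a URL deserves a second look; empty if none."""
    reasons = []
    if result["mixed_host"]:
        reasons.append(
            "host mixes LTR and RTL labels; actual domain is %r, not %r"
            % (result["registrable_domain"], result["labels"][0])
        )
    elif result["contains_rtl"]:
        reasons.append("URL contains RTL characters outside the host")
    return reasons


def scan(urls):
    """Return (url, reasons) pairs for every URL that raised at least one flag."""
    flagged = []
    for url in urls:
        reasons = reasons_to_flag(analyze_url(url))
        if reasons:
            flagged.append((url, reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_URLS):
        print(url)
        for reason in reasons:
            print("  -", reason)
```

Run on the samples, the second URL is flagged with its owning domain reported as the two Hebrew labels, while the first passes and the third is reported only for RTL characters in its query string. Printing labels in storage order, plus the Punycode form, sidesteps the rendering step where the spoof happens, which is the same idea behind Firefox's domain highlighting mentioned above.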