Did you notice which letter in the headline is actually a Russian character? It’s the “В.”
So-called homographic characters — letters that look the same to the eye but are read differently by machines — are a known problem in phishing attacks. A new study from Farsight Security quantifies the problem.
The details: Farsight looked at 466 of the top 500 websites. It found 8,000 unique, reachable domains that used such character substitution to masquerade as better-known brands’ websites.
The problem: The problem is that this shouldn’t be a problem. ICANN, which governs which companies can sell domains, contractually bans those companies from selling domains that mix two languages. But the organization doesn’t enforce the rule.
Paul Vixie, founder of Farsight, said it may now be too late for ICANN to start.
- It’s tough to convince the internet zealots who vote on such enforcement proposals to abandon the internet’s libertarian ideal. “If they proposed it, people in ICANN meetings would be setting their hair on fire and doing battle with swords,” said Vixie.
- It’s also tough to convince firms that already have sold the domains to return the money and take back the name.
Where does that leave us? Vixie suggests multiple layers of response. Just as Google runs a service sifting out websites that spew malware, someone could offer a service that sifts out websites confusable with common brand names. And security firms could better protect clients by filtering out likely problems as well.
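A filter of the kind Vixie describes can be sketched in a few lines. The following is an added example, not code from Farsight or Axios; the brand watchlist and the lookalike table are small constructed samples, and the function names are hypothetical.

```python
import unicodedata

# Constructed subset of lookalike letters (not the full Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0432": "b", "\u0435": "e", "\u043e": "o",  # Cyrillic а в е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",  # Cyrillic р с у х
    "\u0456": "i", "\u0455": "s", "\u03bf": "o", "\u03b1": "a",  # Cyrillic і ѕ, Greek ο α
}
# Hypothetical watchlist; a real service would load the brands it protects.
BRANDS = {"apple", "paypal", "facebook"}

def to_unicode(label):
    """Decode a punycode A-label (xn--...) so the checks see the real characters."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: leave it as-is
    return label

def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold known lookalikes to Latin so a spoof compares equal to the brand."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def classify(domain):
    """Return (verdict, brand) for the leftmost label of a domain name."""
    label = to_unicode(domain.split(".")[0])
    folded = skeleton(label)
    if folded in BRANDS and label != folded:
        return ("confusable", folded)      # looks like a brand but is not it
    if len(scripts(label)) > 1:
        return ("mixed-script", None)      # the mixing the ICANN contracts ban
    return ("ok", None)

if __name__ == "__main__":
    # Constructed sample names; the first two contain a Cyrillic "а" (U+0430).
    for name in ["\u0430pple.com", "ex\u0430mple.org", "apple.com"]:
        print(ascii(name), classify(name))
```

Because the fold runs before the script check, a name spelled entirely in lookalike letters from one script is still matched against the watchlist.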
Source: Codebook – June 26, 2018 – Axios