https://www.bleepingcomputer.com/news/security/bookingcom-phishing-campaign-uses-sneaky-character-to-trick-you

Threat actors have launched a sophisticated phishing campaign targeting Booking.com users by exploiting the Japanese hiragana character “ん” to create URLs that appear legitimate at first glance but redirect victims to malicious websites distributing malware. Security researcher JAMESWT first identified this attack. It leverages the visual similarity between the Unicode character U+3093 and the Latin character sequence ‘/n’ or ‘/~’ in certain fonts, enabling scammers to construct deceptive URLs that seemingly belong to the genuine Booking.com domain while actually directing users to malicious lookalike sites.

The attack demonstrates a clever abuse of homoglyphs, where visually similar characters from different alphabets are used to deceive users during quick visual inspections of URLs. The phishing emails display what appears to be a legitimate Booking.com administrative link, but the actual hyperlink contains the deceptive Unicode character in a URL structure like “account[dot]booking[dot]comんdetailんrestric-access.www-account-booking.com/” where the real registered domain is the malicious “www-account-booking.com” rather than the legitimate Booking.com. Victims who click through these deceptive links are eventually redirected to malicious sites that deliver MSI installers containing infostealers or remote access trojans.

This campaign represents the latest evolution in Unicode-based phishing tactics, with cybercriminals continuing to find creative ways to abuse typography for social engineering purposes. BleepingComputer also identified a separate but related phishing campaign targeting Intuit users, where attackers use domains beginning with “Lntuit” that can resemble “intuit” in certain fonts, particularly in lowercase formatting on mobile devices where users are less likely to scrutinise URLs carefully. These incidents highlight the ongoing challenge of relying on visual URL inspection as a security measure, since attackers leverage increasingly sophisticated character-substitution techniques that can fool even careful users. They also emphasise the importance of hovering over links to reveal their true destinations and of keeping endpoint security software updated to defend against malware delivery after a successful phish.
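The two lookalike patterns above (a non-ASCII character posing as a path separator, and a confusable letter swapped into a brand name) can both be caught by extracting the host a URL actually resolves to rather than reading it by eye. The following is an added example, not code from BleepingComputer, Booking.com or Intuit; the protected-brand list, the confusable table and the sample URL are constructed for illustration, and the registrable-domain logic is deliberately naive.

```python
# Added example (not BleepingComputer's or Booking.com's code): flag lookalike
# hosts. Brand list, confusable table and sample URL are constructed.
import unicodedata
from urllib.parse import urlsplit

PROTECTED_DOMAINS = {"booking.com", "intuit.com"}          # constructed list
# Tiny confusable table: lowercase L and digit one read as i, zero as o.
CONFUSABLE_FOLD = str.maketrans({"l": "i", "1": "i", "0": "o"})
# Constructed sample in the defanged form used in the article above.
SAMPLE_URL = "account[dot]booking[dot]comんdetailんrestric-access.www-account-booking.com/"


def host_of(url: str) -> str:
    """Host part of a URL; "[dot]" defanging is undone, scheme added if absent."""
    url = url.replace("[dot]", ".")
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).hostname or ""


def registrable_domain(host: str) -> str:
    """Naive registrable domain (last two labels); real code should use the
    Public Suffix List, since suffixes such as co.uk span two labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def non_ascii_chars(host: str) -> list:
    """Each non-ASCII character in the host with its Unicode name."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in host if ord(c) > 127]


def spoofed_brands(host: str) -> list:
    """Brands whose name appears in the confusable-folded host although the
    domain actually registered is a different one."""
    folded = host.translate(CONFUSABLE_FOLD)
    reg = registrable_domain(host)
    return sorted(d for d in PROTECTED_DOMAINS
                  if d.split(".")[0] in folded and reg != d)


def analyze(url: str) -> dict:
    """Summarise why a URL is (or is not) a lookalike."""
    host = host_of(url)
    foreign, spoofed = non_ascii_chars(host), spoofed_brands(host)
    return {"host": host, "registrable_domain": registrable_domain(host),
            "non_ascii": foreign, "spoofed_brands": spoofed,
            "suspicious": bool(foreign or spoofed)}
```

Running `analyze(SAMPLE_URL)` reports the registrable domain as www-account-booking.com and names both U+3093 occurrences as HIRAGANA LETTER N, while a genuine account.booking.com link comes back clean.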