Booking.com phishing campaign uses sneaky 'ん' character to trick you

Threat actors are leveraging a Unicode character to make phishing links appear like legitimate Booking.com links in a new campaign distributing malware.

The attack makes use of the Japanese hiragana character, ん, which can, on some systems, appear as a forward slash and make a phishing URL appear realistic to a person at a casual glance.

BleepingComputer has also come across an Intuit phishing campaign that relies on a lookalike domain, with the letter L used in place of the 'i' in Intuit.

Booking.com phishing links using Japanese homoglyphs

The attack, first spotted by security researcher JAMESWT, abuses the Japanese hiragana character “ん” (Unicode U+3093), which at a quick glance closely resembles the Latin character sequence '/n' or '/~' in some fonts. This visual similarity enables scammers to create URLs that appear to belong to the genuine Booking.com domain but direct users to a malicious site.

Below is a copy of the phishing email shared by the security researcher:

Copy of phishing email shared by security researcher JamesWT

The text shown in the email, https://admin.booking.com/hotel/hoteladmin/..., is itself deceptive. While it looks like a Booking.com address, the hyperlink actually points to:

https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/

Phishing page as it appears in a web browser
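
The check below is an added example, not code from the article or the researcher: it parses the two URLs quoted above and reports the real host, any non-ASCII characters in it, and whether the displayed text and the link target belong to different domains. The function names are hypothetical, and taking the last two labels as the registrable domain is a simplifying assumption.

```python
import unicodedata
from urllib.parse import urlsplit

def registrable_domain(host):
    # Simplification (assumption): last two labels. Production code should
    # consult the Public Suffix List to handle suffixes such as co.uk.
    return ".".join(host.rstrip(".").split(".")[-2:])

def non_ascii_chars(host):
    """Return (char, code point, Unicode name) for each distinct non-ASCII char."""
    found = {}
    for ch in host:
        if ord(ch) > 127:
            found[ch] = (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
    return list(found.values())

def inspect_link(display_text, href):
    """Compare the URL a message displays with the URL its hyperlink targets."""
    # Everything up to the first real "/" after the scheme is the host, so a
    # slash lookalike such as U+3093 stays inside the hostname.
    href_host = urlsplit(href).hostname or ""
    shown_host = urlsplit(display_text).hostname or ""
    result = {
        "href_host": href_host,
        "href_domain": registrable_domain(href_host),
        "shown_domain": registrable_domain(shown_host) if shown_host else None,
        "non_ascii": non_ascii_chars(href_host),
    }
    result["text_href_mismatch"] = (
        bool(shown_host) and result["shown_domain"] != result["href_domain"]
    )
    result["suspicious"] = bool(result["non_ascii"]) or result["text_href_mismatch"]
    return result

# The two URLs quoted in the article (display text is truncated there as well).
DISPLAY = "https://admin.booking.com/hotel/hoteladmin/..."
HREF = "https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/"

if __name__ == "__main__":
    for key, value in inspect_link(DISPLAY, HREF).items():
        print(f"{key}: {value}")
```

Run against the article's link, the report shows that the domain actually contacted is www-account-booking.com and that the "booking.com" portion is only part of a longer subdomain label containing U+3093.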
