Cybercriminals Use Unicode Character to Deceive Users
A new phishing campaign has been uncovered that targets Booking.com users by exploiting a Unicode character to disguise malicious links as legitimate ones. Threat actors are leveraging the Japanese hiragana character “ん” (Unicode U+3093), which in some fonts resembles a forward slash. This small detail allows attackers to craft URLs that look authentic at first glance but instead redirect victims to malicious websites.
How the Scam Works
The phishing emails mimic Booking.com communication, displaying what appears to be an official login link. However, instead of leading to the real Booking.com domain, the deceptive link contains the hiragana character “ん.” For instance, the fraudulent address https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/ tricks users into believing they are navigating within Booking.com. In reality, the true domain is www-account-booking[.]com, a fake lookalike designed to distribute malware.
Once victims click through, they are redirected to a page that delivers a malicious MSI installer from a content delivery network. This file is capable of dropping additional malware such as infostealers or remote access trojans, putting personal data, financial information, and system security at serious risk.
The Bigger Picture: Homoglyph Attacks
This phishing method relies on homoglyph attacks, where characters from different alphabets resemble each other visually but are technically distinct. Cybercriminals have long used homoglyphs to deceive users into trusting fake URLs or brands. For example, the Cyrillic letter “О” looks nearly identical to the Latin letter “O,” enabling attackers to impersonate domains with subtle but dangerous differences.
Previous Booking.com Phishing Campaigns
This is not the first time Booking.com has been in the spotlight for phishing threats. Earlier this year, Microsoft highlighted a ClickFix social engineering campaign targeting hospitality staff with Booking.com-themed malware. In 2023, Akamai researchers revealed how hotel guests were redirected to fake Booking.com websites designed to steal credit card details. These incidents underscore how attackers frequently exploit the platform’s popularity to maximize success.
Intuit Also Targeted
Alongside Booking.com, researchers also observed Intuit-themed phishing attacks. Criminals used a deceptive domain beginning with “Lntuit” instead of “Intuit,” banking on the similarity of lowercase “L” and “i” in certain fonts. These phishing emails often led to fake verification pages, redirecting mobile users who were less likely to scrutinize the domain. Interestingly, if the fraudulent link is accessed outside of the phishing email, it redirects to the legitimate Intuit login page—another layer of deception designed to avoid detection.
How to Protect Yourself
To stay safe, experts recommend a few simple but effective precautions:
- Hover over links before clicking to verify the true destination.
- Check the actual domain name: the real destination is the rightmost part of the hostname, the portion that ends just before the first single slash.
- Keep endpoint security software updated to block malware dropped through phishing kits.
- Be cautious on mobile devices, where deceptive domains are harder to spot.
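The domain check described above can be automated for links pulled from mail or proxy logs. The following is an added example, not code from the researchers or from Booking.com: it parses a link, reports the domain it actually resolves under, and lists any non-ASCII characters hidden in the hostname. The function names and the "last two labels" rule are assumptions made for this illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def registrable_domain(host):
    """Naive approximation: the last two labels of the hostname.

    Assumption for this example; production code should consult the
    Public Suffix List (needed for suffixes such as co.uk).
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url, expected_domain):
    """Report where a link really goes and which host characters are non-ASCII."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        # urlsplit rejects hosts that normalise to URL delimiters;
        # treat an unparseable host as suspicious in its own right.
        return {"host": None, "domain": None, "non_ascii": [], "suspicious": True}
    domain = registrable_domain(host)
    non_ascii = sorted({(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                        for c in host if ord(c) > 127})
    on_expected = domain == expected_domain.lower()
    return {
        "host": host,
        "domain": domain,
        "non_ascii": non_ascii,
        # Suspicious if it lands on another domain, or if the host of a
        # brand with an all-ASCII domain contains non-ASCII characters.
        "suspicious": (not on_expected) or bool(non_ascii),
    }


# The deceptive link quoted in the article; \u3093 is the hiragana "ん".
DECEPTIVE = ("https://account.booking.com\u3093detail\u3093restric-access"
             ".www-account-booking.com/en/")
# Constructed benign link for comparison.
GENUINE = "https://account.booking.com/en/"

if __name__ == "__main__":
    for link in (DECEPTIVE, GENUINE):
        print(inspect_link(link, "booking.com"))
```

For the deceptive link the report names www-account-booking.com as the domain and U+3093 as the hidden character, while the genuine link comes back clean.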
Conclusion
The use of Unicode characters like “ん” in phishing attacks shows how cybercriminals are evolving their tactics to bypass casual scrutiny. As phishing grows more sophisticated, users must remain vigilant, security tools must adapt, and organizations like Booking.com and Intuit must continue to enhance protective measures. Awareness and attention to detail remain the most powerful defense against these deceptive threats.





