A newly discovered phishing campaign is leveraging a Unicode homoglyph trick to impersonate Booking.com and distribute malicious MSI installers capable of delivering infostealers or remote access trojans (RATs).
This attack, spotted by security researcher JamesWT, exploits the Japanese hiragana character “ん” (U+3093), which can visually resemble a forward slash (“/”) or “/n” in certain fonts, especially on smaller screens or mobile devices.
The campaign’s sophistication lies in its combination of typography abuse, social engineering, and direct malware delivery, bypassing the user’s usual domain inspection habits.

Technical Breakdown
Homoglyph Attack Mechanics
- Example deceptive link in phishing email:
https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/
- The legitimate-looking portion (account.booking.com) is not the real domain — everything before the real domain is crafted to look like part of Booking.com’s URL path.
- The actual registered domain is:
www-account-booking[.]com
- Attackers use subdomain stuffing with homoglyphs to simulate directory navigation inside Booking.com.
Visual Example — User View vs. Actual Domain:
What User Sees | Actual Domain Ownership |
---|---|
booking.comんdetailんrestric-access.www-account-booking.com | www-account-booking[.]com |
Malware Delivery
When a victim clicks the link:
- They are redirected to:
www-account-booking[.]com/c.php?a=0
- That page forces a download of:
https://updatessoftware.b-cdn[.]net/john/pr/04.08/IYTDTGTF.msi
- The MSI file is an initial stage malware dropper.
- Analysis from MalwareBazaar and any.run indicates that it likely installs:
  - Information stealers (browser data, saved credentials, crypto wallets)
  - RATs (Remote Access Trojans) for persistent access
Sample Infection Chain:
Phishing Email → Fake Booking.com Link (with ん) → Redirect to Lookalike Domain → Download Malicious MSI → Install Infostealer/RAT
Related Campaigns – “Lntuit” Phishing
BleepingComputer also identified a parallel campaign targeting Intuit users:
- Attackers replace the lowercase “i” with an uppercase “L” in the domain:
Lntuit.com
- On certain fonts, “Lntuit” can be indistinguishable from “Intuit”.
- These phishing emails:
  - Are optimized for mobile viewing (narrow layout)
  - Direct users to fake login pages or malicious links
  - Redirect back to legitimate Intuit login if accessed out-of-context, to reduce suspicion
How This Technique Works — Homoglyph Exploitation
A homoglyph is a character from one alphabet that visually resembles a character from another alphabet but has a different Unicode value.
Examples:
- Japanese “ん” (U+3093) looks like Latin “/n” in some fonts.
- Cyrillic “о” (U+043E) is indistinguishable from Latin “o” (U+006F) in many fonts.
Technical Example — URL Parsing
A legitimate Booking.com link:
https://account.booking.com/detail/reservation
An attacker’s homoglyph-based link:
https://account.booking.comんdetailんsecure-access.www-booking-secure[.]com
The browser correctly resolves the registered domain as:
www-booking-secure[.]com
Everything before it (booking.comんdetailんsecure-access.) is just a subdomain string.
Real-World Exploitation Examples
Example 1 — Hospitality Staff Targeting
An attacker could send a fake “urgent reservation update” email to hotel staff:
Please confirm this reservation update:
https://admin.booking.comんreservationんurgent.www-secure-booking-confirm[.]com
The staff, recognizing “admin.booking.com” at the start, might not check the rightmost registered domain.
Example 2 — Mobile User Trap
On mobile:
- Limited screen width may truncate the URL after booking.comんdetail..., hiding the malicious registered domain.
- The smaller font makes homoglyph differences even harder to spot.
Example 3 — Multi-Service Campaign
Attackers can pivot the homoglyph trick to other brands:
- Replacing / or - with homoglyph equivalents in Google Docs, PayPal, or Microsoft login URLs.
- Embedding homoglyphs inside QR codes sent to targets.
Defensive Recommendations
- Domain Awareness – Always check the rightmost domain segment before the first /.
- Security Awareness Training – Teach staff about homoglyph & homograph attacks.
- Email Filtering – Flag URLs containing suspicious Unicode characters.
- Endpoint Security – Ensure endpoint protection scans MSI and executable downloads.
- Browser Protections – Use security features that highlight mixed character sets in URLs.
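The URL parsing behaviour and the email-filtering recommendation above can be combined into one check. The following is an added example, not code from the original article: it parses a link, reports the registered domain, and flags non-ASCII characters and brand names stuffed into subdomains. The brand list, the short suffix set (a stand-in for the Public Suffix List) and the sample URLs are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; use the real list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Hypothetical list of brand domains the filter protects.
PROTECTED_BRANDS = ("booking.com", "intuit.com")

# Constructed samples; lookalike-booking.example is a placeholder, not a campaign domain.
PHISH = "https://account.booking.comんdetailんrestric-access.lookalike-booking.example/en/"
LEGIT = "https://account.booking.com/detail/reservation"


def registrable_domain(host):
    """Return the rightmost registrable domain (simplified suffix handling)."""
    labels = host.rstrip(".").split(".")
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def inspect_url(url):
    """Parse the URL the way a browser does and report homoglyph red flags."""
    host = (urlsplit(url).hostname or "").lower()
    registered = registrable_domain(host)
    findings = []
    # Any non-ASCII code point in the host deserves a look, e.g. U+3093 posing as "/".
    for ch in sorted({c for c in host if ord(c) > 127}):
        findings.append(f"non-ASCII U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')} in host")
    # Brand text that appears in the host but is not the registered domain.
    for brand in PROTECTED_BRANDS:
        if brand in host and registered != brand:
            findings.append(f"'{brand}' appears in host, but registered domain is '{registered}'")
    return {"host": host, "registered": registered, "findings": findings}


if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        report = inspect_url(sample)
        print(report["registered"], report["findings"] or "clean")
```

This check covers the subdomain-stuffing case only; ASCII lookalikes such as the “Lntuit” domain need a separate confusable-character comparison.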
This campaign proves that visual URL inspection is no longer sufficient. Attackers are using Unicode tricks that pass casual inspection and even evade some automated defenses, making technical validation of domain names a necessity.