The actor of danger is taking advantage of a unicode character to appear like a fishing link that distributes malware in a new campaign in a new campaign.
The attack uses the Japanese Hirgana character, ん, which can appear on some systems, an forward slash and a fishing URL looks realistic to a person in a casual glance.
Bleepingcomputer has further come into an intuit phishing campaign, using a look domain using the letter L instead of ‘I’ in the intuit.
Booking.com using Japanese Homoglifs Fishing Link
Attack, first seen by security researcher GemsvetThe Japanese Hirgana character abuses “+3093), which is similar to the Latin letter sequence ‘/N’ or ‘/~’ at a quick glance in some fonts. This visual similarity enables scammers to create URLs that appear to be related to the actual booking.com domain, but direct users to a malicious site.
Below is a copy of the fishing email Shared by Security Researcher:
Lesson in email, Is misleading in itself. Although it may look like a booking.com address, the hyperlink indicates:
When presented in the address bar of a web browser, “varna users can try to think that they are navigating through the sub -guidelines of Booking.com.
In fact, the real registered domain is www-cossount-backing (.) comA malicious looks, and before everything is just a misleading subdoman string.
The victims clicking on the victims are eventually redirected:
www-account-booking(.)com/c.php?a=0
This in turn gives a malicious MSI installer from a CDN link, hts
Samples of malicious site are available at misuse. Malware marketWith someone. Analysis Showing the transition chain. The MSI file is used to leave forward payload, including potentially infostellers or remote access trojan.
This phishing strategy exploits symmetry. A symmetry is a character that looks similar to another character, but is related to a different character set or alphabet. These blind identical characters can be exploited in fishing attacks or to create misleading materials. For example, the cyarilic character “о” (U+041E) may look similar to the Latin letter “O” (U+004F) for a human, but they are different characters.
Given their visual similarities, Homoglifs has been taken advantage of time and time by the actors of danger in homeograph attacks and fishing emails. In the last few years, defenders and software developers also, Exclude safety measures This makes it easy for users to differentiate between different symmetry.
This is not the first time the danger actors have targeted Booking.com customers.
In March this year, Microsoft warned of fishing operations, which using Clickfix social engineering attacks to implement Booking.com and infect hospitality workers with Malware.
In 2023, Akamai revealed how the hackers were redirected to the hotel guests to fake booking.com sites for fake booking.
‘Lentuit’ is not intuit
Bleepingcomputer’s Sergi Gatlan saw a separate fishing campaign, in which users were targeted with intuit-themed emails.
These emails come to you and take you intuit.com Addresses, but use domains starting instead Lntuit-Which, in the lowercase, some fonts may have similar to “intuite”. A simple yet effective technique.
Unusually narrow layout of this email in desktop clients suggests that it was mainly designed to see the mobile, in which the “verify my email” with the attackers on mobile users “. Click on my email” without clicking on the fishing link without closely inspecting it.
Button takes users: https://intfdsl(.)us/sa5h17/
Interestingly, the illegal link, when the target is not directly accessed from the user’s email account, appears to the user back to redirect the valid intuit.com login page. https://acccounts.intuit.com/app/sign- in,
These incidents are a reminder that the attackers will continue to find creative ways to misuse typography for social engineering.
To protect yourself, always hover on the link before clicking to reveal the true goal.
Users should always examine the actual domain at the right end of the first single / from address – this is a real registered domain. Use of blind unicode characters such as “Di,” make additional obstacles, and shows that visual URL inspection is not silly alone.
The endpoint security software adds another layer of defense against updated attacks because modern fishing kits often distribute malware directly directly, after clicking on a fishing link.
The passwords broke in 46% of the atmosphere, almost doubled by 25% last year.
Picus Blue Report 2025 Now get a wider look at more conclusions on prevention, detection and data exfIs.
