Carder.life

Booking.com phishing campaign uses sneaky 'ん' character to trick you

Artifact 08-15-2025 07:28 PM

<div id="post_message_809324">

Threat actors are leveraging a Unicode character to make phishing links appear like legitimate Booking.com links in a new campaign distributing malware.<br/>
<br/>
The attack makes use of the Japanese hiragana character, ん, which can, on some systems, appear as a forward slash and make a phishing URL appear realistic to a person at a casual glance.<br/>
<br/>
BleepingComputer has also come across an Intuit phishing campaign that uses a lookalike domain with the letter L in place of the 'i' in Intuit.<br/>
<br/>
<b><font size="4">Booking.com phishing links using Japanese homoglyphs</font></b><br/>
<br/>
The attack, first spotted by security researcher <a href="https://x.com/JAMESWT_WT" target="_blank">JAMESWT</a>, abuses the Japanese hiragana character “ん” (Unicode U+3093), which closely resembles the Latin letter sequence '/n' or '/~' at a quick glance in some fonts. This visual similarity enables scammers to create URLs that appear to belong to the genuine Booking.com domain, but direct users to a malicious site.<br/>
<br/>
Below is a copy of the phishing email <a href="https://x.com/JAMESWT_WT/status/1955060839569870991" target="_blank">shared by</a> the security researcher:<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1164866/2025/Aug/booking.com-phishing/email.jpeg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Copy of phishing email shared by security researcher JamesWT

</td>
</tr>
</table>
</div>The text in the email, <i><a href="https://admin.booking.com/hotel/hoteladmin/" target="_blank">https://admin.booking.com/hotel/hoteladmin/</a></i>... itself is deceptive. While it may look like a Booking.com address, the hyperlink points to:<br/>
<br/>
<i><font color="Red">https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/</font></i><br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1164866/2025/Aug/booking.com-phishing/booking-bleeping-url.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Phishing page as it appears in a web browser

</td>
</tr>
</table>
</div>When rendered in a web browser's address bar, the 'ん' characters can trick users into thinking they are navigating through a subdirectory of booking.com.<br/>
<br/>
In reality, the actual registered domain is <i>www-account-booking[.]com</i>, a malicious lookalike, and everything before that is just a deceptive subdomain string.<br/>
<br/>
Victims who click through are eventually redirected to:<br/>
<br/>
<i><font color="red">www-account-booking[.]com/c.php?a=0</font></i><br/>
<br/>
This in turn delivers a malicious MSI installer from a CDN link, <i>https://updatessoftware.b-cdn[.]net/john/pr/04.08/IYTDTGTF.msi</i><br/>
<br/>
Samples of the malicious site are available on abuse.ch's <a href="https://bazaar.abuse.ch/browse/tag/www-account-booking--com/" target="_blank">MalwareBazaar</a>, with any.run <a href="https://app.any.run/tasks/35618d39-0189-4eec-87f0-ce918ecf95f4" target="_blank">analysis</a> showing the infection chain. The MSI file is used to drop further payloads, potentially including infostealers or remote access trojans.<br/>
<br/>
This phishing tactic exploits homoglyphs. A homoglyph is a character that looks similar to another character but belongs to a different character set or alphabet. These visually similar characters can be exploited in phishing attacks or to create misleading content. For example, the Cyrillic character "О" (U+041E) may appear identical to the Latin letter "O" (U+004F) to a human, but they are different characters.<br/>
<br/>
Given their visual similarities, homoglyphs have been leveraged <a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-lookalike-domains-and-favicons-for-credit-card-theft/" target="_blank">time and time again</a> by threat actors in <a href="https://www.bleepingcomputer.com/news/security/chrome-firefox-and-opera-vulnerable-to-undetectable-phishing-attack/" target="_blank">homograph attacks</a> and phishing emails. Defenders and software developers have also, over the last few years, <a href="https://wiki.mozilla.org/IDN_Display_Algorithm" target="_blank">rolled out security measures</a> that make it easy for users to distinguish between distinct homoglyphs.<br/>
<br/>
This isn't the first time threat actors have targeted Booking.com customers either.<br/>
<br/>
In March this year, Microsoft warned of phishing campaigns impersonating Booking.com and using ClickFix social engineering attacks to infect hospitality workers with malware.<br/>
<br/>
In 2023, Akamai revealed how hackers were redirecting hotel guests to <a href="https://www.bleepingcomputer.com/news/security/hotel-hackers-redirect-guests-to-fake-bookingcom-to-steal-cards/" target="_blank">fake Booking.com sites</a> to steal credit card information.<br/>
<br/>
<b><font size="4">'Lntuit' not Intuit</font></b><br/>
<br/>
BleepingComputer's <a href="https://www.bleepingcomputer.com/author/sergiu-gatlan/" target="_blank">Sergiu Gatlan</a> spotted a separate phishing campaign involving users being targeted with Intuit-themed emails.<br/>
<br/>
These emails appear to come from and take you to <i>intuit.com addresses</i>, but instead use domains starting with <i>Lntuit</i>—which, in lowercase, can resemble "<i>intuit</i>" in certain fonts. A simple yet effective technique.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1164866/2025/Aug/booking.com-phishing/desktop-intuit.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Intuit phishing email from 'Lntuit.com' viewed on Mailspring for macOS (Sergiu Gatlan)

</td>
</tr>
</table>
</div>The unusually narrow layout of this email in desktop clients suggests it was primarily designed for mobile viewing, with attackers banking on mobile users clicking the "Verify my email" phishing link without closely inspecting it.<br/>
<br/>
The button takes users to: <i><font color="red">https://intfdsl[.]us/sa5h17/</font></i><br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1164866/2025/Aug/booking.com-phishing/mobile-intuit.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

How Intuit phishing email appears on mobile (Sergiu Gatlan)

</td>
</tr>
</table>
</div>Interestingly, the illicit link, when accessed directly (i.e., not from the target user's email account), appears to redirect the user back to the legitimate Intuit.com login page at <i><a href="https://accounts.intuit.com/app/sign-in" target="_blank">https://accounts.intuit.com/app/sign-in</a></i>.<br/>
<br/>
These incidents are a reminder that attackers will continue to find creative ways to abuse typography for social engineering.<br/>
<br/>
To protect yourself, always hover over links before clicking to reveal the true target.<br/>
<br/>
Users should always check the actual domain at the rightmost end of the address before the first single /: this is the real registered domain. Granted, the use of visually deceptive Unicode characters like 'ん' creates additional hurdles, and demonstrates that visual URL inspection alone isn't foolproof.<br/>
<br/>
Keeping endpoint security software up to date adds another layer of defense against attacks, since modern phishing kits often deliver malware directly after a phishing link is clicked.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/bookingcom-phishing-campaign-uses-sneaky-character-to-trick-you" target="_blank">@ BleepingComputer </a>
</div>
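
As an added example (not part of the original post or the BleepingComputer article), this Python sketch applies the checks described above to an HTML email body: it compares the registered domain shown in a link's text with the one in its href, and flags non-ASCII characters such as 'ん' (U+3093) in the hostname. The function names, the constructed sample and the last-two-labels approximation of the registered domain are assumptions of this example.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

def inspect_host(url):
    """Return (hostname, naive registered domain, non-ASCII chars in the host)."""
    host = urlsplit(url).hostname or ""
    # Assumption: registered domain = last two labels. Production tooling should
    # consult the Public Suffix List so suffixes such as co.uk are handled.
    registered = ".".join(host.split(".")[-2:])
    odd = [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
           for c in sorted(set(host)) if ord(c) > 0x7F]
    return host, registered, odd

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        _, registered, odd = inspect_host(href)
        reasons = []
        if odd:  # a slash lookalike can only be a non-ASCII character in the host
            reasons.append("non-ASCII in hostname: "
                           + ", ".join(f"{c} {cp} {name}" for c, cp, name in odd))
        if text.lower().startswith(("http://", "https://")):
            shown = inspect_host(text)[1]
            if shown != registered:  # displayed URL and real target disagree
                reasons.append(f"text shows {shown}, link goes to {registered}")
        findings.append((href, registered, reasons))
    return findings

# Constructed sample: the visible text and link target quoted in the article above.
SAMPLE = ('<a href="https://account.booking.comんdetailんrestric-access'
          '.www-account-booking.com/en/">https://admin.booking.com/hotel/hoteladmin/</a>')
```

Calling `audit(SAMPLE)` returns one finding whose registered domain is the lookalike rather than booking.com, with both reasons attached.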

