Menace actors are leveraging a Unicode character to make phishing hyperlinks appear as if respectable Reserving.com hyperlinks in a brand new marketing campaign distributing malware.
The assault makes use of the Japanese hiragana character, ん, which may, on some techniques, seem as a ahead slash and make a phishing URL seem lifelike to an individual at an informal look.
BleepingComputer has additional come throughout an Intuit phishing marketing campaign utilizing a lookalike area utilizing the letter L as an alternative of ‘i’ in Intuit.
Reserving.com phishing hyperlinks utilizing Japanese homoglyphs
The assault, first noticed by safety researcher JAMESWT, abuses the Japanese hiragana character “ん” (Unicode U+3093), which intently resembles the Latin letter sequence ‘/n’ or ‘/~’, at a fast look in some fonts. This visible similarity permits scammers to create URLs that seem to belong to the real Reserving.com area, however direct customers to a malicious web site.
Under is a duplicate of the phishing e mail shared by the safety researcher:
The textual content within the e mail, https://admin.reserving.com/resort/hoteladmin/… itself is misleading. Whereas it could appear to be a Reserving.com tackle, the hyperlink factors to:
https://account.reserving.comんdetailんrestric-access.www-account-booking.com/en/
When rendered in an online browser’s tackle bar, the ‘ん’ characters can trick customers into considering they’re navigating by way of a subdirectory of reserving.com.
In actuality, the precise registered area is www-account-booking[.]com, a malicious lookalike, and every thing earlier than that’s only a misleading subdomain string.
Victims who click on by way of are finally redirected to:
www-account-booking[.]com/c.php?a=0
This in flip delivers a malicious MSI installer from a CDN hyperlink, https://updatessoftware.b-cdn[.]internet/john/pr/04.08/IYTDTGTF.msi
Samples of the malicious web site can be found on abuse.ch’s MalwareBazaar, with any.run evaluation displaying the an infection chain. The MSI file is used to drop additional payloads, doubtlessly together with infostealers or distant entry trojans.
This phishing tactic exploits homoglyphs. A homoglyph is a personality that appears just like one other character however belongs to a distinct character set or alphabet. These visually related characters may be exploited in phishing assaults or to create deceptive content material. For instance, Cyrillic character “О” (U+041E) could seem similar to the Latin letter “O” (U+004F) to a human, however they’re completely different characters.
Given their visible similarities, homoglyphs have been leveraged time and time once more by risk actors in homograph assaults and phishing emails. Defenders and software program builders have additionally, over the previous couple of years, rolled out safety measures that make it simple for customers to tell apart between distinct homoglyphs.
This is not the primary time risk actors have focused Reserving.com clients both.
In March this yr, Microsoft warned of phishing campaigns impersonating Reserving.com and utilizing ClickFix social engineering assaults to contaminate hospitality staff with malware.
In 2023, Akamai revealed how hackers had been redirecting resort visitors to pretend Reserving.com websites to steal bank card info.
‘Lntuit’ not Intuit
BleepingComputer’s Sergiu Gatlan noticed a separate phishing marketing campaign involving customers being focused with Intuit-themed emails.
These emails seem to return from and take you to intuit.com addresses, however as an alternative use domains beginning with Lntuit—which, in lowercase, can resemble “intuit” in sure fonts. A easy but efficient method.
The unusually slender structure of this e mail in desktop shoppers suggests it was primarily designed for cell viewing, with attackers banking on cell customers clicking the “Confirm my e mail” phishing hyperlink with out intently inspecting it.
The button takes customers to: https://intfdsl[.]us/sa5h17/
Apparently, the illicit hyperlink, when accessed straight i.e. not from the goal person’s e mail account seems to redirect the person again to the respectable Intuit.com login web page at https://accounts.intuit.com/app/sign-in.
These incidents are a reminder that attackers will proceed to search out inventive methods to abuse typography for social engineering.
To guard your self, all the time hover over hyperlinks earlier than clicking to disclose the true goal.
Customers ought to all the time examine the precise area on the rightmost finish of the tackle earlier than the primary single / — that is the true registered area. Granted, the usage of visually misleading Unicode characters like ‘ん’ create extra hurdles, and demonstrates that visible URL inspection alone is not foolproof.
Preserving endpoint safety software program updated provides one other layer of protection towards assaults since trendy phishing kits usually ship malware straight, after a phishing hyperlink is clicked.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration traits.
