New Clever Phishing Attack Uses Japanese Character “ん” to Mimic Forward Slash


Security researchers have uncovered a sophisticated new phishing campaign that exploits the Japanese hiragana character “ん” to create deceptively authentic-looking URLs that can fool even vigilant internet users.

The attack, first identified by security researcher JAMESWT, specifically targets customers of the popular travel booking platform Booking.com.

The malicious technique leverages the visual similarity between the Japanese character “ん” (Unicode U+3093) and the forward slash (“/”) character in certain fonts and systems.


When rendered in web browsers, URLs containing this character can appear virtually identical to legitimate subdirectory paths, creating an almost perfect illusion of authenticity.

How the Phishing Attack Works

The phishing campaign uses URLs that appear to be legitimate Booking[.]com addresses, such as what looks like “https://account.booking[.]com/detail/restric-access.www-account-booking[.]com/en/”.

However, upon closer examination, the forward slashes are actually replaced with the Japanese “ん” character, making the real destination a completely different domain: www-account-booking[.]com.
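A defender-side check for this trick, as an added example that is not from the original article: it extracts the host the way a browser does (the authority ends at the first ASCII "/", "?" or "#"), flags slash-lookalike characters inside it, and shows the punycode form that appears in DNS and proxy logs. The sample URL is reconstructed from the article's description and kept defanged; the lookalike set beyond U+3093, the function names and the last-two-labels domain heuristic are assumptions of this example.

```python
import re
import unicodedata

# U+3093 is the character the article describes; the other entries are an
# assumed, non-exhaustive extension of the same idea.
SLASH_LOOKALIKES = {"\u3093", "\u2044", "\u2215", "\u29f8", "\uff0f"}

def refang(url: str) -> str:
    """Undo the [.] defanging used in threat reports."""
    return url.replace("[.]", ".")

def real_host(url: str) -> str:
    """Return the host a browser would connect to."""
    rest = url.split("://", 1)[-1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]  # ASCII delimiters only
    host = authority.rsplit("@", 1)[-1]                  # drop userinfo
    return re.sub(r":\d+$", "", host).lower()            # drop port

def inspect_url(url: str, expected_domain: str) -> dict:
    """Report where a link really goes and whether it hides a fake slash."""
    host = real_host(refang(url))
    hits = sorted({f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                   for c in host if c in SLASH_LOOKALIKES})
    try:
        ascii_host = host.encode("idna").decode("ascii")  # form seen in DNS logs
    except UnicodeError:
        ascii_host = None
    # Naive heuristic: last two labels. Production code should consult the
    # Public Suffix List instead.
    registered = ".".join(host.split(".")[-2:])
    on_expected = host == expected_domain or host.endswith("." + expected_domain)
    return {"host": host, "ascii_host": ascii_host, "lookalikes": hits,
            "registered_domain": registered, "on_expected_domain": on_expected,
            "suspicious": bool(hits) or not on_expected}

# Constructed sample, defanged: the article's URL with its first two path
# slashes replaced by U+3093, as the article describes.
SPOOFED = ("https://account.booking[.]com\u3093detail\u3093restric-access"
           ".www-account-booking[.]com/en/")
GENUINE = "https://account.booking[.]com/detail/"

if __name__ == "__main__":
    for sample in (SPOOFED, GENUINE):
        print(inspect_url(sample, "booking.com"))
```

The same check can run over link targets in an email gateway or proxy log, alerting on any host that contains a flagged character or an unexpected `xn--` label.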


“This visual deception is particularly dangerous because it bypasses traditional security awareness training,” explains a cybersecurity expert in an analysis from recent threat intelligence reports. “Users who have been taught to carefully examine URLs may still fall victim because the spoofed address appears legitimate at first glance.”


Analysis by Cybersecuritynews.com with the ANY.RUN sandbox reveals that the attack begins with phishing emails that direct victims to these disguised URLs.

Once users click through, they are eventually redirected to malicious sites that deliver MSI installer files containing malware, potentially including information stealers and remote access trojans.

This Booking[.]com-focused campaign represents the latest evolution in homograph attacks, where cybercriminals exploit visually similar characters from different Unicode character sets to deceive users. The technique builds on years of similar attacks using Cyrillic characters to mimic Latin letters in domain names.

According to the 2025 Phishing Trends Report, homograph attacks have become increasingly sophisticated as cybercriminals seek new ways to bypass email filters and security tools.

The use of the Japanese “ん” character is particularly clever because it maintains visual consistency while circumventing many existing detection systems.

Security experts recommend several protective measures against these Unicode-based attacks. Users should hover over links before clicking to reveal the actual destination URL, though this technique has limitations when dealing with sophisticated character spoofing.

Modern browsers like Chrome have implemented protections against many homograph attacks, but security researchers emphasize that visual URL inspection alone is no longer foolproof.

The most effective defense combines updated security software, email filtering, and user education about these evolving attack vectors.

As phishing campaigns continue to evolve, this Japanese character exploitation demonstrates how cybercriminals constantly adapt their techniques to exploit even the smallest visual ambiguities in digital communication systems.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.