Hackers are making use of deceptive-looking Japanese characters to confuse people and infect Booking.com users with malware.
The phishing campaign, first spotted by Bleeping Computer, uses the Japanese letter “ん,” which can, particularly in some fonts, look pretty similar to a forward slash if you’re not paying close attention. Strange-looking links and URLs, which differ from the authentic website, are one of the best-known indications of a phishing attack. But using this technique allows scammers to get users to click on a link without noticing it isn’t the real deal.
According to screencaps shared on X by independent security researcher JAMESWT, the fake emails sent to victims contain legitimate-looking links. However, the address that the link text actually points to is fake and redirects victims to a malicious copy of the Booking.com website. Because the fake link uses the Japanese “ん” character in place of the conventional forward slash, it can avoid detection.
Unsuspecting users are then taken through a series of different web pages, before an MSI file is used to spread malicious payloads such as infostealers or remote access trojans.
Homoglyphs—characters in certain alphabets which closely resemble letters in other alphabets—have been widely exploited by cybercriminals in recent years.
In February 2025, researchers at Trend Micro uncovered a phishing campaign targeting Ukrainian organizations that exploited the visual similarity between the Cyrillic letter “С” and the Latin letter “C” to spoof links. The Cyrillic alphabet, which is used in languages like Russian, Ukrainian, and Bulgarian, has many characters in common with English, but often with slight variations in form, sounds, and meanings.
In that campaign, these deceptive characters tricked users into clicking on fake Microsoft Word .doc files, covertly sneaking in the Cyrillic “С,” and triggering an exploit in the process.
But cybercriminals don’t even need to leverage exotic foreign languages for these types of homograph attacks to work. Another Bleeping Computer journalist recently spotted a phishing campaign targeting users of the popular accounting tool Intuit. The hackers exploited the visual similarity between the lowercase letter “l” and the lowercase letter “i” to trick users into trusting phishing emails with the @lntuit.com ending.
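A defender-side check for the lookalike links described above, added here as an example (it is not code from the article or the researchers it cites): it parses the real link target, names any non-ASCII characters in the hostname, and confirms the host is genuinely under the expected domain, which also catches ASCII-only lookalikes such as lntuit.com. The sample URLs and the `example.test` domain are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def inspect_link(href, expected_domain):
    """Check where a link really goes, independent of how it is displayed."""
    host = (urlsplit(href).hostname or "").rstrip(".")
    # Name every non-ASCII code point in the host, so an analyst sees
    # "HIRAGANA LETTER N" instead of a glyph that resembles "/".
    non_ascii = sorted({f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                        for c in host if ord(c) > 127})
    # The host must be the expected domain or a true subdomain of it.
    # A substring match is not enough: the brand can sit in a decoy label.
    under_expected = (host == expected_domain
                      or host.endswith("." + expected_domain))
    return {
        "host": host,
        "non_ascii": non_ascii,
        "under_expected": under_expected,
        "decoy": expected_domain in host and not under_expected,
        "suspicious": bool(non_ascii) or not under_expected,
    }


# Constructed sample links (example.test is a placeholder, not a real IoC).
SAMPLES = [
    ("https://account.booking.comんdetailんlogin.example.test/en/", "booking.com"),
    ("https://secure.booking.com/myreservations", "booking.com"),
    ("https://lntuit.com/signin", "intuit.com"),  # ASCII-only lookalike
]

if __name__ == "__main__":
    for href, expected in SAMPLES:
        r = inspect_link(href, expected)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(verdict, r["host"], r["non_ascii"], "decoy" if r["decoy"] else "")
```

In the first sample the browser treats everything up to `example.test` as the hostname, so the `booking.com` text is only a subdomain label of a different site.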
About Will McCurdy
Contributor
