Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
It only took one too many! Phishing scam impersonating Booking.com using homoglyphs.

15 August 2025 12:13

Attackers have started using an unusual trick to disguise phishing links, making them appear as Booking.com addresses. The new malware campaign uses the Japanese hiragana character “ん” (U+3093). In some fonts and interfaces, it visually resembles a slash, making the URL appear to be a normal path on the site, although it actually leads to a fake domain.

Researcher JAMESWT discovered that the link in phishing emails looks like this:

https://admin.booking.com/hotel/hoteladmin/…

But it actually directs the user to an address of this form:

https://account.booking.comんdetailんrestrict-access.www-account-booking.com/en/

Everything before “www-account-booking[.]com” is just a subdomain that mimics the structure of the real site. The real registered domain belongs to the attackers. By clicking on it, the victim ends up on the page www-account-booking[.]com/c.php?a=0, which downloads a malicious MSI file from the CDN node updatessoftware.b-cdn[.]net.

According to analysis by MalwareBazaar and ANY.RUN, the installer distributes additional components, likely infostealers or remote access tools.

The technique relies on the use of homoglyphs, which are symbols that look like other symbols but belong to different alphabets or Unicode sets. Such symbols are often used in homograph and phishing attacks. An example is the Cyrillic “O” (U+041E), which is almost indistinguishable from the Latin “O” (U+004F). Despite browser and service developers adding protections against such substitutions, attacks continue to occur.
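The check below is an added example, not code from the researchers or from Booking.com. It applies the two points above (the brand sitting only in a subdomain, and the lookalike character in the host) to the two URLs quoted in this article. The function name `inspect_link` and the "last two labels" rule for the registered domain are assumptions made for the illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def inspect_link(url, expected_domain):
    """Report what a link's host really is, versus the brand it claims."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. That holds
    # for .com; production code should consult the Public Suffix List.
    registered = ".".join(labels[-2:])
    # Every distinct non-ASCII code point in the host, with its Unicode name.
    odd = [(f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
           for c in dict.fromkeys(host) if ord(c) > 0x7F]
    # ASCII (punycode) form of the host, the form used in DNS lookups.
    try:
        wire = host.encode("idna").decode("ascii")
    except UnicodeError:
        wire = None
    reasons = []
    if registered != expected_domain:
        reasons.append("registered domain is " + registered)
        if expected_domain in host:
            reasons.append("brand name appears only inside a subdomain")
    if odd:
        reasons.append("non-ASCII characters in host")
    return {"host": host, "registered": registered, "wire": wire,
            "non_ascii": odd, "reasons": reasons}


# Inputs: the two URLs quoted in the article (the first is truncated there).
GENUINE = "https://admin.booking.com/hotel/hoteladmin/…"
LURE = ("https://account.booking.comんdetailんrestrict-access"
        ".www-account-booking.com/en/")

if __name__ == "__main__":
    for link in (GENUINE, LURE):
        print(link)
        for key, value in inspect_link(link, "booking.com").items():
            print(f"  {key}: {value}")
```

An empty `reasons` list means the host ends in the expected domain and contains only ASCII characters; the `wire` field gives the ASCII form of the host to match against DNS and proxy logs.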

This isn’t the first time Booking.com has become a phishing bait. In March, Microsoft Threat Intelligence reported emails masquerading as a booking service that used the ClickFix technique to infect hotel employees’ computers. And in April, Malwarebytes researchers reported a similar scheme.

However, the use of homoglyphs like “ん” can fool even the most careful users, so it’s important to supplement caution with up-to-date antivirus software that can block the download of malicious content.


Sandro Sana
Member of the Red Hot Cyber Dark Lab team and director of the Red Hot Cyber Podcast. He has worked in Information Technology since 1990 and specialized in Cybersecurity since 2014 (CEH - CIH - CISSP - CSIRT Manager - CTI Expert). Speaker at SMAU 2017 and SMAU 2018, lecturer for SMAU Academy & ITS, and member of ISACA. He is also a member of the Scientific Committee of the national Competence Center Cyber 4.0, where he contributes to the strategic direction of research, training, and innovation activities in cybersecurity.
Areas of Expertise: Cyber Threat Intelligence, NIS2, Security Governance & Compliance, CSIRT & Crisis Management, Research, Disclosure, and Cyber Culture