
This Clever Phishing Scheme Makes Fake Websites Look Legit

A common piece of advice for identifying malicious links in emails or text messages is to look closely at the web address itself, such as by hovering over the URL before clicking through. Now, threat actors are attempting to fool even those with a critical eye by embedding lookalike characters in these URLs, so that links appear to direct to a legitimate domain but actually take you to a website that distributes malware.

A homograph attack targeting Booking.com

As reported by BleepingComputer, security researchers have identified a campaign that inserts the Japanese hiragana character “ん” into URLs. At a glance, this can look like a combination of the forward slash “/” commonly used in links, plus either “n” or “~,” so nothing seems suspicious. Of course, the link is actually malicious. This is known as a homoglyph or homograph attack, which exploits characters that look similar across different symbol sets or alphabets.

The current scheme targets Booking.com customers via phishing emails that contain fake links. The URL appears to go to a legitimate Booking.com address (https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/) but, thanks to the homoglyph, actually redirects to a lookalike that delivers malware to the user’s device. According to BleepingComputer, the malicious installer may deliver an infostealer, which could scrape your device for login credentials, financial data, or personal information; or a remote access trojan, which could allow bad actors to take over your machine from afar.

This isn’t the first phishing scam affecting Booking.com users in recent months. Earlier this year, threat actors set up spoofed websites with malicious CAPTCHA forms aimed at gaining remote access to victims’ devices. It also isn’t the only homograph attack currently running. BleepingComputer has identified phishing emails that, at first glance, appear to be from software provider Intuit, but direct to domains using “Lntuit,” which may fool users when viewed in lowercase in some fonts.

How to avoid a homograph attack

Always hover over links in unsolicited emails, texts, and social media messages (especially those with urgent calls to action related to account security) to see the destination before clicking through. The success of homograph attacks shows that visual inspection sometimes fails, but you should still carefully review the entire URL for any sneaky characters that may be hiding. BleepingComputer also advises paying extra attention to the rightmost end of the address before the first forward slash, which indicates the true destination (for example, www.lifehacker.com/).
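The check described above can be automated in a mail filter or link scanner. The following Python sketch is an added example, not code from BleepingComputer or the article: it extracts the hostname, lists any non-ASCII characters in it, and compares the rightmost part of the hostname with the domain the message claims to come from. The function names, the "last two labels" shortcut, and the `lntuit.example` sample are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Lure URL quoted in the article; \u3093 is the hiragana character "ん".
LURE = ("https://account.booking.com\u3093detail\u3093restric-access"
        ".www-account-booking.com/en/")
# Constructed samples: a genuine-looking link and an all-ASCII lookalike.
GENUINE = "https://account.booking.com/en/"
ASCII_LOOKALIKE = "https://lntuit.example/login"


def registered_domain(host):
    # Assumption: the last two labels form the registrable domain. Production
    # code should consult the Public Suffix List (for suffixes like .co.uk).
    return ".".join(host.split(".")[-2:])


def inspect_link(url, expected_domain):
    """Report where a link really goes versus the domain it should go to."""
    # Everything between "//" and the first "/" is the hostname; the lookalike
    # character is not a path separator, so it stays inside the hostname.
    host = urlsplit(url).hostname or ""
    odd = sorted({c for c in host if ord(c) > 127})
    real = registered_domain(host)
    return {
        "host": host,
        "registered_domain": real,
        "non_ascii": [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                      for c in odd],
        # An ASCII-only lookalike passes the character check, so the domain
        # comparison is what catches it.
        "suspicious": bool(odd) or real != expected_domain,
    }


if __name__ == "__main__":
    for url, expected in [(LURE, "booking.com"),
                          (GENUINE, "booking.com"),
                          (ASCII_LOOKALIKE, "intuit.com")]:
        print(inspect_link(url, expected))
```

For the lure URL, the report shows that the text before the first "ん" is only a prefix of a longer hostname and that the link belongs to `www-account-booking.com`.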

Of course, it’s best practice to skip links entirely and go directly to the website (or app) of the company you’ve supposedly received this urgent message from. From there, log into your account to view security settings, reset your password, or take additional actions. Malwarebytes Labs notes that keeping your browser up to date may also help protect against homograph attacks.


ZaKi
