This Clever Phishing Scheme Makes Fake Websites Look Real

A common tip for spotting malicious links in emails or text messages is to carefully examine the web address itself, such as by hovering over it before clicking the link. Now, attackers are trying to trick even the most observant users by embedding similar-looking characters into URLs. This makes the links appear to lead to a legitimate domain when they in fact lead to a site distributing malware.
Homograph Attack on Booking.com
As reported by BleepingComputer, security researchers have identified a campaign that inserts the Japanese hiragana character “ん” into URLs. At first glance, it may look like a combination of the slash “/” commonly used in links plus “n” or “~,” so nothing appears suspicious. Of course, the link is actually malicious. This is called a homoglyph or homograph attack, which uses characters that look similar across different character sets or alphabets.
The current scheme targets Booking.com customers with phishing emails that contain fake links. The URL appears to point to the real Booking.com address (https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/), but thanks to a homoglyph, it actually redirects to a lookalike that installs malware on the user’s device. According to BleepingComputer, the malicious installer could install an info-stealer that could steal your login credentials, financial data, or personal information, or a remote access trojan that could allow attackers to access your device from afar.
This isn’t the first phishing scam to affect Booking.com users in recent months. Earlier this year, attackers created fake websites with malicious CAPTCHA forms designed to gain remote access to victims’ devices. Nor is this the only homograph attack currently active. BleepingComputer has discovered phishing emails that at first glance appear to be from software provider Intuit, but lead to domains using “Lntuit,” which can mislead users when viewed in lowercase in some fonts.
How to Avoid a Homograph Attack
Always hover over links in unsolicited emails, text messages, and social media posts, especially those with strong calls to action related to account security, to see the final URL before clicking. Obviously, the success of homograph attacks means that visual inspection is sometimes ineffective, but you should still carefully examine the entire URL for hidden characters. BleepingComputer also recommends paying special attention to the right end of the address before the first slash, which indicates the true final URL (e.g. www.lifehacker.com/).
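As an added illustration (not from the article or from BleepingComputer's report), this Python script applies the check described above to the URL quoted earlier: it isolates the true host (everything between the scheme and the first slash), reads off the right end as the registrable domain, and lists any non-ASCII characters hiding in it. The sample URLs are the one quoted in the article plus a constructed clean one; the "last two labels" rule is a simplification, since real tooling would consult the public suffix list.

```python
import unicodedata
from urllib.parse import urlsplit

# Sample inputs: the lookalike URL quoted in the article, and a constructed
# clean address for comparison.
SUSPECT_URL = "https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/"
CLEAN_URL = "https://account.booking.com/en/"


def analyze_url(url: str) -> dict:
    """Report what the eye tends to miss: the real host, the domain that
    actually receives the click, and any non-ASCII characters in the host."""
    # hostname is everything after the scheme and before the first '/',
    # which is exactly the part the article says to read from the right.
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels.
    registrable = ".".join(labels[-2:])
    # Any character outside ASCII inside a host is worth a second look;
    # unicodedata.name() tells us which script it really comes from.
    non_ascii = [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if not ch.isascii()]
    return {
        "host": host,
        "registrable_domain": registrable,
        # The IDNA form is what the browser resolves: homoglyph labels
        # show up as 'xn--' punycode, which is hard to mistake for '/'.
        "idna_host": host.encode("idna").decode("ascii"),
        "non_ascii": non_ascii,
        "has_non_ascii_in_host": bool(non_ascii),
    }


if __name__ == "__main__":
    for url in (SUSPECT_URL, CLEAN_URL):
        print(url)
        for key, value in analyze_url(url).items():
            print(f"  {key}: {value}")
```

For the quoted URL the registrable domain comes out as www-account-booking.com, not booking.com, and the two “ん” characters are reported as HIRAGANA LETTER N.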
Of course, the best thing to do is skip the links entirely and go directly to the website (or app) of the company you think you’re receiving the urgent message from. From there, log in to your account to review your security settings, reset your password, or take additional steps. Malwarebytes Labs notes that regularly updating your browser can also help protect against homograph attacks.