Pixel-Perfect Phishing Meets Unicode Trickery
By Kevin Surace | 4 minute read
How “ん” And Clever Domain Spoofing Are Bypassing Legacy MFA — And Why Only Token Shuts The Door
In the evolving phishing landscape, attackers don’t need high-level exploits—they only need one cunning trick: swap in a lookalike character that fools the human eye. As detailed recently in BleepingComputer, Booking.com users fell victim to one such campaign, which leveraged the Japanese Hiragana “ん” (Unicode U+3093) to masquerade as a familiar URL path. It’s no text-only illusion; this is phishing with precision.
How The Attack Plays Out
In deceptive emails, recipients saw what looked like:
https://admin.booking.com/hotel/hoteladmin/...
But the actual hyperlink pointed to a string like:
https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/
In some fonts, that “ん” visually mimics “/n” or “/~”—so users believe they’re navigating within Booking.com. In truth, the registration ends with www-account-booking[.]com—a malicious look-alike domain, with the rest serving only as a faux subdomain “cloak” to misdirect the eye. Victims are then redirected to:
www-account-booking[.]com/c.php?a=0
Which initiates a download of a malicious MSI installer via:
https://updatessoftware.b-cdn[.]net/john/pr/04.08/IYTDTGTF.msi
Once executed, the installer drops infostealers or remote access trojans, per MalwareBazaar and Any.run analyses.
Two Phishing Scams, One Deceptive Technique
A simultaneous campaign targeted Intuit users—not by Unicode, but by typography. Attackers substituted the lowercase “i” with a lowercase “L” in domains like lntuit.com, nearly indistinguishable in many fonts—especially on mobile screens. Narrow email layouts encouraged quick taps on “verify my email” without inspection. Interestingly, opening the link directly sometimes redirects to the legitimate Intuit login page—a layer of deception to mask the fraud if clicked outside the phishing message context.
This is classic homoglyph phishing: exploiting similarity between dissimilar characters—here, Japanese ん vs slash-like shapes, or “l” vs “i”—to trick users by exploiting their inattention and their devices’ text-rendering quirks.
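As an added example (not code from the article or from Token), here is a small Python check that a mail gateway or link scanner could run over the URLs quoted above: it surfaces non-ASCII and mixed-script host labels (the “ん” trick), shows their punycode wire form, and flags registrable domains that merely embed or nearly match a watched brand (the “lntuit” trick). The watched-brand list is constructed for illustration, and the registrable-domain logic is deliberately naive.

```python
"""Flag URLs whose hostname imitates a watched brand, via non-ASCII or
mixed-script labels (the "ん" trick) or a lookalike domain (the "lntuit" trick)."""
from urllib.parse import urlsplit
import unicodedata

# Brands this check protects, keyed by registrable domain (constructed list).
WATCHED = {"booking.com", "intuit.com"}

def registrable_domain(host: str) -> str:
    """Last two labels. Naive on purpose: real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def letter_scripts(label: str) -> set:
    """Bucket letters by the first word of their Unicode name (LATIN, HIRAGANA, ...)."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character swaps such as l-for-i."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(url: str) -> list:
    """Return human-readable findings; an empty list means no red flag."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        if any(ord(c) > 127 for c in label):
            # The wire form is punycode; showing it makes the deception visible.
            findings.append(f"non-ASCII label {label!r} -> {label.encode('idna').decode()}")
        if len(letter_scripts(label)) > 1:
            findings.append(f"mixed-script label {label!r}")
    reg = registrable_domain(host)
    if reg in WATCHED:
        return findings  # registrable domain is the real brand
    for brand in sorted(WATCHED):
        name = brand.split(".")[0]
        if name in host:  # brand name used as a cloak in a subdomain or SLD
            findings.append(f"brand '{name}' used as bait, but site registers as {reg}")
        elif edit_distance(reg.split(".")[0], name) <= 1:
            findings.append(f"lookalike of {brand}: {reg}")
    return findings
```

Running `analyze` on the legitimate admin.booking.com link returns no findings, while the “ん” URL yields three (non-ASCII label, mixed-script label, and brand-as-bait) and lntuit.com yields a one-edit lookalike of intuit.com.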
Why Legacy MFA Can’t Stop These
Modern MFA methods fall apart under real-time relay attacks using such phishing. When users input credentials on a pixel-perfect fake, the attack proxies requests to the real site—mirroring login, triggering MFA push or OTP, then relaying approval. The user sees a successful login. The attacker gains full access. The user—and the system—never know they were duped.
SMS codes, TOTPs, push approvals and basic passkeys all fail here: none verify the website origin, and users can’t tell the difference. These methods assume the user can spot a fake—but when it’s flawless, that trust is fatal.
Why Only Token Stops It Cold
Token Ring and Token BioStick are architected to counter exactly this class of attack. Here’s why the relay chain collapses:
- Origin Binding
Every Token login is cryptographically bound to the exact domain it was registered on. When faced with www-account-booking.com or lntuit.com, Token refuses to respond. The spoofed site can’t trick the device into signing.
- Biometric Verification
Every Token login requires a live fingerprint. Remote relays and copied sessions fail outright.
- Proximity Enforcement
Token devices only operate when physically near the login device. Remote attackers never bridge that gap.
- No Shared Secrets
Unlike SMS codes or OTPs, Token never shares reusable credentials. The private key never leaves the device. There’s nothing to intercept, replay, or relay.
- Silent Failure
Spoofed sites simply get no response. The attacker gets nothing, the user sees failure, and no confusion or misleading success screens allow stealthy intrusion.
What This Means Now
Thanks to generative AI and accessible phishing kits, launching hundreds of pixel-perfect phishing pages, complete with Unicode or typographic traps, is trivially easy. Defenders and awareness training simply can’t keep up. Even security teams warn users to stop trusting SMS and push as secure MFA—they’re being bypassed every day.
The reality is brutal: Legacy MFA and Auth Apps are no defense—they are the attack vector.
Conclusion
Phishing is evolving and getting more precise. Homoglyph attacks using “ん” to mimic directory paths or “l” to fake “i” are becoming weaponized tricks, impossible for users to reliably detect. And when these meet real-time relay proxies, traditional MFA falls apart.
But defenders aren’t powerless. With Token’s domain-bound, biometric, proximity-based authentication, these phishing chains are dead on arrival. No credentials, no approvals, no relay—just failure. Token isn’t one more tool in the belt. It’s the deadbolt that these attacks fail to bypass.
Legacy MFA is overmatched. USB security keys were a step, but fall far short of zero-trust ideals. Token is the only way to turn the dial on phishing—now and for good.