In the evolving phishing landscape, attackers don’t need high-level exploits—they only need one cunning trick: swap in a lookalike character that fools the human eye. As detailed recently in BleepingComputer, Booking.com users fell victim to one such campaign that leveraged the Japanese Hiragana character “ん” (Unicode U+3093) to masquerade as a familiar URL path. It’s no text-only illusion; this is phishing with precision.
In deceptive emails, recipients saw what looked like:
https://admin.booking.com/hotel/hoteladmin/...
But the actual hyperlink pointed to a string like:
https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/
In some fonts, that “ん” visually mimics “/n” or “/~”, so users believe they’re navigating within Booking.com. In truth, the registrable domain is www-account-booking[.]com, a malicious look-alike domain; everything before it is a faux subdomain “cloak” that exists only to misdirect the eye. Victims are then redirected to:
www-account-booking[.]com/c.php?a=0
which in turn initiates a download of a malicious MSI installer from:
https://updatessoftware.b-cdn[.]net/john/pr/04.08/IYTDTGTF.msi
Once executed, the installer drops infostealers or remote access trojans, per MalwareBazaar and Any.run analyses.
A simultaneous campaign targeted Intuit users—not by Unicode, but by typography. Attackers substituted a lowercase “L” (l) for the lowercase “i” in domains like lntuit.com, nearly indistinguishable in many fonts, especially on mobile screens. Narrow email layouts encouraged quick taps on “verify my email” without inspection. Interestingly, opening the link directly sometimes redirects to the legitimate Intuit login page, a layer of deception that masks the fraud if the link is clicked outside the phishing message context.
This is classic homoglyph phishing: exploiting the visual similarity between distinct characters (here, the Japanese ん versus slash-like shapes, or “l” versus “i”) to trick users, relying on their inattention and on their devices’ text-rendering quirks.
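The defensive lesson from both campaigns is to judge a link by its parsed hostname and registrable domain, never by how the string renders. The following added example (written for this post, not code from BleepingComputer or Token) checks the two lure shapes described above: it flags non-ASCII characters in the hostname, shows the punycode form a resolver would actually see, spots a trusted brand name used as subdomain decoy, and compares a small confusable “skeleton” against trusted domains for the l/i swap. The TRUSTED list, the CONFUSABLE map and the two-label registrable-domain rule are simplifying assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Sample URLs: the lure and legitimate path quoted in the post, plus the Intuit typosquat shape.
LURE = "https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/"
LEGIT = "https://admin.booking.com/hotel/hoteladmin/"
TYPO = "https://lntuit.com/verify"  # constructed path on the lookalike domain named in the post

# Assumption: the organisation's allow-list of brand domains.
TRUSTED = ("booking.com", "intuit.com")

# Assumption: a tiny subset of Unicode confusables (the real table has thousands of entries).
CONFUSABLE = {"rn": "m", "vv": "w", "l": "i", "1": "i", "0": "o"}


def skeleton(s: str) -> str:
    """Map visually confusable sequences to one canonical form so lookalikes compare equal."""
    for src, dst in CONFUSABLE.items():
        s = s.replace(src, dst)
    return s


def registrable_domain(host: str) -> str:
    """Assumption: last two labels form the registrable domain (no public-suffix list, so co.uk etc. are wrong)."""
    return ".".join(host.split(".")[-2:])


def assess(url: str) -> dict:
    """Return the indicators a mail filter or URL-rewriting gateway would want to log for this link."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": reg,
        # What DNS actually resolves: non-ASCII labels become xn-- punycode labels.
        "punycode": host.encode("idna").decode("ascii"),
        # Every non-ASCII code point in the hostname, e.g. "U+3093 HIRAGANA LETTER N".
        "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in host if ord(c) > 127],
        # A trusted brand appearing in the hostname while the registrable domain is something else.
        "brand_decoy": [t for t in TRUSTED if t != reg and t in host],
        # Registrable domain that is confusable with a trusted one (the lntuit.com case).
        "lookalike_of": next((t for t in TRUSTED if reg != t and skeleton(reg) == skeleton(t)), None),
        "trusted": reg in TRUSTED,
    }


if __name__ == "__main__":
    for sample in (LURE, LEGIT, TYPO):
        print(assess(sample))
```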
Modern MFA methods fall apart under real-time relay attacks using such phishing. When users input credentials on a pixel-perfect fake, the attack proxies requests to the real site—mirroring login, triggering MFA push or OTP, then relaying approval. The user sees a successful login. The attacker gains full access. The user—and the system—never know they were duped.
SMS codes, TOTPs, push approvals and basic passkeys all fail here: none verify the website origin, and users can’t tell the difference. These methods assume the user can spot a fake—but when it’s flawless, that trust is fatal.
Token Ring and Token BioStick are architected to counter exactly this class of attack. Here’s why the relay chain collapses:
Thanks to generative AI and accessible phishing kits, launching hundreds of pixel-perfect phishing pages, complete with Unicode or typographic traps, is trivially easy. Defenders and awareness training simply can’t keep up. Even security teams warn users to stop trusting SMS and push as secure MFA—they’re being bypassed every day.
The reality is brutal: Legacy MFA and Auth Apps are no defense—they are the attack vector.
Phishing is evolving and getting more precise. Homoglyph attacks using “ん” to mimic directory paths or “l” to fake “i” are becoming weaponized tricks, impossible for users to reliably detect. And when these meet real-time relay proxies, traditional MFA falls apart.
But defenders aren’t powerless. With Token’s domain-bound, biometric, proximity-based authentication, these phishing chains are dead on arrival. No credentials, no approvals, no relay—just failure. Token isn’t one more tool in the belt. It’s the deadbolt that these attacks fail to bypass.
Legacy MFA is overmatched. USB security keys were a step, but fall far short of zero-trust ideals. Token is the only way to turn the dial on phishing—now and for good.