Cyrillic Hooks: Unmasking the Phish in Plain Sight

Clicks Fuel Costly Phishing Breaches

Phishing attacks are very common and they are becoming more sophisticated. According to some studies, an estimated 3.4 billion phishing emails are sent out each day. Successful phishing attacks were reported to be the initial entry point for 34% of successful breaches.

The average data breach cost is $4.8 million. In 60% of confirmed breaches a misclick or lapse in judgement was a factor in the successful phishing attack. Because it relies on human error and a phishing campaign is easy to create, this type of attack continues to be effective for hackers, and their strategies are becoming more sophisticated.

Look Alike Letters Lead to Phishing Traps

Over the past couple of months there has been a bump in a newer type of phishing attack called a homograph attack. By using Cyrillic script, whose letters differ from those of other writing systems while looking alike, attackers are able to create look-alike URLs that visually appear legitimate. Although each character is similar in style, it is not the same character, and the link redirects users to malicious websites. From there malware can be deployed and forms can be used to harvest user credentials or other data.

One example of this was with the lntuit[.]com domain. Attackers used the similarity between the lowercase L and the capital I: visually similar, but malicious in nature.

A second example was with the popular Booking[.]com website. Attackers began using the Japanese character “ん” because it looks like a forward slash in a URL. In the image below, you can see an example of how this was used.

*Image taken from Guru Baran’s article in Cyber Security News.

Pause, Verify, and Protect

The first line of defense will always be our community. If an email, text, or phone call seems out of place, take a pause, raise a red flag, and reach out to support.

If an email contains time-sensitive instructions regarding user accounts or financial payments, first reach out to a trusted source using a verified communication method. Don’t respond to the malicious message.

Always look at who the email is coming from and verify that the email address is legitimate and not spoofed. 

If a message is asking you to follow a link, first hover the mouse over the link to see where the URL really goes. Just be careful not to fall for a homograph attack: the URL you see may still contain look-alike characters, so check it closely.
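The look-alike tricks described above (Cyrillic letters, “ん” standing in for a slash, lowercase L for capital I) can also be surfaced mechanically when a hovered or logged link is inspected. The following Python is an added example, not code from the original article; the brand list, the small confusable table and the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed brand list for the skeleton comparison; not from the article.
KNOWN_BRANDS = ("intuit.com", "booking.com")

# ASCII confusables: lowercase l for capital I (the lntuit case) plus two digit swaps.
# Deliberately small; a real deployment would use the Unicode confusables table.
ASCII_SKELETON = str.maketrans({"l": "i", "1": "i", "0": "o"})

# Hiragana "ん" renders much like a forward slash inside a URL.
SLASH_LOOKALIKES = {"\u3093"}


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, HIRAGANA, ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def decode_punycode(host: str) -> str:
    """Turn xn-- labels back into the Unicode a mail client would render."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep the raw form so it is still visible
        labels.append(label)
    return ".".join(labels)


def analyze_url(url: str) -> dict:
    """Return the rendered hostname, the scripts it uses and a list of homograph findings."""
    host = decode_punycode(urlsplit(url).hostname or "")
    findings, scripts = [], set()
    for ch in host:
        if ch in ".-" or ch.isdigit():
            continue  # structural characters carry no script information
        if ch in SLASH_LOOKALIKES:
            findings.append(f"slash look-alike U+{ord(ch):04X} in hostname")
        scripts.add(script_of(ch))
    foreign = scripts - {"LATIN"}
    if foreign:
        findings.append("non-Latin characters in hostname: " + ", ".join(sorted(foreign)))
    if len(scripts) > 1:
        findings.append("mixed scripts in hostname")
    skeleton = host.translate(ASCII_SKELETON)  # catches pure-ASCII look-alikes such as lntuit.com
    for brand in KNOWN_BRANDS:
        if host != brand and skeleton == brand.translate(ASCII_SKELETON):
            findings.append(f"ASCII look-alike of {brand}")
    return {"host": host, "scripts": sorted(scripts), "findings": findings}
```

Punycode (xn--) labels are decoded first because that is the form an email gateway or proxy log records, while the user sees the rendered Unicode.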

References and additional reading

https://deepstrike.io/blog/Phishing-Statistics-2025
https://cybersecuritynews.com/phishing-attack-uses-japanese-character/
https://www.pcmag.com/news/warning-watch-out-for-this-japanese-character-in-your-bookingcom-email