Formosa Plastics Logo
Formosa USA / Inteplast SOC Team · Study Note
SOC Study Note · 04 / 16 / 2026
SOC Study Note · 04 / 16 / 2026

同形異義字攻擊 Demo
IDN Homograph Attack

IDN Homograph Attack
Awareness Demo

本 study note 取材自 BBC 最新報導的 Booking.com 資料外洩案例 —— 攻擊者如何結合 credential theftreservation hijackingIDN homograph spoofing,打造一條讓使用者幾乎無法察覺的 phishing kill chain。

This study note is based on BBC's reporting on the Booking.com data leak — how attackers chain credential theft, reservation hijacking, and IDN homograph spoofing into a phishing kill chain that victims cannot realistically detect.

📎 Source: bbc.com/news/articles/cly00jnnxypo

📎 Source: bbc.com/news/articles/cly00jnnxypo

▸ 現場實驗
▸ Live Experiment
下面兩個連結,哪一個是假的?
Which of these two links is fake?
⚠️ 點下去看網址列 —— 第二個會變成 xn--fpcus-8ve.com, 瀏覽器可能跳出警告。兩個連結顯示的文字在肉眼上幾乎無法分辨。
⚠️ Click and watch the address bar — the second becomes xn--fpcus-8ve.com, and your browser may warn you. To the human eye, the two links look identical.

完整攻擊鏈 · Attack Kill Chain

The Full Attack Kill Chain

很多人以為「使用者資料外洩」只是終端使用者自己不小心 —— 但實際上, 在 Booking.com 這種案例裡,受害者的資料是先從平台端被偷走的。 整條 kill chain 大致長這樣:

Most people assume user data leaks come from careless end-users. But in cases like Booking.com, victim data is first stolen from the platform side. The full kill chain looks like this:

01
Initial Access

攻擊 Booking.com 的飯店合作夥伴

Target Booking.com's hotel partners

攻擊者不直接打 Booking.com 主系統(太硬),而是鎖定它的 partner hotels。透過 spear phishing email (偽裝成 Booking.com 官方通知、客訴、訂單爭議)誘使飯店員工點擊連結, 在飯店內部端點植入 info-stealer malware(例如 Vidar、RedLine、Lumma)。

Attackers don't hit Booking.com's core systems (too hardened). They target partner hotels with spear phishing emails — posing as Booking.com support, guest complaints, or reservation disputes — to drop info-stealer malware (Vidar, RedLine, Lumma) onto hotel endpoints.

02
Credential Theft

竊取 Extranet 後台登入憑證

Steal Extranet admin credentials

Info-stealer 會抓取瀏覽器儲存的 credentialssession cookiesauthentication tokens。 攻擊者拿到飯店的 Booking.com Extranet admin panel 登入權限 —— 這是飯店管理訂房、聯絡房客、查看付款資料的後台。

Info-stealers exfiltrate browser-stored credentials, session cookies, and authentication tokens. Attackers gain access to the hotel's Booking.com Extranet admin panel — where reservations, guest messaging, and payment data live.

03
Dark Web Monetization

在暗網掛單,尋找買家或合作夥伴

Monetize on dark-web forums

BBC 報導指出,攻擊者在 dark web forums 張貼廣告, 願意花最高 $2,000 USD 收購飯店的 Extranet credentials。 這形成一個 Initial Access Broker(IAB) 的交易生態。

BBC reported that threat actors post ads on dark web forums, offering up to $2,000 USD per set of Extranet credentials. This forms a thriving Initial Access Broker (IAB) marketplace.

04
Reconnaissance

從後台取得使用者 PII 與訂房資料

Exfiltrate guest PII and reservation data

登入 Extranet 後,攻擊者可以看到所有房客的 Personally Identifiable Information (PII) —— 姓名、email、電話、入住 / 退房日期、訂房編號、部分信用卡資料。 這裡是整條鏈中最關鍵的一步:user 的資料在這個時間點就已經外洩了, 使用者本人還完全不知道。

Once inside the Extranet, attackers harvest guest Personally Identifiable Information (PII) — names, emails, phone numbers, check-in/out dates, booking IDs, partial card data. This is the critical pivot: user data is already compromised at this stage, and the victim has no idea.

05
Social Engineering

偽裝飯店,發送高擬真釣魚訊息(Reservation Hijacking)

Impersonate the hotel · Reservation Hijacking

攻擊者用被盜的 Extranet 帳號,透過 Booking.com 官方訊息系統 或 WhatsApp / SMS 聯絡房客,訊息裡精準寫出正確的飯店名、日期、訂房編號。 受害者正在等飯店聯絡、訊息又 100% 合法 —— 這就是 Norton 所稱的 "Reservation Hijacking",比傳統 phishing 威脅等級高出數倍。

Using stolen Extranet accounts, attackers message guests through Booking.com's official messaging system or WhatsApp/SMS, referencing real hotel names, dates, and booking IDs. The victim is expecting this message and it's 100% legitimate-looking — this is what Norton calls "Reservation Hijacking", orders of magnitude more dangerous than generic phishing.

06
◆ IDN Homograph ◆

訊息中夾帶同形異義字假連結

Embed an IDN homograph fake link

訊息裡的付款連結用 IDN homograph spoofing 偽裝 —— 例如 booking.com 裡的 o 被西里爾 о 取代, 實際會導向 xn--bking-qmb.com。 受害者肉眼看到的是熟悉的網址,點下去卻進入 attacker-controlled fake payment page,頁面視覺 100% 複製官網。

The payment link in the message uses IDN homograph spoofing — e.g. the o in booking.com replaced with Cyrillic о, actually resolving to xn--bking-qmb.com. The victim sees a familiar URL, but lands on an attacker-controlled fake payment page with pixel-perfect branding.

07
Impact

取得信用卡 / 誘導銀行轉帳

Harvest cards · Trigger wire transfers

在假的付款頁面,受害者輸入信用卡資料被 card skimming 擷取;或被誘導進行 wire transfer fraud。資金一旦離開帳戶,追回機率極低。 澳洲 ACCC 資料顯示此類攻擊年成長 580%

On the fake payment page, card data is captured via card skimming or the victim is pushed into a wire transfer fraud. Once funds leave the account, recovery is unlikely. Australia's ACCC reports this attack class has grown 580% year-over-year.

💡 關鍵洞察
💡 Key Insight

這條 kill chain 的可怕之處:前 5 步使用者完全無感。 當受害者看到釣魚訊息時,他們的資料已經在攻擊者手上好幾天甚至好幾週了。 訊息來自真的 booking.com、內容 100% 正確、連結用 homograph 偽裝 —— 這三個條件同時成立,單純靠使用者警覺幾乎不可能防禦。 必須靠 defense-in-depth:平台端的 credential hardening、 MFA、DMARC、DNS 監控、員工訓練、IDN 警告。

The terrifying part of this kill chain: steps 1–5 are invisible to the user. By the time the phishing message arrives, their data has been in attacker hands for days or weeks. The message comes from real booking.com, the content is 100% accurate, the link is homograph-spoofed — user vigilance alone cannot defend against this. Defense-in-depth is required: platform-side credential hardening, MFA, DMARC, DNS monitoring, security awareness training, and IDN warning systems.

為什麼肉眼看不出來?

Why can't you spot it?

第二個連結的 a 不是英文字母的 a(Unicode U+0061), 而是西里爾字母 (Cyrillic script) 的 а(U+0430)。 兩個 glyph(字形)在螢幕上一模一樣,但在電腦眼中是完全不同的 code point(碼位)

The a in the second link isn't the Latin letter a (U+0061) — it's the Cyrillic letter а (U+0430). They render identically on screen but are entirely different characters to a computer.

瀏覽器依照 IDN (Internationalized Domain Name) 標準 (RFC 3492 · Punycode)把含有非 ASCII 字元的網域轉成 xn-- 開頭的 ACE (ASCII Compatible Encoding) 形式。 所以實際連出去的網址是 xn--fpcus-8ve.com,而不是 fpcusa.com。 這種攻擊手法稱為 IDN Homograph Attack(同形異義字攻擊), 也被歸類為 homoglyph spoofing 的一種。

Behind the scenes, browsers convert non-Latin domains into Punycode — an ASCII encoding. So you're actually connecting to xn--fpcus-8ve.com, not fpcusa.com. This technique is called an IDN Homograph Attack.

拉丁字母
Latin
西里爾字母
Cyrillic
看起來
Looks like
a · U+0061
а · U+0430
一模一樣
Identical
c · U+0063
с · U+0441
一模一樣
Identical
e · U+0065
е · U+0435
一模一樣
Identical
o · U+006F
о · U+043E
一模一樣
Identical
p · U+0070
р · U+0440
一模一樣
Identical

攻擊者實際怎麼用

How attackers weaponize it

這也是 Booking.com 近幾年反覆被攻擊的原因 —— 使用者本來就在等飯店聯絡, 訊息裡又有正確的訂房資料,戒心降到最低。

This is the same pattern behind repeated Booking.com scams — victims are expecting hotel messages, the message contains real reservation details, and their guard is down.

怎麼保護自己

How to protect yourself