Hackers Impersonate Marriott in New ‘rn’ Typo Trick
A sophisticated “homoglyph” phishing campaign is currently targeting customers of Marriott International and Microsoft. Attackers are registering fraudulent domains that replace the letter “m” with the combination “rn” (r + n), creating fake websites that appear nearly identical to the legitimate ones.
This technique, known as typosquatting or a homoglyph attack, exploits the way modern fonts display text. In many fonts, the letters “r” and “n” placed next to each other (rn) look visually indistinguishable from the letter “m” (m).
Hackers rely on this visual trick to bypass your brain’s ability to spot errors. When you glance quickly at a URL like rnarriottinternational.com, your brain often “autocorrects” what it sees, assuming it says “Marriott”.
Recent Campaigns Identified
Marriott International Targeted
Security firm Netcraft recently identified a cluster of malicious domains attempting to impersonate the hotel giant. These domains are likely used to steal loyalty account credentials or personal guest data.
- The primary domain identified is rnarriottinternational.com.
- Attackers have also registered variations like rnarriotthotels.com to target specific hotel brands.
Microsoft Users Under Fire
Harley Sugarman, CEO of the security firm Anagram, highlighted a similar campaign targeting Microsoft users. Phishing emails in this campaign use the domain rnicrosoft.com to send fake security alerts or invoice notifications.
- These emails mimic the official Microsoft logo, tone, and layout.
- The attack is particularly dangerous on mobile devices, where small screens make the “rn” vs. “m” difference almost impossible to see.
Indicators of Compromise (IOCs)
The following domains have been flagged as malicious. Security teams should block these immediately, and users should be wary of any links directing to them.
| Phishing Domain | Impersonated Service | Typosquatting Technique | Detection Difficulty |
|---|---|---|---|
| rnarriottinternational.com | Marriott International | ‘m’ replaced with ‘rn’ | Critical |
| rnarriotthotels.com | Marriott Hotels | ‘m’ replaced with ‘rn’ | Critical |
| rnicrosoft.com | Microsoft 365 / Login | ‘m’ replaced with ‘rn’ | High (Mobile) |
| micros0ft.com | Microsoft | ‘o’ replaced with ‘0’ | Medium |
| microsoft-support.com | Microsoft Support | Hyphenation / Suffix | Low |
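The substitutions in the table can also be checked mechanically on sender domains or URL hosts. The Python sketch below is an added example, not code from Netcraft, Anagram or the original article; the brand list, allowlist, verdict names and function names are assumptions for illustration.

```python
# Added example: flags lookalike hostnames using the substitutions from the IOC table.
# BRANDS, ALLOWED and all function names are illustrative assumptions.

# Visual substitutions listed in the table: "rn" shown for "m", "0" shown for "o".
SUBSTITUTIONS = (("rn", "m"), ("0", "o"))

BRANDS = ("marriott", "microsoft")            # names to protect (assumed)
ALLOWED = {"marriott.com", "microsoft.com"}   # known-good domains named in the article


def skeleton(text: str) -> str:
    """Collapse confusable sequences so lookalike strings compare equal."""
    text = text.lower()
    for lookalike, real in SUBSTITUTIONS:
        text = text.replace(lookalike, real)
    return text


def classify(host: str):
    """Return (verdict, brand) for a hostname."""
    host = host.lower().rstrip(".")
    if host in ALLOWED or any(host.endswith("." + d) for d in ALLOWED):
        return ("legitimate", None)
    for label in host.split("."):
        for brand in BRANDS:
            if brand in label:
                # Real brand spelling on a domain outside the allowlist
                # (the hyphenation / suffix row of the table).
                return ("brand-in-name", brand)
            # Apply the skeleton to both sides so a brand that really contains
            # "rn" or "0" would still match itself.
            if skeleton(brand) in skeleton(label):
                return ("homoglyph", brand)
    return ("no-match", None)


if __name__ == "__main__":
    # Constructed sample input: the table's domains plus two benign controls.
    for h in ("rnarriottinternational.com", "rnicrosoft.com", "micros0ft.com",
              "microsoft-support.com", "login.microsoft.com", "modern.com"):
        print(f"{h:32} {classify(h)}")
```

The control modern.com shows that a bare “rn” in a name does not trigger a match; only a collapsed form that spells a protected brand does.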
How to Stay Safe
- Expand the Sender Address: On mobile email apps, tap the sender’s name to reveal the full email address. Look closely for the “rn” trick.
- Hover Before You Click: On a computer, hover your mouse cursor over links without clicking to see the actual destination URL.
- Manual Entry: If you receive an urgent email about a hotel booking or account reset, do not click the link. Open a browser and type marriott.com or microsoft.com yourself.
- Use Password Managers: A password manager will not auto-fill your credentials on a fake site like rnicrosoft.com because it recognizes that the domain is different from the real one.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.