Russian Hackers Launch Massive Phishing Scheme with 4,300 Fake Travel Sites to Steal Payment Data

Updated: 2 days ago

A sophisticated phishing campaign orchestrated by Russian-speaking threat actors has been uncovered, involving the creation of over 4,300 fake travel websites. These fraudulent sites are designed to impersonate popular booking platforms and trick hotel guests into divulging their sensitive payment information. The operation, which began in early 2025, highlights the growing trend of phishing-as-a-service and its potential for large-scale credential theft.

Key Takeaways

  • Over 4,300 fake travel domains have been registered to target hotel guests.

  • The campaign impersonates major brands like Booking.com, Expedia, and Airbnb.

  • A sophisticated phishing kit customizes pages based on URL parameters and supports 43 languages.

  • Attackers aim to steal credit card details through fake booking confirmation emails.

The Scope of the Attack

Security researchers have identified a massive phishing operation that has registered more than 4,300 domain names since the start of the year. The primary targets are customers of the hospitality industry, specifically hotel guests who may have upcoming travel reservations. The campaign appears to have intensified around February 2025.

Of the registered domains, a significant number include keywords associated with popular travel platforms. For instance, 685 domains contain "Booking," 18 have "Expedia," 13 feature "Agoda," and 12 use "Airbnb." This indicates a deliberate effort to ensnare users across various booking and rental services.

Sophisticated Phishing Tactics

The campaign employs a highly customized phishing kit. When a target clicks on a link in a phishing email, they are subjected to a chain of redirects before landing on a fake website. These bogus sites are designed to mimic legitimate booking platforms, using familiar logos and consistent naming patterns for their domains, such as "confirmation," "booking," "guestcheck," "cardverify," or "reservation," to create an illusion of authenticity.

The fake pages support 43 different languages, allowing the threat actors to cast a wide net globally. Victims are prompted to pay a deposit for their hotel reservation by entering their credit card information. A unique identifier in the URL, known as an "AD_CODE," customizes the presented branding. Changing this code can lead to pages impersonating different hotels on the same booking platform.
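The naming patterns and URL identifier described above can be turned into a triage rule for proxy logs or newly registered domain feeds. The following is an added example, not code from the researchers or the original article; the scoring weights, the threshold, the allowlist of official domains, and the assumption that "AD_CODE" appears as a query parameter of that name are illustrative, and the sample URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Keywords quoted in the article; "booking" is counted once, as a brand.
BRANDS = ("booking", "expedia", "agoda", "airbnb")
LURES = ("confirmation", "guestcheck", "cardverify", "reservation")
# Assumption: the brands' own domains, which are never flagged.
OFFICIAL = ("booking.com", "expedia.com", "agoda.com", "airbnb.com")
THRESHOLD = 3  # assumed cut-off: brand (2) + one lure word (1)


def is_official(host):
    """Exact match or true subdomain; 'booking.com.evil.test' does not pass."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def score_url(url):
    """Return (score, matched indicators) for one URL or bare hostname."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or is_official(host):
        return 0, []
    # Only the hostname is inspected: keywords in the path are too noisy.
    hits = ["brand:" + b for b in BRANDS if b in host]
    hits += ["lure:" + w for w in LURES if w in host]
    # Assumption: the kit's identifier shows up as a query key "AD_CODE".
    keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if "ad_code" in keys:
        hits.append("param:ad_code")
    score = sum(1 if h.startswith("lure:") else 2 for h in hits)
    return score, hits


def triage(urls):
    """Keep only URLs at or above THRESHOLD, with their evidence."""
    scored = ((u, *score_url(u)) for u in urls)
    return [(u, s, h) for u, s, h in scored if s >= THRESHOLD]


# Constructed sample URLs on reserved TLDs, plus one genuine brand URL.
SAMPLES = [
    "https://www.booking.com/hotel/index.html",
    "https://booking-confirmation-id4471.example/p/?AD_CODE=abc123",
    "http://booking.com.guestcheck-verify.test/login",
    "https://cardverify-reservation.example/",
    "https://travel-blog.example/best-booking-tips",
]

if __name__ == "__main__":
    for url, score, hits in triage(SAMPLES):
        print(score, url, hits)
```

Substring matching is deliberately broad, so treat hits as leads for review rather than verdicts; the fourth sample scores 2 and stays below the threshold because it carries lure words but no brand.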

Deception and Data Exfiltration

Once a victim enters their card details, including the expiration date and CVV, the page attempts to process a transaction in the background. Simultaneously, a fake "support chat" window appears, guiding the user through a supposed "3D Secure verification" process to further deceive them. The phishing kit also features a fake CAPTCHA check that mimics Cloudflare to build false confidence.

The identity of the threat group remains unknown, but comments within the source code suggest a Russian-speaking origin or an attempt to cater to potential buyers of the phishing kit. This operation shares similarities with other recent large-scale phishing campaigns targeting various industries, highlighting the evolving landscape of cyber threats.

Potential Links to Other Campaigns

This discovery comes shortly after Sekoia warned of a similar phishing campaign targeting the hospitality sector, which involved luring hotel managers to fake pages to harvest credentials and deploy malware. There is a possibility that these two clusters of activity are related, given the overlap in tactics and targets. The increasing use of sophisticated, automated phishing kits underscores the industrialization of cybercrime, making it easier for less technically skilled individuals to conduct large-scale attacks.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data, The Hacker News.

  • Massive Phishing Attack Impersonate as Travel Brands Attacking Users with 4,300 Malicious Domains, CyberSecurityNews.
