
Booking.com Phishing Campaign Targeting Hotels and Customers

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduct fraudulent schemes against hotel guests, tricking them into paying twice for their reservations. The campaign employs spear-phishing emails impersonating Booking.com, redirecting victims to malicious sites using the ClickFix social engineering tactic. The attackers leverage a complex infrastructure including compromised legitimate websites, traffic distribution systems, and bulletproof hosting. This operation is part of a broader cybercrime ecosystem targeting booking platforms, with various specialized services being offered on underground forums to facilitate these attacks.

OPENCTI LABELS:

purerat,booking.com,hospitality,clickfix,cybercrime,phishing,social engineering


AI COMMENTARY:

1. In recent months a sophisticated phishing campaign has emerged, targeting both Booking.com partners in the hospitality sector and their unsuspecting guests. The operation, first identified by threat intel analysts, revolves around the compromise of hotel administrators’ systems through a remote access trojan known as PureRAT. Once a foothold is achieved, attackers leverage valid credentials to infiltrate booking management portals, gaining the capability to manipulate reservations and guest communications while remaining hidden under the guise of legitimate platform activity.

2. The primary attack vector hinges on carefully crafted spear-phishing emails that impersonate Booking.com. By adopting the familiar branding and tone of official communications, attackers lure hotel employees or administrators into clicking links that lead to malicious servers. The campaign employs a tactic dubbed ClickFix, a deceptive social engineering scheme that redirects victims from seemingly benign URLs to weaponized domains. These fraudulent sites then trigger malware downloads or harvest login credentials, providing the adversaries with direct access to critical backend systems.

3. At the heart of this threat lies a complex infrastructure comprising multiple tiers of compromised resources. Attackers exploit legitimate websites that have been quietly breached to act as intermediaries in their traffic distribution system. Under the cover of these legitimate domains, phishing pages are served to victims, making detection by security tools significantly more challenging. The operation further relies on bulletproof hosting services—hosting providers known for ignoring abuse complaints—to shield command-and-control servers and malware payload repositories from takedowns.

4. With stolen access to booking management accounts, the threat actors orchestrate a two-pronged fraud scheme. First, they create unauthorized reservation modifications and solicit advance payments directly from hotel guests. Next, they send follow-up emails requesting additional payments or claiming issues with the initial charges, effectively tricking guests into paying twice. Hotels, unaware of the malicious manipulations within their own systems, may only discover the fraud when complaints arrive from confused patrons who face unexpected multiple charges.

5. This phishing campaign forms part of a broader cybercrime ecosystem that caters to malicious actors targeting online booking platforms. Across underground forums, threat actors buy, sell, and rent services—from ready-made phishing kits branded as Booking.com to PureRAT customization services, bulletproof hosting packages, and fraudulent domain registrations. This specialization allows newcomers to launch highly targeted attacks with minimal technical skills, fueling a surge in similar campaigns against other hospitality services and travel agencies.

6. In response to this growing threat, hospitality organizations should adopt a multi-layered defense strategy. Implementing robust email filtering and link scanning can detect and quarantine phishing messages before they reach staff inboxes. Enforcing multi-factor authentication on booking management portals adds an essential barrier against unauthorized access. Regular endpoint and network monitoring will help identify anomalous activity associated with remote access trojans like PureRAT. Finally, ongoing security awareness training can equip employees with the critical skills needed to recognize and report spear-phishing attempts, reducing the risk of credential compromise and fraudulent schemes.
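The email filtering and link scanning recommended in point 6 can start with a simple brand-consistency check on inbound mail. The sketch below is an added example, not part of the NetmanageIT report: it flags messages that claim to be from Booking.com while the sender, Reply-To or embedded links sit outside that domain. The sample messages and `.example` domains are constructed, and treating only `booking.com` and its subdomains as legitimate is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "booking.com"  # assumption: only this domain and its subdomains are legitimate

def on_brand(host):
    """True for booking.com or a real subdomain, not 'booking.com.<other>'."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND or host.endswith("." + BRAND)

def check_message(raw):
    """Return reasons a message looks like Booking.com impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    claims_brand = "booking" in f"{name} {msg.get('Subject', '')}".lower()
    findings = []
    if claims_brand and not on_brand(sender):
        findings.append(f"claims brand but sent from {sender}")
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from sender")
    # Assumes unencoded text parts; decode base64/quoted-printable first in production.
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        if claims_brand and not on_brand(host):
            findings.append(f"link leaves brand domain: {host}")
    return findings

# Constructed sample messages (not taken from the campaign).
PHISH = (
    'From: "Booking.com Partner Support" <noreply@partner-notice.example>\n'
    "Reply-To: help@other-mail.example\n"
    "Subject: Guest complaint about a reservation\n"
    "\n"
    "Please review: https://booking.com.guest-review.example/login\n"
)
LEGIT = (
    'From: "Booking.com" <noreply@booking.com>\n'
    "Subject: New reservation\n"
    "\n"
    "View it at https://admin.booking.com/reservations\n"
)

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, check_message(raw))
```

The suffix match in `on_brand` is what rejects hosts that merely begin with the brand name; a plain substring match would let them through.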

