Thousands of Fake Hotel Domains Used in Massive Phishing Campaign
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The operation impersonates major travel brands such as Airbnb and Booking.com to steal payment card data. Each phishing page is customized according to a unique string in its URL, presents a fake CAPTCHA check, and is translated into multiple languages to appear legitimate. Delivery is by malicious email: the embedded links pass through several redirecting sites before landing on the phishing page. The attacker registers new domains continuously, concentrating on a few registrars and using naming conventions built from travel-related terms and hotel names. The phishing kit collects submitted data in real time, and its source code contains Russian-language elements.
OPENCTI LABELS :
malspam,domain registration,phishing
AI COMMENTARY :
1. Introduction: A large-scale phishing campaign has been identified in which over 4,300 counterfeit hotel and travel-related domains have been registered since early 2025. The threat actor behind the operation is Russian-speaking and has crafted each stage of the attack to ensnare travelers looking for accommodation. Victims are lured by emails that appear to come from trusted travel platforms; the goal is to harvest payment card details once they interact with the spoofed booking pages.
2. Domain Registration Strategy: The attacker concentrates registrations at a small set of registrars and mass-registers domains that combine well-known hotel names with generic travel vocabulary. Naming conventions that mirror legitimate brands such as Airbnb and Booking.com sustain the illusion of authenticity. The steady churn of new domains means that takedowns have limited effect: when some sites are removed, replacements can be registered and brought online within hours, so defenders should watch newly registered domains rather than relying on blocklists of known ones.
3. Phishing Site Tactics: Each phishing domain serves a landing page customized according to a unique string carried in the URL, which lets the kit tailor the page (for example, the hotel name shown) to the lure the victim received. Visitors see what looks like a genuine booking interface, preceded by a fake CAPTCHA challenge whose purpose is to lower suspicion and to make automated crawlers less likely to reach the payment form. Multilingual translations increase the site's credibility and extend the campaign's reach to travelers worldwide; the Russian-language material is confined to the kit's source code rather than shown to victims.
4. Email Delivery and Redirect Chains: Malicious emails are the primary delivery mechanism. The embedded links send recipients through several redirecting sites before the final phishing page is reached, so the destination is not visible in the email itself. This layered redirection is an evasion technique: URL-reputation checks and link scanners that evaluate only the first hop see an intermediate domain with little or no negative history, which increases the likelihood that the email is delivered and that the target proceeds to the fraudulent booking page.
5. Threat Actor Toolkit and Data Collection: Behind the scenes, a phishing kit captures data in real time: as soon as a victim submits payment card information, the details are relayed to attacker-controlled infrastructure, leaving no window in which a late takedown could prevent the loss. Russian-language snippets in the source code point to the developer's origin. The kit is reusable across the many domains the actor registers, with branding assets and language support swapped in per lure, which is what allows the campaign to scale to thousands of sites.
6. Defending Against the Campaign: Security teams should inspect inbound emails that claim to come from travel services and scrutinize any URL that contains a hotel or brand name in an unfamiliar domain, minor misspellings of a brand, long hyphenated labels, or atypical domain suffixes. Enforcing DMARC on your own domains, and checking the DMARC results of inbound mail, stops messages that spoof the exact sender domains of legitimate platforms; note, however, that mail sent from a lookalike domain the attacker actually owns will pass DMARC, so it must be caught by web filtering, threat intelligence feeds, and monitoring of newly registered domains that reuse travel and hotel terms. End users should be trained to verify reservations directly on the official platform or app rather than through emailed links, and to treat an unexpected CAPTCHA or a request to re-enter card details on a linked page as a warning sign.
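To make the domain-naming points in section 2 and the URL-scrutiny advice in section 6 concrete, here is an added triage script. It is my own example, not code from the report or from NetmanageIT, and everything in it is an assumption for illustration: the allowlist of official domains, the brand and travel-term lists, the scoring weights, and the sample email, whose domains are invented and are not indicators from the report. It extracts every URL from an email body, reduces each to its registrable domain (naively, by taking the last two labels; a real deployment should use the Public Suffix List), and scores the domain for the traits the campaign exhibits: a brand name embedded in a domain the brand does not own, a label one or two edits away from an official one, hotel and travel vocabulary, long hyphenated labels, and uncommon suffixes.

```python
import re
from urllib.parse import urlparse

# Allowlist of official brand domains (constructed for this example; in
# production it comes from your own verified list, never from the email).
OFFICIAL_DOMAINS = {"airbnb.com", "booking.com"}
BRAND_TOKENS = ("airbnb", "booking")
# Travel vocabulary the campaign's naming convention leans on (constructed).
TRAVEL_TERMS = {"hotel", "hotels", "resort", "reservation", "reservations",
                "stay", "inn", "suites", "travel", "guest"}
COMMON_TLDS = {"com", "net", "org"}
FLAG_THRESHOLD = 3

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as bookimg.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. Adequate for .com/.info;
    use the Public Suffix List in production so that example.co.uk is not
    reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_domain(host: str) -> tuple[int, list[str]]:
    """Heuristic lookalike score for one hostname, with the reasons."""
    reg = registered_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return 0, ["official domain"]
    sld, tld = reg.rsplit(".", 1) if "." in reg else (reg, "")
    score, reasons = 0, []

    # 1. Brand name embedded in a domain the brand does not own.
    for brand in BRAND_TOKENS:
        if brand in sld:
            score += 3
            reasons.append(f"brand token '{brand}' in non-official domain")

    # 2. One or two edits away from an official second-level label.
    for official in sorted(OFFICIAL_DOMAINS):
        d = levenshtein(sld, official.split(".")[0])
        if 0 < d <= 2:
            score += 3
            reasons.append(f"lookalike of {official} (edit distance {d})")

    # 3. Hotel/travel vocabulary used as hyphen-separated tokens.
    hits = sorted(TRAVEL_TERMS & set(sld.split("-")))
    if hits:
        score += len(hits)
        reasons.append("travel terms: " + ", ".join(hits))

    # 4. Long hyphenated labels and uncommon suffixes are typical of
    #    bulk-registered lure domains (a heuristic, not proof).
    if sld.count("-") >= 2:
        score += 1
        reasons.append("multi-hyphen label")
    if tld and tld not in COMMON_TLDS:
        score += 1
        reasons.append(f"uncommon TLD .{tld}")
    return score, reasons


def triage(email_text: str) -> list[dict]:
    """Extract every URL from an email body and rank it by lookalike score."""
    results = []
    for url in URL_RE.findall(email_text):
        host = urlparse(url).hostname or ""
        score, reasons = score_domain(host)
        results.append({"url": url, "domain": registered_domain(host),
                        "score": score, "flagged": score >= FLAG_THRESHOLD,
                        "reasons": reasons})
    results.sort(key=lambda r: -r["score"])  # stable: email order kept on ties
    return results


# Constructed sample lure in the style of the campaign's emails; the domains
# are invented for this example and are not indicators from the report.
SAMPLE_EMAIL = """\
Subject: Action required: confirm your Grand Plaza Hotel reservation

Your stay is on hold. Confirm your card within 24 hours:
https://grand-plaza-hotel-booking-confirm.info/r/8f3a2c
Manage your booking: https://www.booking.com/myreservations
Alternative link: http://airbnb-guest-verify.online/login
Support: https://bookimg.com/help
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_EMAIL):
        mark = "FLAG" if r["flagged"] else "ok  "
        print(f"{mark} {r['score']:2d} {r['domain']:40s} {'; '.join(r['reasons'])}")
```

Run against the sample, the two hyphenated lure domains score 6 each, the typosquat bookimg.com scores 3 on edit distance alone, and www.booking.com scores 0 because its registrable domain is on the allowlist. The score is a triage aid, not a verdict: a legitimate hotel that registered its own hyphenated .info domain would also score, so flagged links belong in a review queue or a detonation sandbox that follows the full redirect chain, not in an automatic block.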
7. Conclusion: This large-scale phishing operation underscores the need for sustained vigilance in the travel sector. Regular threat intelligence updates and proactive defenses, in particular monitoring of newly registered lookalike domains, are essential to keep pace with an adversary that registers domains faster than they can be taken down. By understanding the tactics and infrastructure of such campaigns, organizations and individuals can better safeguard payment card data and prevent costly fraud.