4,300 Fake Travel Websites are made by Russian Hackers to Steal Hotel Guests’ Payment Data
Since the beginning of the year, a Russian-speaking threat actor responsible for an ongoing, widespread phishing campaign has registered more than 4,300 domain names.
According to Andrew Brandt, a security researcher at Netcraft, the activity targets customers in the hospitality sector, particularly hotel guests who may have made travel arrangements, and reaches them through spam emails. The campaign is believed to have started in earnest around February 2025.
Of the 4,344 domains linked to the attack, 685 carry the name “Booking,” followed by 18 with “Expedia,” 13 with “Agoda,” and 12 with “Airbnb,” suggesting an effort to cover all of the well-known booking and rental platforms.

“The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website,” Brandt stated. “The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com.”
The attack starts with a phishing email that asks recipients to click a link and confirm their reservation with a credit card within the next 24 hours. Those who take the bait pass through a series of redirects before landing on a fraudulent website. To appear credible, these sites consistently build their domain names from terms such as confirmation, booking, guestcheck, cardverify, or reservation.
Because the pages support 43 different languages, the threat actors can cast a wide net. The page then prompts the victim to submit card details to pay a deposit for the hotel stay. Anyone who visits the page directly, without a unique identifier known as AD_CODE, sees only a blank page. To add to the deception, the fraudulent sites also include a fake CAPTCHA check that imitates Cloudflare.
“After the initial visit, the AD_CODE value is written to a cookie, which ensures that subsequent pages present the same impersonated branding appearance to the site visitor as they click through pages,” Netcraft explained. This means that changing the “AD_CODE” value in the URL yields a page for the same booking platform but targeting a different hotel.
As soon as the card details, expiration date, and CVV are entered, the page attempts to process a transaction in the background. Meanwhile, a “support chat” window appears on screen with instructions to complete a purported “3D Secure verification for your credit card” to prevent fraudulent bookings.
Although the threat group behind the campaign remains unidentified, the use of Russian in source code comments and debugger output either points to its origin or is an attempt to appeal to prospective buyers of the phishing kit who want to adapt it to their own needs.
The disclosure follows Sekoia’s warning of a widespread phishing campaign aimed at the hospitality sector, which lures hotel managers to ClickFix-style websites in order to obtain their login credentials using malware such as PureRAT. Hotel customers are then contacted via email or WhatsApp with their reservation details and asked to confirm the booking by clicking a link.
Interestingly, one of the indicators supplied by the French cybersecurity firm, guestverifiy5313-booking[.]com/67122859, matches the domain pattern registered by the threat actor, such as verifyguets71561-booking[.]com, suggesting a possible connection between the two activity clusters. When contacted for comment, Netcraft told The Hacker News that the two appear to be the same campaign and that it is “seeing significant overlap.”
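As an added illustration, not Netcraft’s or Sekoia’s own tooling, the following Python triage helper applies the domain pattern described above (a brand name padded with lure terms and a digit run, plus an AD_CODE-style numeric path segment) to defanged indicators. The allow-list of genuine domains and the lure stems are assumptions chosen for this example.

```python
import re
from urllib.parse import urlparse

# Brand names and lure terms are the ones the article reports; the stems and the
# scoring rule below are an added heuristic, not the vendors' detection logic.
BRANDS = ("booking", "expedia", "agoda", "airbnb")
LURE_STEMS = ("confirm", "guestcheck", "cardverif", "reserv", "verif", "guest")
# Assumed allow-list of the genuine registrable domains; extend for your environment.
LEGIT_DOMAINS = {"booking.com", "expedia.com", "agoda.com", "airbnb.com"}


def refang(value: str) -> str:
    """Turn a defanged indicator such as hxxps://x[.]com back into a parseable URL."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host (sufficient for the .com lures discussed here)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_url(raw: str) -> dict:
    """Return the registrable domain, a suspicious flag and the reasons behind it."""
    url = refang(raw.strip())
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    domain = registrable_domain(parsed.hostname or "")
    if domain in LEGIT_DOMAINS:
        return {"domain": domain, "suspicious": False, "reasons": []}
    label = domain.split(".")[0]  # e.g. "guestverifiy5313-booking"
    brands = [b for b in BRANDS if b in label]
    lures = [s for s in LURE_STEMS if s in label]
    digit_run = re.search(r"\d{3,}", label) is not None
    reasons = []
    if brands and lures:
        reasons.append(f"brand '{brands[0]}' combined with lure term '{lures[0]}'")
    if brands and digit_run:
        reasons.append("brand name padded with a digit run")
    # The kit keys its branding off an AD_CODE carried in the URL path; a bare
    # numeric path segment is one recognisable sign of that pattern. It is
    # reported but never flags a URL on its own (legitimate sites use them too).
    if any(seg.isdigit() for seg in parsed.path.split("/")):
        reasons.append("numeric path segment (AD_CODE-style)")
    suspicious = bool(brands) and (bool(lures) or digit_run)
    return {"domain": domain, "suspicious": suspicious, "reasons": reasons}
```

Both indicators quoted in the article are flagged, while the genuine booking.com host and an unrelated domain are not.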

Large-scale phishing campaigns in recent weeks have also impersonated a number of companies, including Microsoft, Adobe, WeTransfer, FedEx, and DHL, to harvest login credentials by sending HTML attachments via email. When opened, the embedded HTML files display a fake login page while JavaScript code captures the victim’s credentials and sends them directly to attacker-controlled Telegram bots, according to Cyble.
The campaign has primarily targeted organizations across Central and Eastern Europe, especially in the Czech Republic, Slovakia, Hungary, and Germany.
“The attackers distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations,” the company stated. “This regional focus is evident through targeted recipient domains belonging to local enterprises, distributors, government-linked entities, and hospitality firms that routinely process RFQs and supplier communications.”
Phishing kits have also been used in a large-scale campaign that sends alert emails to customers of Aruba S.p.A., one of the largest web hosting and IT service providers in Italy, in a similar attempt to steal sensitive data and payment information.
The phishing kit is a “fully automated, multi-stage platform designed for efficiency and stealth,” according to Group-IB researchers Ivan Salipur and Federico Marazzi. It leverages Telegram bots to exfiltrate stolen passwords and payment details, pre-fills victim data to boost believability, and uses CAPTCHA filtering to avoid security scans. Every function serves a single purpose: industrial-scale credential theft.
These findings highlight the growing demand on the underground market for phishing-as-a-service (PhaaS) offerings, which let threat actors with little or no technical expertise launch large-scale attacks.
“The automation observed in this particular kit exemplifies how phishing has become systematized – faster to deploy, harder to detect, and easier to replicate,” the Singapore-based company stated. “What once required technical expertise can now be executed at scale through pre-built, automated frameworks.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.