A recent phishing campaign exploiting the reputation of Booking.com has surfaced, aiming to defraud hotels and guests by capturing sensitive information. This sophisticated operation deceives users through seemingly legitimate communications, eventually leading to financial theft and data exposure.
Initial Phishing Tactics
The scheme often begins with emails sent to hotel reservation or support addresses, encouraging staff to click on links regarding a supposed ‘complaint’ or room inquiry. Despite appearing genuine, these links redirect users to attacker-controlled sites that mimic legitimate pages to harvest login credentials.
Research by Bridewell has highlighted this financially driven campaign, which has been active since January 2026. Utilizing two distinct phishing kits, the operation unfolds in three stages: initial payload delivery, credential theft from hotel staff, and subsequent fraud targeting customers using stolen booking information.
Exploring the Multi-Stage Attack
The first stage involves phishing emails designed to lure hotel employees into engaging with the fraudulent chain. The attackers employ look-alike domains and redirect techniques, including a Cyrillic character trick in ‘booking,’ to deceive users. Once victims are misled onto fake portals, their credentials are captured, enabling further access to legitimate Booking.com partner accounts.
To avoid detection, the phishing kit uses a mechanism that fingerprints visitors. If the checks are unsuccessful, a decoy site is displayed. Successful checks redirect victims to a counterfeit partner login page, utilizing a ‘bookling’ subdomain and tokenized sign-in paths.
Consequences and Protective Measures
Subsequent to gaining access, perpetrators target guests by sending convincing WhatsApp messages containing accurate booking data, prompting them through a Cloudflare CAPTCHA to a fake payment page. This stage aims to exploit guests’ trust and urgency.
Hotels can mitigate such threats by enforcing multi-factor authentication (MFA) on partner accounts, restricting portal access, and treating unexpected complaint links with suspicion. Monitoring new sign-ins and unusual redirects can help detect account takeovers early. Additionally, email filters should be updated to block look-alike domains, and any abuse should be reported to registrars.
Guests are advised against making payments via chat-app links and should verify issues through official channels. If they suspect data compromise, they should promptly change passwords, contact their bank, and confirm with the hotel if their Booking.com account has been accessed.
Stay informed with the latest updates by following us on Google News, LinkedIn, and X. Set CSN as a preferred source on Google for more instant updates.
.webp?ssl=1 "CISA Alerts on Active Exploitation of Google Chromium Vulnerability")
