A sophisticated phishing campaign orchestrated by a Russian-speaking threat group has established over 4,300 fraudulent travel websites, aiming to steal payment information from hotel guests.
Since February 2025, this extensive operation has targeted major online travel platforms, including Booking, Expedia, Agoda, and Airbnb, leveraging a custom phishing kit to create highly convincing fake booking sites. The scale of this campaign, as revealed by Netcraft, underscores a growing threat to the hospitality industry and its customers.
The campaign begins with phishing emails that prompt recipients to confirm hotel reservations within 24 hours, often requiring credit card details. After clicking a malicious link, victims are redirected through a chain of websites before landing on a meticulously crafted phishing page. These bogus sites use consistent naming patterns featuring terms like ‘confirmation,’ ‘booking,’ and ‘reservation’ to mimic legitimate travel portals. Andrew Brandt, a security researcher at Netcraft, highlighted the sophistication of the phishing kit, noting that it customizes pages with logos from major brands like Airbnb and Booking.com based on unique URL strings.
The attackers have registered 4,344 domains for this purpose, with 685 containing ‘Booking’, 18 with ‘Expedia’, 13 with ‘Agoda’, and 12 with ‘Airbnb’, demonstrating a broad targeting strategy. These fake pages are designed to support 43 different languages, significantly expanding the potential victim pool. The primary objective is to trick users into entering their payment information under the guise of paying a deposit for their hotel reservation. The use of multiple redirection steps and carefully constructed domain names aims to bypass security measures and deceive unsuspecting travelers.
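The naming patterns described above can be turned into a triage rule for hostnames seen in DNS or web proxy logs. The Python sketch below is an added example, not code from Netcraft or the original article; the brand allowlist, the severity labels and the sample hostnames (all under the reserved `.example` TLD) are assumptions constructed for illustration.

```python
import re

# Brand names and lure terms are the ones listed in the article.
# The mapping to each brand's own domain is an assumption of this example.
BRANDS = {"booking": "booking.com", "expedia": "expedia.com",
          "agoda": "agoda.com", "airbnb": "airbnb.com"}
LURE_TERMS = ("confirmation", "booking", "reservation")


def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host):
    """Return (severity, brands, lure_terms) for a suspicious hostname, else None."""
    host = host.lower().rstrip(".")
    if registrable(host) in BRANDS.values():
        return None  # the brand's own domain, including its subdomains
    # Drop dots and hyphens so "air-bnb" and "booking.com.<other>" still match.
    squashed = re.sub(r"[^a-z0-9]", "", host)
    brands = sorted(b for b in BRANDS if b in squashed)
    # "booking" is both a brand and a lure term; count it once, as the brand.
    lures = sorted(t for t in LURE_TERMS if t in squashed and t not in brands)
    if brands and lures:
        return ("high", brands, lures)    # brand name plus a lure term
    if brands:
        return ("medium", brands, lures)  # brand name on a non-brand domain
    if lures:
        return ("low", [], lures)         # lure term only
    return None


def triage(hosts):
    """Map each flagged hostname to its classification."""
    return {h: r for h in hosts if (r := classify(h)) is not None}


# Constructed sample hostnames, as they might appear in a resolver log.
SAMPLE_HOSTS = [
    "www.booking.com",
    "booking-confirmation-id48213.example",
    "booking.com.guest-reservation.example",
    "air-bnb-verify.example",
    "hotel-reservation-desk.example",
    "intranet.corp.example",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(host, verdict)
```

Substring matching is deliberately loose and will flag unrelated names (a hostname containing "pagoda" matches "agoda"), so hits are leads for review rather than block decisions.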
This incident highlights the persistent evolution of phishing tactics, with threat actors employing increasingly elaborate methods to exploit trust in established brands and urgent calls to action. Users should exercise extreme caution when receiving unsolicited emails regarding travel plans.

