Russian hackers create 4,300 fake travel websites to steal hotel guests’ payment data

November 13, 2025

The Russian-speaking threat actor behind an ongoing, massive phishing campaign has registered over 4,300 domain names since the beginning of the year.

According to Andrew Brandt, a security researcher at Netcraft, the activity is designed to target customers in the hospitality industry, particularly hotel guests who may have made travel reservations, and reaches them through spam emails. The campaign is said to have begun in earnest around February 2025.

Of the 4,344 domains associated with this attack, 685 contained the name “Booking,” followed by “Expedia” with 18, “Agoda” with 13, and “Airbnb” with 12, indicating an attempt to cover all of the popular booking and rental platforms.

“The ongoing campaign uses a sophisticated phishing kit that customizes the page a site visitor sees depending on a unique string in the URL path when the target first visits the website,” Brandt said. “Customizations feature logos from major online travel industry brands such as Airbnb and Booking.com.”

The attack begins with a phishing email that prompts recipients to click a link and confirm their reservation with a credit card within 24 hours. If the victim takes the bait, a series of redirects sends them to a fake site. These fake sites follow a consistent naming pattern for their domains, featuring phrases such as Verify, Book, Guest Check, Card Verify, and Reserve to create an illusion of legitimacy.

These pages support 43 different languages, allowing the attackers to cast a wide net. The page instructs victims to enter their card information to pay a deposit for a hotel reservation. If a user tries to access the page directly, without the unique AD_CODE identifier, a blank page is displayed. The fake site also includes a fake CAPTCHA check that mimics Cloudflare to fool its targets.

“After the first visit, the AD_CODE value is written to the cookie so that subsequent pages will see the same disguised branding each time the site visitor clicks on the page,” Netcraft said. This also means that changing the “AD_CODE” value in a URL will result in a page targeting a different hotel on the same booking platform.

As soon as the card number, expiration date, and CVV are entered, the page attempts to process the transaction in the background while a “Support Chat” window appears on screen with instructions to complete a “3D Secure Verification of Credit Card,” ostensibly to protect against fake bookings.

The identity of the threat group behind this campaign remains unknown, but the use of Russian in source code comments and debugger output is either an allusion to its origin or an attempt to cater to potential phishing kit customers looking to customize it to their needs.

The disclosure comes just days after Sekoia warned of a large-scale phishing campaign targeting the hospitality industry that redirects hotel managers to ClickFix-style pages, deploys PureRAT-like malware to collect credentials, and then approaches hotel customers via WhatsApp or email with their reservation details, asking them to confirm the reservation by clicking on a link.

Interestingly, one of the indicators shared by the French cybersecurity firm, guestverifiy5313-booking(.)com/67122859, matches domain patterns registered by threat actors (e.g. verifyguets71561-booking(.)com), raising the possibility that these two activity clusters are related. Hacker News has reached out to Netcraft for comment and will update the article if we hear back.
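A defender-side check for the naming pattern described above, added here as an illustration (this is not code from Netcraft, Sekoia, or the article): it scores a domain on the combination of an impersonated brand keyword, the lure words the report lists, and embedded digits, and tolerates the misspellings seen in the two indicators (“verifiy”, “guets”). The allow-list of genuine hosts and the sample domain list are constructed for the example.

```python
import re

# Brand names the campaign impersonated and the lure words Netcraft describes
# in the fake domains. LEGIT_HOSTS is a constructed allow-list so the real
# platforms are never flagged.
BRANDS = ("booking", "expedia", "agoda", "airbnb")
LURE_WORDS = ("verify", "guest", "reserve", "check", "card", "book")
LEGIT_HOSTS = {"booking.com", "expedia.com", "agoda.com", "airbnb.com"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domain labels are short, so a small DP is enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(text: str, word: str) -> bool:
    """True if some window of text is within one edit of word (words of five or
    more letters) or matches it exactly (shorter words), so typo'd lure words hit."""
    max_dist = 1 if len(word) >= 5 else 0
    for width in range(len(word) - max_dist, len(word) + max_dist + 1):
        for i in range(len(text) - width + 1):
            if levenshtein(text[i:i + width], word) <= max_dist:
                return True
    return False


def analyze_domain(raw: str) -> dict:
    """Score one (possibly defanged) domain against the campaign's naming pattern."""
    host = raw.lower().strip().replace("(.)", ".").replace("[.]", ".").split("/")[0]
    if host in LEGIT_HOSTS:
        return {"host": host, "brand": None, "lures": [], "digits": [], "suspicious": False}
    labels = host.split(".")
    name = "".join(labels[:-1]) if len(labels) > 1 else host  # drop the TLD
    letters = re.sub(r"[^a-z]", "", name)
    brand = next((b for b in BRANDS if b in letters), None)
    rest = letters.replace(brand, "", 1) if brand else letters  # keep 'booking' from matching 'book'
    lures = [w for w in LURE_WORDS if fuzzy_contains(rest, w)]
    digits = re.findall(r"\d+", name)
    return {"host": host, "brand": brand, "lures": lures, "digits": digits,
            "suspicious": brand is not None and len(lures) >= 1}


# Constructed sample: the two patterns quoted in the article plus benign controls.
SAMPLE = ["guestverifiy5313-booking(.)com/67122859",
          "verifyguets71561-booking(.)com", "booking.com", "my-hotel-deals.example"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(analyze_domain(d))
```

Fed with a newly-registered-domain feed or DNS logs, the hits are candidates for blocking at the proxy or resolver, not proof on their own.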

Recent weeks have also seen large-scale phishing campaigns impersonating multiple brands including Microsoft, Adobe, WeTransfer, FedEx, and DHL to steal credentials by distributing HTML attachments via email. Once the embedded HTML file is launched, a fake login page is displayed, and the JavaScript code captures the credentials entered by the victim and sends them directly to an attacker-controlled Telegram bot, Cyble said.

The campaign primarily targets a wide range of organizations in Central and Eastern Europe, specifically the Czech Republic, Slovakia, Hungary, and Germany.

The company pointed out that “attackers are distributing phishing emails posing as legitimate customers or business partners and requesting confirmation of estimates and invoices.” “This regional focus is evident through targeted recipient domains belonging to local businesses, distributors, government entities, and hospitality companies that handle RFQs and supplier communications on a daily basis.”

Phishing kits were also used in a large-scale campaign targeting customers of Aruba SpA, one of Italy’s largest web hosting and IT service providers, with similar attempts to steal sensitive data and payment information.

Group-IB researchers Ivan Salipur and Federico Marazzi said the phishing kit is a “fully automated, multi-stage platform designed for efficiency and stealth.” “We use CAPTCHA filtering to evade security scans, pre-populate victim data to increase trust, and use Telegram bots to extract stolen credentials and payment information. All features serve one goal: industrial-scale credential theft.”

These findings exemplify the growing demand for phishing-as-a-service (PhaaS) offerings in the underground economy, which allow attackers with little or no technical expertise to carry out large-scale attacks.

“The automation observed with this particular kit exemplifies how phishing is becoming codified, making it faster to deploy, harder to detect, and easier to replicate,” the Singapore company added. “What once required technical expertise can now be done at scale through pre-built, automated frameworks.”
