Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data

A sophisticated phishing campaign, potentially originating from Russian-speaking threat actors, has been identified targeting customers in the hospitality industry. Since the beginning of the year, over 4,300 fake travel websites have been created to steal hotel guests' payment data. The campaign, active since approximately February 2024, tricks users into providing credit card information under the guise of confirming a booking.

The attackers are registering domains whose names contain variations of Booking, Expedia, Agoda, and Airbnb to target users of these popular platforms. The phishing emails urge recipients to confirm their booking within 24 hours by clicking a link and entering their credit card information. Victims are sent through a redirect chain to fake sites whose domain names use phrases like confirmation, booking, guestcheck, cardverify, or reservation to appear legitimate. The fake sites support 43 languages and prompt users to pay a deposit by entering card details. A unique identifier in the URL, AD_CODE, personalizes the content so that the page shows the specific hotel and booking platform for that victim; opening the site directly without the AD_CODE results in a blank page.

Once the victim enters their card details, including the expiration date and CVV, the site attempts a background transaction while displaying a fake support chat window that prompts for 3D Secure verification. While the identity of the threat group is unconfirmed, Russian-language code comments suggest either a Russian origin or an attempt to appeal to Russian-speaking customers of the phishing kit. This campaign highlights the growing threat of Phishing-as-a-Service (PhaaS), which enables less skilled attackers to conduct large-scale operations.

Notably, some indicators overlap with a previously reported campaign targeting hotel managers with malware such as PureRAT, suggesting a possible connection. This campaign also impersonated multiple brands, including Microsoft, Adobe, WeTransfer, FedEx, and DHL, to steal credentials using HTML attachments and Telegram bots for data exfiltration.

Security teams should monitor for suspicious domains containing travel-related keywords and educate users about phishing tactics, particularly unsolicited requests to confirm a booking. Robust email security controls should detect and block the phishing emails, and network traffic should be watched for unusual activity involving these domains. Multi-factor authentication and transaction monitoring can help limit the impact of stolen payment card details.
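One way to put the domain-monitoring recommendation into practice, as an added example that is not part of the original report: a small Python triage script that scores URLs seen in proxy logs against the brand names and lure phrases named above, and raises the score when the URL carries the AD_CODE identifier. The log lines are constructed samples, and the legitimate apex domains, the log format and the treatment of AD_CODE as a query parameter are assumptions made here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Brand names the campaign impersonates in registered domains (from the report).
BRANDS = ("booking", "expedia", "agoda", "airbnb")
# Phrases the fake landing domains use to look legitimate (from the report).
LURE_WORDS = ("confirmation", "guestcheck", "cardverify", "reservation")
# Legitimate apex domains to allow-list; assumed here, extend for your environment.
LEGIT_APEX = {"booking.com", "expedia.com", "agoda.com", "airbnb.com"}

# Constructed sample proxy log lines (timestamp, client, URL); not real indicators.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z 10.0.0.12 https://www.booking.com/myreservations.html
2024-03-02T10:16:44Z 10.0.0.12 https://booking-guestcheck-confirmation.example/?AD_CODE=7f3a
2024-03-02T10:17:09Z 10.0.0.31 https://expedia.cardverify.example/pay
2024-03-02T10:18:55Z 10.0.0.31 https://intranet.example/reservation-tool
"""

def score_host(host: str) -> int:
    """Suspicion score for a hostname; 0 means no campaign traits were found."""
    host = host.lower().rstrip(".")
    if ".".join(host.split(".")[-2:]) in LEGIT_APEX:  # apex approximated as last two labels
        return 0
    flat = re.sub(r"[^a-z0-9]", "", host)  # hyphens and dots are often used to split keywords
    score = 2 if any(brand in flat for brand in BRANDS) else 0  # brand in a domain it does not own
    score += sum(1 for word in LURE_WORDS if word in flat)  # one point per lure phrase
    return score

def classify_url(url: str) -> str:
    """Return 'high', 'medium' or 'none' for one URL."""
    parts = urlsplit(url)
    score = score_host(parts.hostname or "")
    # The kit only renders content when an AD_CODE identifier is in the URL; a query parameter of that name is assumed.
    if "ad_code" in {key.lower() for key in parse_qs(parts.query)}:
        score += 2
    if score >= 4:
        return "high"
    return "medium" if score >= 2 else "none"

def triage(log_text: str) -> dict:
    """Map each logged URL that shows campaign traits to its verdict ('high' or 'medium')."""
    verdicts = {}
    for line in log_text.splitlines():
        url = line.split()[-1]  # constructed log format: timestamp client url
        verdicts[url] = classify_url(url)
    return {u: v for u, v in verdicts.items() if v != "none"}
```

Note that keywords in the URL path (such as the internal reservation tool above) do not count, since the campaign's lure phrases live in the registered domain names.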

This post is licensed under CC BY 4.0 by the author.