
Massive Phishing Attack Impersonates Travel Brands, Attacking Users with 4,300 Malicious Domains

A large phishing campaign has been targeting travelers worldwide, using more than 4,300 fake domains to steal payment card information.

The operation focuses on people planning vacations or about to check into hotels by sending fake booking confirmation emails that appear to come from trusted travel companies.

The attackers have created a network of websites that look like real hotel reservation pages, complete with familiar logos and professional layouts, making them difficult to spot as scams.

The campaign uses a well-built phishing kit that tailors the landing page to the specific link sent to each victim by email. When someone clicks a link in the fake email, their browser is redirected through several websites before landing on the phishing page.

The emails claim that a hotel reservation must be confirmed within 24 hours to avoid cancellation, creating a sense of urgency that pushes victims to act quickly without carefully checking the details.

The fake pages mimic major travel brands, including Airbnb, Booking.com, Expedia, and Agoda, using their logos and design elements to appear legitimate.

The phishing pages (Source – Netcraft)

Netcraft security researchers identified that the threat actor behind this campaign is Russian-speaking, based on extensive Russian language comments found throughout the phishing kit’s source code.

The operation began in February 2025 and has steadily grown, with the attacker registering new domains almost daily. One notable spike occurred on March 20, 2025, when 511 domains were registered in a single day.

The domains follow consistent patterns with phrases like “confirmation,” “booking,” “guestverify,” “cardverify,” or “reservation” appearing in their names, often combined with random numbers.

The attacker primarily uses four domain registrars: WebNIC, Public Domain Registry, Atak Domain Bilgi Teknolojileri A.S., and MAT BAO Corporation.

Several hundred domains even reference specific luxury and boutique hotels from around the world, making the scam appear more targeted and convincing to potential victims.

Redirection Chain and Infection Mechanism

The phishing attack relies on a complex redirection system that makes it harder to trace and block.

When victims click the “Confirm Booking” button in the fake email, they don’t go directly to the phishing site.

Instead, the link first sends them to an old, unused website domain that was originally registered in 2016 for a movie promotion. That site then redirects to a page on Blogspot, Google’s free blogging platform, which finally redirects to the actual phishing page.

This multi-step redirection chain serves several purposes. It helps the attackers avoid detection by security systems that might flag direct links to malicious sites.

Using legitimate platforms like Blogspot adds a layer of trust since the intermediate URL appears on a well-known service. The chain also makes it harder for security researchers to track down the final destination and shut down the operation.

Many real hotels have been impersonated by the attackers (Source – Netcraft)

Once victims reach the phishing page, they see what appears to be a legitimate hotel booking confirmation form.

The page displays a fake Cloudflare CAPTCHA that doesn’t actually function but uses Cloudflare branding to build false confidence.

After passing this fake security check, victims are asked to enter their payment card details including the cardholder name, card number, CVV code, and expiration date.

The page performs Luhn validation to check if the card number format is correct before attempting to process a fraudulent transaction in the background.

While this happens, a fake support chat window appears with automated messages telling victims to confirm SMS notifications from their bank, which are actually the real fraud alerts triggered by the unauthorized charges the attackers are attempting.

The phishing kit includes sophisticated features like support for 43 different languages and real-time polling that sends user keystrokes back to the attacker’s server approximately once per second.

The pages use a unique identifier called an “AD_CODE” in the URL that determines which travel brand to impersonate, with different codes producing different branding on the same domain.

This allows the attackers to run multiple campaigns simultaneously using the same infrastructure, targeting different brands and hotels with customized pages for each victim.
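The indicators above (lure keywords plus digits in domain names, an AD_CODE query parameter, and a multi-hop chain through a free blogging platform) can be turned into a simple triage score for URLs and redirect chains pulled from a mail gateway or sandbox. This is an added example written for this article, not Netcraft's tooling or the kit's code; the `.example` hostnames and the threshold are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Keywords the article reports recurring in the campaign's domain names.
LURE_WORDS = ("confirmation", "booking", "guestverify", "cardverify", "reservation")
# Free hosting platform reported as an intermediate hop (assumed hostname suffix).
FREE_HOSTS = ("blogspot.com",)

def domain_score(hostname: str) -> int:
    """Score a hostname by the naming pattern the article describes:
    one or more lure keywords, optionally combined with a run of digits."""
    labels = hostname.lower().split(".")
    body = ".".join(labels[:-1]) if len(labels) > 1 else hostname.lower()  # drop TLD
    score = sum(2 for w in LURE_WORDS if w in body)
    if score and re.search(r"\d{3,}", body):  # keyword combined with random numbers
        score += 2
    return score

def url_score(url: str) -> int:
    """Domain score plus a bonus for the kit's AD_CODE brand-selector parameter."""
    p = urlparse(url)
    score = domain_score(p.hostname or "")
    if "AD_CODE" in parse_qs(p.query):
        score += 3
    return score

def chain_score(chain: list) -> int:
    """Score an ordered redirect chain (first hop to final landing page)."""
    if not chain:
        return 0
    score = max(url_score(u) for u in chain)
    hops = [urlparse(u).hostname or "" for u in chain]
    # Three or more hops with a free-hosting platform in the middle, as described.
    if len(chain) >= 3 and any(h.endswith(FREE_HOSTS) for h in hops[1:-1]):
        score += 2
    return score

def is_suspicious(chain: list, threshold: int = 5) -> bool:
    return chain_score(chain) >= threshold

# Constructed sample chain mirroring the article's description (not a real IoC).
SAMPLE_CHAIN = [
    "https://old-movie-promo.example/",
    "https://confirm-stay.blogspot.com/p/confirm.html",
    "https://booking-confirmation4481.example/?AD_CODE=agoda",
]

if __name__ == "__main__":
    print(chain_score(SAMPLE_CHAIN), is_suspicious(SAMPLE_CHAIN))
```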

The post Massive Phishing Attack Impersonates Travel Brands, Attacking Users with 4,300 Malicious Domains appeared first on Cyber Security News.

Source: cybersecuritynews.com –
