New Phishing Campaign Targets Booking.com Partners and Customers in Multi-Stage Financial Fraud Scheme

A new Booking.com‑themed phishing campaign is abusing trust in travel brands to steal money and sensitive data from both hotels and guests.

The scheme starts with what looks like a routine service message, but it can end in payment fraud and payment-card exposure.

Early lures are sent to hotel reservation or support mailboxes and push staff to click a link about a “complaint” or room query.

The link looks legitimate in the email body, yet it sends the browser to attacker‑controlled pages designed to capture logins.

Bridewell researchers identified this operation as a renewed, financially motivated campaign that has been observed since early January 2026.

The attackers do so with two distinct phishing kits and a three-stage chain: first, payload delivery to a Booking.com partner; then credential theft from hotel staff; and finally customer-focused fraud that leverages the stolen booking details.

Infection Chain 1 – Stage 1 – Phishing Emails (Source – Bridewell)

The diagram shows the initial email stage used to pull hotel staff into the chain.

Multi-stage fraud chain

In the partner phase, the campaign uses look‑alike domains and redirects, including an IDN homograph trick that substitutes a Cyrillic character into “booking”, and URLs that commonly carry a “complaint?optoken=” style path and query parameter.

Once victims land on the fake portal, credentials are harvested and later used to access real Booking.com partner accounts.

Bridewell noted that the partner phishing kit also adds defense evasion: the hosting infrastructure fingerprints visitors and, when checks fail, shows benign decoy “hotel cleaning” websites instead of the phishing page.

When checks pass, victims are redirected to a fake partner sign‑in hosted on a “bookling” subdomain, reached through tokenized sign‑in paths.
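Triage logic for the look-alike URLs described above, written as an added example (it is not code from the Bridewell report, from Booking.com, or from the phishing kit). It decodes punycode labels, maps a handful of Cyrillic and Greek confusables back to Latin to catch the homograph, and also flags one-character typosquats such as “bookling” and the “complaint?optoken=” lure pattern, so it generalizes a little beyond the single case in the text. All sample URLs are constructed, the confusable table is deliberately small, and the registrable domain is approximated as the last two labels rather than looked up in a public-suffix list:

```python
import unicodedata
from urllib.parse import parse_qs, urlsplit

BRAND = "booking"
LEGIT_DOMAINS = {"booking.com"}  # assumption: the only domain partners should sign in to

# Small table of Cyrillic/Greek letters that render like Latin ones; enough for the
# brand string, not a full Unicode confusables list.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u043a": "k", "\u04bb": "h", "\u03bf": "o", "\u03b1": "a",
})

# Constructed test URLs (not from the report). The second host spells the brand with
# two Cyrillic "о" (U+043E); the third is the same host in punycode, generated here
# so the encoding is exact rather than typed by hand.
HOMOGRAPH_HOST = "partner.b\u043e\u043eking.com"
PUNYCODE_HOST = ".".join(
    label.encode("idna").decode("ascii") for label in HOMOGRAPH_HOST.split(".")
)
SAMPLE_URLS = [
    "https://admin.booking.com/hotel/hoteladmin/",
    f"https://{HOMOGRAPH_HOST}/complaint?optoken=abc123",
    f"https://{PUNYCODE_HOST}/complaint?optoken=abc123",
    "https://login.bookling-partners.example/complaint?optoken=zz9",
    "https://www.example.org/rooms",
]


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so look-alikes can be inspected as text."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label stays as-is; it will not match the brand
        labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Normalize and fold known confusables so a homograph collapses onto the brand."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_url(url: str) -> dict:
    """Return the decoded host, a list of findings, and a suspicious verdict."""
    parts = urlsplit(url)
    host = to_unicode_host((parts.hostname or "").lower())
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: no public-suffix list
    if registrable in LEGIT_DOMAINS:
        return {"host": host, "findings": [], "suspicious": False}

    findings = []
    for label in labels:
        if any(ord(ch) > 127 for ch in label):
            findings.append(f"non-ascii label: {label}")
        for token in label.split("-"):
            folded = skeleton(token)
            if token == BRAND:
                findings.append(f"brand string in unrelated domain: {label}")
            elif folded == BRAND:
                findings.append(f"homograph of {BRAND}: {token}")
            elif edit_distance(folded, BRAND) == 1:
                findings.append(f"typosquat of {BRAND}: {token}")
    if "complaint" in parts.path.lower() and "optoken" in parse_qs(parts.query):
        findings.append("lure pattern: complaint?optoken=")
    return {"host": host, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(triage_url(sample))
```

The punycode and Unicode forms of the homograph host produce identical findings, which is the property a mail-gateway or proxy rule needs: an attacker can present either spelling, and the check must not depend on which one the client renders.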

WhatsApp message from a different account (Source – Bridewell)

After account takeover, attackers pivot to guests, sending convincing WhatsApp messages with accurate booking details and urgency, and routing victims through a Cloudflare CAPTCHA to a Booking.com look‑alike payment page.

Cloudflare Captcha Page (Source – Bridewell)

Hotels should enforce MFA on partner accounts, restrict access to booking portals, and treat unexpected “complaint” links as high risk, even when they appear to come from known brands.

Logging and alerting on new sign‑ins, password resets, and unusual outbound redirects can help catch the takeover before guests are targeted. They should also review email filters, block new look‑alike domains, and report abuse to registrars.
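The sign-in and password-reset alerting recommended above, as an added example run over constructed partner-portal events (these are not real logs, and this is not a detection that Bridewell or Booking.com publishes). It builds a per-account baseline of sign-in countries, then alerts on a sign-in from a new country, on a password reset shortly after that sign-in, and on a burst of guest messages from the same account, which is the sequence the article describes between account takeover and guest targeting. The thresholds (three baseline sign-ins, a 30-minute reset window, five guest messages in 15 minutes) and the event format are assumptions to adapt to the real log source:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real partner-portal logs):
# ISO timestamp, account, event, source country.
SAMPLE_EVENTS = """\
2026-01-05T09:00:00 hotel-42 login_success DE
2026-01-06T09:10:00 hotel-42 login_success DE
2026-01-07T08:55:00 hotel-42 login_success DE
2026-01-08T21:30:00 hotel-42 login_success NG
2026-01-08T21:41:00 hotel-42 password_reset NG
2026-01-08T21:50:00 hotel-42 guest_message_sent NG
2026-01-08T21:52:00 hotel-42 guest_message_sent NG
2026-01-08T21:53:00 hotel-42 guest_message_sent NG
2026-01-08T21:55:00 hotel-42 guest_message_sent NG
2026-01-08T21:57:00 hotel-42 guest_message_sent NG
2026-01-08T21:58:00 hotel-42 guest_message_sent NG
2026-01-09T10:00:00 hotel-77 login_success FR
2026-01-09T10:05:00 hotel-77 guest_message_sent FR
"""


def parse_events(text: str) -> list:
    """Parse whitespace-separated event lines into sorted (time, account, event, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, country = line.split()
        events.append((datetime.fromisoformat(ts), account, event, country))
    return sorted(events)


def detect_takeover(events: list, baseline_logins: int = 3,
                    reset_window: timedelta = timedelta(minutes=30),
                    burst_count: int = 5,
                    burst_window: timedelta = timedelta(minutes=15)) -> list:
    """Return (time, account, reason) alerts for the takeover-then-fraud sequence.

    Countries seen during an account's first `baseline_logins` sign-ins form its
    baseline; later sign-ins from other countries are alerted on and deliberately
    NOT added to the baseline, so an attacker's sign-in cannot normalize itself.
    """
    known_countries = defaultdict(set)
    login_count = defaultdict(int)
    suspicious_login_at = {}          # account -> time of the flagged sign-in
    recent_messages = defaultdict(list)
    alerts = []

    for ts, account, event, country in events:
        if event == "login_success":
            baseline_done = login_count[account] >= baseline_logins
            if baseline_done and country not in known_countries[account]:
                alerts.append((ts, account, f"new sign-in country {country}"))
                suspicious_login_at[account] = ts
            else:
                known_countries[account].add(country)
            login_count[account] += 1

        elif event == "password_reset":
            flagged_at = suspicious_login_at.get(account)
            if flagged_at is not None and ts - flagged_at <= reset_window:
                alerts.append((ts, account,
                               "password reset shortly after new-country sign-in"))

        elif event == "guest_message_sent":
            window = [t for t in recent_messages[account] if ts - t <= burst_window]
            window.append(ts)
            recent_messages[account] = window
            # Fire once, when the burst threshold is first crossed after a flagged sign-in.
            if len(window) == burst_count and account in suspicious_login_at:
                minutes = int(burst_window.total_seconds() // 60)
                alerts.append((ts, account,
                               f"{burst_count} guest messages within {minutes} minutes "
                               f"after suspicious sign-in"))
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The reset and burst rules only fire for an account that already has a flagged sign-in, so a legitimate staff member resetting a forgotten password or answering many guests during check-in does not page anyone on its own; the combination is what is worth an analyst's time.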

Customers should not pay through links received in chat apps, and should confirm issues using the official app or a verified hotel contact method.

If details were entered on a suspicious page, change passwords, contact the bank, and ask the hotel to verify whether the Booking.com account was accessed.

The post New Phishing Campaign Targets Booking.com Partners and Customers in Multi-Stage Financial Fraud Scheme appeared first on Cyber Security News.

Source: cybersecuritynews.com