The Booking[.]com Phishing Campaign Targeting Hotels and Customers
Summary:
Since early January 2026, researchers at Bridewell have observed a resurgence in activity targeting the hotel and retail sectors through impersonation of Booking[.]com. The operation uses a three-stage infection chain: attackers first send phishing emails to hotel reservation inboxes, then steal partner credentials through a fake Booking[.]com partner portal, and finally conduct fraud against hotel customers using a separate phishing kit. The emails are highly automated, using generated Gmail addresses and IDN homograph domains that visually mimic Booking[.]com, often framed as urgent guest complaints to pressure service desk staff into clicking malicious links. Once hotel credentials are captured, the actors log into the legitimate platform to extract real booking data, which is later weaponized in highly convincing customer-facing lures, including WhatsApp messages containing accurate reservation details.
Security Officer Comments:
The phishing kit employed in the latest campaign uses Ajax-based frameworks, user fingerprinting, and traffic filtering to avoid security tools and researchers. If fingerprinting checks fail, victims are redirected to benign-looking hotel cleaning websites to reduce suspicion. The customer fraud phase reuses infrastructure and techniques previously associated with the “I Paid Twice” campaign reported by Sekoia, including Cloudflare-protected phishing pages and auto-populated booking data.
Bridewell is tracking this activity cluster as BR-UNC-030. Notably, the resurgence differs from earlier activity by introducing a dedicated partner phishing kit and expanding targeting across the retail/hospitality ecosystem, suggesting either an evolution by the same operators or a closely aligned threat group. Code comments containing Russian-language strings hint at the developers' possible origin, but attribution remains at moderate confidence.
Suggested Corrections:
- Enforce phishing-resistant MFA on Booking[.]com partner accounts (e.g., FIDO2/security keys) and disable legacy authentication to reduce credential-harvesting risk.
- Strengthen user awareness and service desk procedures: train hotel staff to verify guest complaints and Booking[.]com communications through the trusted partner portal rather than through links in email.
- Monitor for suspicious partner logins and data access, including anomalous geolocation, bulk booking data exports, and unusual session behavior.
- Block and hunt for typosquatted and look-alike domains, including patterns such as “booklng”, excessive hyphenation, and domains registered within the last 30 days.
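The domain hunt in the last item, together with the IDN homograph lures described in the summary, can be scripted. What follows is an added example written for this page; it is not Bridewell's tooling and nothing in it comes from the report. It scores candidate domains, as they would appear in DNS or proxy logs, against the signals listed above: IDN homographs (punycode labels expanded and mapped back to the Latin letters they imitate), spelling substitutions such as “booklng”, excessive hyphenation, and registration within the last 30 days. The confusable table, the hyphen threshold, the two-label apex approximation, the scoring weights, the fixed clock and the sample records are all assumptions chosen for illustration.

```python
"""Look-alike domain triage for the Booking.com brand (added example, not from the report).

Scores candidate domains taken from DNS or proxy logs using the signals the
advisory lists: IDN homographs, spelling substitutions such as "booklng",
excessive hyphenation, and registration within the last 30 days. The confusable
table, thresholds, two-label apex approximation and sample records are
assumptions chosen for illustration.
"""
import unicodedata
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

BRAND = "booking"
LEGIT_APEX = {"booking.com"}   # assumption: the only legitimate registrable domain
MAX_AGE_DAYS = 30              # "registered within the last 30 days" per the advisory
MAX_HYPHENS = 1                # assumption: more than one hyphen counts as excessive

# Assumed, deliberately small confusable table: glyphs that render like the
# Latin letters of the brand. Production tooling would load Unicode's confusables.txt.
CONFUSABLES = {
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u043a": "k",  # Cyrillic small ka
    "\u0261": "g",  # Latin small script g
    "\u0131": "i",  # Latin small dotless i
    "0": "o", "1": "i", "l": "i", "|": "i",   # ASCII swaps: b00king, book1ng, booklng
}


def decode_idn(domain: str) -> str:
    """Expand punycode labels (xn--...) as they appear in logs; Unicode input is returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(label: str) -> str:
    """Reduce a label to the Latin letters a human reads: NFKC, lower-case, then confusable mapping."""
    text = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, registered: Optional[date] = None, today: Optional[date] = None) -> Dict:
    """Score one domain. Brand signals weigh 2, circumstantial ones 1; a total of 2 or more is suspicious."""
    raw = domain.strip().rstrip(".").lower()
    decoded = decode_idn(raw).lower()
    labels = decoded.split(".")
    apex = ".".join(labels[-2:])            # assumption: no public suffix list, last two labels
    result = {"domain": raw, "decoded": decoded, "score": 0, "reasons": [], "suspicious": False}
    if apex in LEGIT_APEX:
        return result

    apex_label = labels[-2] if len(labels) >= 2 else labels[0]
    sk = skeleton(apex_label)
    if BRAND in sk or edit_distance(sk, BRAND) <= 1:
        if any(ord(ch) > 127 for ch in apex_label):
            result["reasons"].append(f"IDN homograph of '{BRAND}' (reads as '{sk}')")
        elif apex_label == BRAND:
            result["reasons"].append(f"brand name on unexpected apex {apex}")
        else:
            result["reasons"].append(f"look-alike spelling '{apex_label}' (reads as '{sk}')")
        result["score"] += 2
    if any(BRAND in skeleton(lbl) for lbl in labels[:-2]):
        result["reasons"].append(f"brand used as subdomain of unrelated apex {apex}")
        result["score"] += 2
    if apex_label.count("-") > MAX_HYPHENS:
        result["reasons"].append(f"excessive hyphenation ({apex_label.count('-')} hyphens)")
        result["score"] += 1
    if registered is not None:
        age = ((today or date.today()) - registered).days
        if age <= MAX_AGE_DAYS:
            result["reasons"].append(f"registered {age} days ago")
            result["score"] += 1
    result["suspicious"] = result["score"] >= 2
    return result


def triage(records: Iterable[Tuple[str, date]], today: date) -> List[Dict]:
    """Assess (domain, registration date) pairs and order them most suspicious first."""
    return sorted((assess(d, r, today) for d, r in records), key=lambda x: x["score"], reverse=True)


# Constructed sample records (domain as logged, WHOIS creation date) and a fixed clock.
TODAY = date(2026, 2, 1)
SAMPLE = [
    ("admin.booking.com", date(1997, 1, 20)),
    ("booklng-partner.com", date(2026, 1, 12)),
    ("b\u043e\u043eking.com".encode("idna").decode("ascii"), date(2026, 1, 25)),  # Cyrillic o, logged as xn--
    ("booking-com-guest-complaint-desk.net", date(2025, 6, 1)),
    ("booking.com.secure-extranet-login.net", date(2026, 1, 30)),
    ("hotelcleaning-services.com", date(2026, 1, 28)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE, TODAY):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['score']}  {r['domain']}  ->  {r['decoded']}  {'; '.join(r['reasons'])}")
```

Running the module prints the sample set ranked by score. Two design choices are worth noting. Recency alone never raises the verdict, because every newly registered domain (including benign ones like the hotel-cleaning decoys the kit redirects to) would otherwise be flagged; it only tips a domain over when combined with a brand or hyphenation signal. And the registration date is an input rather than a live lookup, so the logic can be unit-tested offline; in practice it would come from WHOIS/RDAP enrichment. The last-two-labels apex rule is the main simplification: it misidentifies the apex for suffixes like co.uk, which a public suffix list would fix.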
https://www.bridewell.com/insights/...shing-campaign-targeting-hotels-and-customers