
Russian Travel Phishing Ring Used 4,300 Fake Hotel Booking Sites

[Figure: sample of the fraudulent travel-booking interface, carrying travel-brand logos, used for credential harvesting in the 4,300-domain phishing campaign targeting hotel guests]

In early 2025 a Russian-speaking adversary quietly launched an unprecedented phishing campaign that now relies on more than 4,300 fake hotel-booking and travel-reservation domains. The threat leverages familiar brands and travel-industry logos to trick hotel guests into entering their payment cards, then processes those details for fraud. This realistic spoof tactic signals a dangerous evolution in hospitality-sector cyber-fraud.

๐—–๐—ฎ๐—บ๐—ฝ๐—ฎ๐—ถ๐—ด๐—ป ๐—ฆ๐—ฐ๐—ผ๐—ฝ๐—ฒ ๐—ฎ๐—ป๐—ฑ ๐—ข๐—ฝ๐—ฒ๐—ฟ๐—ฎ๐˜๐—ถ๐—ผ๐—ป

Security researchers at Netcraft identified that the actor had registered 4,344 domains to date. Among them: 685 domains contain the brand "Booking," 18 include "Expedia," 13 "Agoda" and 12 "Airbnb." The campaign kicked off around February and aimed broadly at hotel-guest bookings worldwide. The size and speed suggest a phishing-as-a-service (PhaaS) business model, enabling scale and rotation across thousands of domains.

๐——๐—ผ๐—บ๐—ฎ๐—ถ๐—ป ๐—š๐—ฎ๐—บ๐—ฒ ๐—ฎ๐—ป๐—ฑ ๐—•๐—ฟ๐—ฎ๐—ป๐—ฑ ๐—œ๐—บ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ผ๐—ป๐—ฎ๐˜๐—ถ๐—ผ๐—ป

The domains follow consistent patterns: terms like confirmation, booking, guestverify, cardverify, or reservation appear alongside major hotel-brand names. Many domains reference boutique hotels by name to enhance legitimacy. The TLDs span generic extensions such as .world, .help, .sale and regional variants. Beyond naming, the pages dynamically swap logos for Booking, Airbnb, Agoda and others depending on a unique URL string (AD_CODE). This enables the same infrastructure to impersonate multiple brands.

๐—Ÿ๐˜‚๐—ฟ๐—ฒ ๐— ๐—ฒ๐˜๐—ต๐—ผ๐—ฑ๐˜€

Victims receive fake "booking confirmation" emails that urge immediate card verification to avoid cancellation. The email links funnel through a redirection chain, often via an aged domain or blog platform, before arriving at the phishing site. The chain obscures detection and exploits trust in legitimate platforms. Once on the page, users face a fake CAPTCHA prompt, styled like Google / Cloudflare, intended to lower suspicion. Then a payment screen appears requesting full card details. The pages are available in 43 languages, expanding reach worldwide.

๐—ฃ๐—ฎ๐˜†๐—บ๐—ฒ๐—ป๐˜ ๐—–๐—ฎ๐—ฟ๐—ฑ ๐——๐—ฎ๐˜๐—ฎ ๐—–๐—ฎ๐—ฝ๐˜๐˜‚๐—ฟ๐—ฒ ๐—ฎ๐—ป๐—ฑ ๐—˜๐˜…๐—ณ๐—ถ๐—น๐˜๐—ฟ๐—ฎ๐˜๐—ถ๐—ผ๐—ป

Once victims enter cardholder name, PAN, expiry and CVV, the script performs Luhn validation before sending the data live to attacker infrastructure. Meanwhile a fake chat panel claims "3D Secure verification" is in progress while the card data is actually transmitted to the attackers in the background. Stolen cards likely feed into card-not-present fraud, resale on carding forums, and broader identity-theft campaigns.

๐——๐—ฒ๐˜๐—ฒ๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—–๐—น๐˜‚๐—ฒ๐˜€ & ๐—ง๐—ง๐—ฃ๐˜€

For defenders, several trade-craft indicators stand out:

  • Domain names include brands + phrases like "guestverify" or "cardverify".

  • Hosting through rotating registrars and high-volume registrations.

  • URL parameter AD_CODE modifying the brand and landing page at runtime.

  • Multi-language templates, phishing-kit reuse and uniform resource paths.

  • Emails claiming "verify your booking" pointing to links with multiple redirects via blog or legacy domains.

Mapping these to the MITRE ATT&CK framework: TA0001 (Initial Access via Phishing), TA0009 (Collection), T1585 (Domain Fronting) and T1566 (Phishing). These details help SOC teams and travel-industry firms tune detection.
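As an added example (not code from the article or from Netcraft), the following Python scorer turns the domain-naming pattern described above (brand + lure term + unusual TLD) and the AD_CODE URL parameter into a simple triage heuristic a SOC could run over a new-domain or URL feed. The watch-lists, scoring weights, threshold and sample feed are all constructed assumptions, not the campaign's actual indicator set.

```python
import re
from urllib.parse import urlparse, parse_qs
# Constructed watch-lists taken from the indicators reported above (assumed, not
# the campaign's full lists). "booking" counts as a brand, since it is also a lure word.
BRANDS = ("booking", "expedia", "agoda", "airbnb")
LURE_TERMS = ("confirmation", "guestverify", "cardverify", "reservation")
SUSPICIOUS_TLDS = ("world", "help", "sale")
FLAG_THRESHOLD = 3  # assumed cut-off; a bare brand domain (booking.com) stays below it

def score_domain(domain):
    """Score a hostname for brand + lure term + odd TLD; returns (score, reasons)."""
    labels = domain.lower().strip(".").split(".")
    tld = labels[-1]
    # Drop separators so "guest-verify" and "guestverify" match the same term.
    flat = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))
    score, reasons = 0, []
    brands = [b for b in BRANDS if b in flat]
    if brands:
        score += 2
        reasons.append("brand:" + ",".join(brands))
    lures = [t for t in LURE_TERMS if t in flat]
    if lures:
        score += 2 * len(lures)  # brand + lure, or lure + odd TLD, crosses the threshold
        reasons.append("lure:" + ",".join(lures))
    if tld in SUSPICIOUS_TLDS:
        score += 1
        reasons.append("tld:" + tld)
    return score, reasons

def url_indicators(url):
    """Combine the hostname score with the AD_CODE runtime brand-switch parameter."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    score, reasons = score_domain(host)
    if "AD_CODE" in parse_qs(parsed.query):
        score += 2
        reasons.append("param:AD_CODE")
    return {"host": host, "score": score, "reasons": reasons,
            "suspicious": score >= FLAG_THRESHOLD}

def triage(urls):
    """Return the hosts from a URL feed that cross the threshold, in feed order."""
    return [r["host"] for r in map(url_indicators, urls) if r["suspicious"]]

# Constructed sample feed (not real indicators) to exercise the scoring end to end.
SAMPLE_FEED = ["https://booking-guestverify.world/?AD_CODE=abc123",
               "https://www.booking.com/myreservations",
               "https://grandhotel-cardverify.help/pay",
               "https://example.com/reservation?id=1"]
```

Running `triage(SAMPLE_FEED)` flags the first and third entries only; the legitimate brand domain and the unrelated site stay below the threshold.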

๐—›๐—ผ๐˜„ ๐—›๐—ผ๐˜๐—ฒ๐—น๐˜€ ๐—ฎ๐—ป๐—ฑ ๐—•๐—ฟ๐—ฎ๐—ป๐—ฑ๐˜€ ๐—ฆ๐—ต๐—ผ๐˜‚๐—น๐—ฑ ๐—ฅ๐—ฒ๐˜€๐—ฝ๐—ผ๐—ป๐—ฑ

Hotels and travel brands must treat this as more than a marketing nuisance: it is a brand-abuse threat with direct financial implications. Recommended steps:

  • Implement and monitor SPF/DKIM/DMARC for email channels.

  • Maintain look-alike domain monitoring and takedown agreements with registrars.

  • Train front-desk and customer-service teams to flag guest reports of suspicious "confirm your booking" communications.

  • Share threat intelligence across fraud, security & guest-services functions.

๐—ง๐—ฟ๐—ฎ๐˜ƒ๐—ฒ๐—น๐—ฒ๐—ฟ ๐—ฎ๐—ป๐—ฑ ๐—˜๐—ป๐˜๐—ฒ๐—ฟ๐—ฝ๐—ฟ๐—ถ๐˜€๐—ฒ ๐——๐—ฒ๐—ณ๐—ฒ๐—ป๐˜€๐—ฒ

For travellers and enterprise security teams supporting corporate travel:

  • Always access booking confirmations via trusted apps or official portals, not through email links.

  • If asked to re-enter card data, use limited-use virtual cards or cards with tight spending caps.

  • Apply email filtering and sandboxing to block mass travel-themed campaigns.

  • Conduct user awareness sessions using real-world examples like this campaign.

This campaign demonstrates how phishing has evolved into a fully industrialised operation with more than 4,300 domains, multi-language capability, brand impersonation and real-time payment-card theft at scale. For the hospitality industry and guests alike, it underscores that trust in travel brands must be matched by layered cyber-defence and awareness.

๐—™๐—”๐—ค๐—ฆ

How can hotel guests verify if a booking email is legitimate?
Guests should always check their reservation through an official channel such as the hotel's verified app or website. They should avoid clicking email links and instead access their reservation via known URLs or saved bookmarks.

What should someone do after entering card details on a fake hotel booking website?
They should immediately contact their card issuer, request a block, and monitor for unauthorized transactions. They should also reset any reused passwords and consider a fraud alert depending on exposure.

How can hotels detect fake domains impersonating their brand?
Hotels can monitor for look-alike domains, track unusual domain registrations that include their brand name, and set up alerting with brand-protection services. Regular reporting pipelines with registrars accelerate takedowns.

Why do attackers target travel and hospitality phishing campaigns so often?
Travel bookings involve time pressure, card payments and strong trust in brand names. Attackers exploit these emotional triggers, making travel phishing highly effective and financially rewarding.

How can corporate security teams reduce exposure to travel-themed phishing?
They can strengthen email filtering, train users with realistic travel-phishing scenarios, enforce URL-rewriting inspection, and encourage booking confirmation only via trusted apps instead of email links.
