Booking.com Phishing Campaign Targeting Hotels and Customers

Nov. 7, 2025, 11 a.m.

Description

A sophisticated phishing campaign is targeting the hospitality industry, specifically Booking.com partners and their customers. The attackers first compromise hotel administrators' systems using malware like PureRAT, gaining access to booking management accounts. They then use this access to conduct fraudulent schemes against hotel guests, tricking them into paying twice for their reservations. The campaign employs spear-phishing emails impersonating Booking.com, redirecting victims to malicious sites using the ClickFix social engineering tactic. The attackers leverage a complex infrastructure including compromised legitimate websites, traffic distribution systems, and bulletproof hosting. This operation is part of a broader cybercrime ecosystem targeting booking platforms, with various specialized services being offered on underground forums to facilitate these attacks.

Date

  • Created: Nov. 7, 2025, 9:22 a.m.
  • Published: Nov. 7, 2025, 9:22 a.m.
  • Modified: Nov. 7, 2025, 11 a.m.

Indicators


Attack Patterns

  • ClickFix
  • PureRAT

Additional Information

  • Hospitality