Booking.com Phishing Campaign Targeting Hotels and Customers
A sophisticated phishing campaign targets Booking.com hotel partners and their customers by compromising hotel administrators' systems with malware such as PureRAT. Attackers gain access to booking management accounts and use spear-phishing emails impersonating Booking.com to trick guests into paying twice for reservations. The campaign employs social engineering tactics, malicious sites, and a complex infrastructure involving compromised legitimate websites and bulletproof hosting. This operation is part of a broader cybercrime ecosystem offering specialized services to facilitate attacks on booking platforms. The threat impacts the confidentiality and financial integrity of hotel bookings and customer payments. European hospitality businesses relying on Booking.com, especially in countries with large tourism sectors, are at risk. Mitigation requires targeted security controls on hotel admin systems, user awareness training, and monitoring for unusual booking activities.
AI Analysis
Technical Summary
This threat involves a multi-faceted phishing campaign targeting Booking.com hotel partners and their customers. The attackers first compromise hotel administrators' systems using malware such as PureRAT, a remote access trojan that enables persistent access and credential theft. With control over booking management accounts, attackers send spear-phishing emails impersonating Booking.com to hotel guests, tricking them into making duplicate payments for reservations. The campaign leverages social engineering techniques including the use of ClickFix, malicious websites, and a sophisticated infrastructure that includes compromised legitimate websites and bulletproof hosting services to evade takedown and detection. The operation is embedded within a broader cybercrime ecosystem that provides specialized services to facilitate attacks on booking platforms, indicating a high level of organization and resource availability. The primary impacts are on the confidentiality of booking data and the financial integrity of transactions, potentially leading to financial losses for both hotels and customers. The campaign's complexity and use of advanced tactics highlight the need for comprehensive security measures. The threat is particularly relevant to European hospitality businesses that rely heavily on Booking.com, especially in countries with significant tourism industries.
Potential Impact
For European organizations, this campaign poses significant risks to both operational continuity and financial security within the hospitality sector. Compromise of hotel administrators' systems can lead to unauthorized access to sensitive booking data, exposing customer personal and payment information, which may result in data breaches and regulatory penalties under GDPR. Financial fraud through double payments undermines customer trust and can cause reputational damage to hotels and Booking.com partners. The disruption of booking management processes may also affect hotel operations and guest experience. Given the reliance on Booking.com in major European tourism markets, the campaign could have widespread effects, potentially impacting thousands of hotels and millions of customers. The financial losses and erosion of customer confidence could have longer-term economic consequences for the hospitality industry in Europe.
Mitigation Recommendations
To mitigate this threat, European hospitality organizations should implement targeted security controls focused on hotel administrative systems, including endpoint protection capable of detecting and removing malware like PureRAT. Multi-factor authentication (MFA) should be enforced for all booking management accounts to reduce the risk of credential misuse. Regular security awareness training tailored to hotel staff and administrators is critical to recognize spear-phishing attempts and social engineering tactics. Monitoring and anomaly detection systems should be deployed to identify unusual booking activities, such as duplicate payments or unexpected changes in reservation data. Hotels should also conduct regular audits of their IT infrastructure and network traffic to detect signs of compromise or unauthorized access. Collaboration with Booking.com to verify suspicious transactions and share threat intelligence can enhance response capabilities. Finally, maintaining updated incident response plans specific to phishing and malware incidents will improve preparedness and containment.
Affected Countries
France, Spain, Italy, Germany, United Kingdom, Netherlands, Portugal, Greece, Austria, Switzerland
Indicators of Compromise
- ip: 85.208.84.94
- domain: sqwqwasresbkng.com
- hash: 32108a830908f88f9949d6c0cbbaea2e
- hash: 51b0c87f9956b1c0a2a9288682cfdbae
- hash: 799e73863806df2964d80d12ce4e61ea
- hash: a3cc88c9d37b9007e5b6d3446bf9e1e4
- hash: d4845669f7f56c6c4eb82147a1f82615
- hash: 25f6e7cf30010425523d88c02b4cd147ee8eedf1
- hash: 6cad060b2934c422945c5d706b0701a42e02c145
- hash: c3eba229c847caa61117c3d0f84efaec7f33a2f7
- hash: e4885686dc64aeaae61eb67ca715ce4b7e07b670
- hash: 5301f5a3fb8649edb0a5768661d197f872d40cfe7b8252d482827ea27077c1ec
- hash: 64838e0a3e2711b62c4f0d2db5a26396ac7964e31500dbb8e8b1049495b5d1f3
- hash: 703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1
- hash: 9bab404584f6a0d9d82112d6e017cfa37d0094d97e510101d6a0132fd145dd32
- ip: 77.83.207.106
- url: http://77.83.207.106:56001
- url: http://85.208.84.94:56001
- url: http://activatecapagm.com/j8r3
- url: http://bkngpropadm.com/bomla
- url: http://bkngssercise.com/bomla
- url: http://bknqsercise.com/bomla
- url: http://bqknsieasrs.com/loggqibkng
- url: http://brownsugarcheesecakebar.com/ajm4
- url: http://byliljedahl.com/8anf
- url: http://byliljedahl.com/lv6q
- url: http://cabinetifc.com/upseisser.zip
- url: http://cardverify0006-booking.com/37858999
- url: http://confirmation8324-booking.com/17149438
- url: http://confirmation887-booking.com/17149438
- url: http://cquopymaiqna.com/bomla
- url: http://ctrlcapaserc.com/bomla
- url: http://ctrlcapaserc.com/loggqibkng
- url: http://customvanityco.com/izsb
- url: http://emprotel.net.bo/updserc.zip
- url: http://guest03442-booking.com/17149438
- url: http://hareandhosta.com/95xh
- url: http://headkickscountry.com/lz1y
- url: http://homelycareinc.com/po7r
- url: http://jamerimprovementsllc.com/ao9o
- url: http://seedsuccesspath.com/6m8a
- url: http://verifycard45625-expedia.com/67764524
- url: http://verifyguest02667-booking.com/17149438
- url: http://zenavuurwerkofficial.com/62is
- domain: activatecapagm.com
- domain: admin-extranet-reservationsexp.com
- domain: admin-extranet-reservationsinfos.com
- domain: admin-extranetadm-captcha.com
- domain: admin-extranetadmns-captcha.com
- domain: admin-extranetmngrxz-captcha.com
- domain: admin-extranetmnxz-captcha.com
- domain: admin-extranetrservq-cstmrq.com
- domain: aidaqosmaioa.com
- domain: api-notification-centeriones.com
- domain: bkngpropadm.com
- domain: bkngssercise.com
- domain: bknqsercise.com
- domain: booking-agreementaprilreviews042025.com
- domain: booking-agreementstatementapril0225.com
- domain: booking-agreementstatementapril0429.com
- domain: booking-aprilreviewstir-9650233.com
- domain: booking-confview-doc-00097503843.com
- domain: booking-confviewdocum-0079495902.com
- domain: booking-refguestitem-09064111.com
- domain: booking-reservationinfosid0251358.com
- domain: booking-reservationsdetail-id0025911.com
- domain: booking-reviewsguestpriv-10101960546.com
- domain: booking-viewdocdetails-0975031.com
- domain: booking-visitorviewdetails-64464043.com
- domain: bookingadmin-updateofmay2705.com
- domain: bookreservfadrwer-customer.com
- domain: bqknsieasrs.com
- domain: breserve-custommessagehelp.com
- domain: brownsugarcheesecakebar.com
- domain: byliljedahl.com
- domain: cabinetifc.com
- domain: cardverify0006-booking.com
- domain: caspqisoals.com
- domain: comsquery.com
- domain: confirmation8324-booking.com
- domain: confirmation887-booking.com
- domain: confirminfo-hotel20may05.com
- domain: confsvisitor-missing-items.com
- domain: confvisitor-doc.com
- domain: contmasqueis.com
- domain: cquopymaiqna.com
- domain: ctrlcapaserc.com
- domain: customvanityco.com
- domain: eiscoaqscm.com
- domain: emprotel.net.bo
- domain: extranet-admin-reservationssept.com
- domain: guest03442-booking.com
- domain: guestinfo-aboutstay1205.com
- domain: guesting-servicesid91202.com
- domain: hareandhosta.com
- domain: headkickscountry.com
- domain: homelycareinc.com
- domain: jamerimprovementsllc.com
- domain: mccp-logistics.com
- domain: mccplogma.com
- domain: reserv-captchaapril04152025.com
- domain: seedsuccesspath.com
- domain: update-info1676.com
- domain: update-infos616.com
- domain: verifycard45625-expedia.com
- domain: verifyguest02667-booking.com
- domain: whooamisercise.com
- domain: whooamisercisea.com
- domain: zenavuurwerkofficial.com
- domain: action.properties.company
- domain: destination.geo.country
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/
- Adversary: null
- Pulse Id: 690dba690d5c272baae78d78
- Threat Score: null
Threat ID: 690dbd8a03ca3124669e0ec2
Added to database: 11/7/2025, 9:36:10 AM
Last enriched: 2/13/2026, 6:33:31 AM
Last updated: 3/25/2026, 1:17:45 AM
Views: 492