Booking.com Phishing Campaign Targeting Hotels and Customers
A sophisticated phishing campaign targets Booking.com hotel partners and their customers by compromising hotel administrators' systems with malware such as PureRAT. Attackers gain access to booking management accounts and trick guests into paying twice for reservations via spear-phishing emails impersonating Booking.com. The campaign uses complex infrastructure including compromised legitimate websites and bulletproof hosting to evade detection. This operation is part of a broader cybercrime ecosystem offering specialized services to facilitate attacks on booking platforms. The threat poses risks to confidentiality and financial integrity, primarily affecting the hospitality sector. European hotels using Booking.com are at risk of financial fraud and reputational damage. Mitigations include enhanced endpoint security, phishing awareness training, multi-factor authentication, and monitoring for unusual booking activities.
AI Analysis
Technical Summary
This phishing campaign targets the hospitality industry, specifically Booking.com partners and their customers. Attackers begin by deploying malware like PureRAT on hotel administrators' systems, enabling them to gain unauthorized access to booking management accounts. With this access, they conduct fraudulent schemes that trick hotel guests into paying twice for their reservations. The campaign uses spear-phishing emails crafted to impersonate Booking.com, employing the ClickFix social engineering tactic to redirect victims to malicious websites. The attackers operate a sophisticated infrastructure that includes compromised legitimate websites, traffic distribution systems, and bulletproof hosting services to maintain persistence and evade detection. This campaign is part of a larger cybercrime ecosystem that offers specialized services on underground forums, facilitating attacks on booking platforms. The malware and phishing techniques leverage multiple MITRE ATT&CK tactics such as credential access, persistence, command and control, and data exfiltration. The absence of known exploits in the wild suggests the campaign relies heavily on social engineering and initial malware infection vectors. The threat primarily impacts the confidentiality and financial integrity of hotel booking systems and customers, potentially causing financial loss and reputational damage to affected organizations.
Potential Impact
For European organizations, particularly those in the hospitality sector using Booking.com, this threat can lead to significant financial losses due to fraudulent double payments by customers. Compromise of hotel administrators' systems undermines the confidentiality and integrity of booking data, potentially exposing sensitive customer information and payment details. The reputational damage to hotels and Booking.com partners can reduce customer trust and future bookings. Operational disruptions may occur if malware infections lead to system instability or if hotels need to suspend booking management systems during incident response. Given the reliance on online booking platforms in Europe’s tourism-dependent economies, the campaign could have widespread economic impacts. Additionally, the use of bulletproof hosting and complex infrastructure complicates detection and mitigation efforts, increasing the risk of prolonged exposure. European data protection regulations such as GDPR impose additional legal and financial risks if customer data is compromised.
Mitigation Recommendations
European hospitality organizations should implement multi-layered security controls beyond generic advice. Specifically, deploy advanced endpoint detection and response (EDR) solutions to detect and block malware like PureRAT. Enforce strict multi-factor authentication (MFA) on all booking management accounts to reduce the risk of credential compromise. Conduct targeted phishing awareness training for hotel administrators and staff, emphasizing recognition of spear-phishing and social engineering tactics such as ClickFix. Monitor booking systems for anomalies such as duplicate payments or unusual access patterns using behavioral analytics. Regularly audit and patch all systems, including third-party booking platforms and associated infrastructure. Establish incident response plans tailored to phishing and malware infections, including rapid containment and forensic analysis. Collaborate with Booking.com to share threat intelligence and coordinate response efforts. Finally, restrict outbound network traffic to known legitimate destinations to limit command and control communications.
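The recommendation to monitor for duplicate payments and lookalike senders can be turned into a concrete check. The following is an added example, not code from the advisory or from the Sekoia report: it scans constructed guest-facing payment-request events (field names, allowlist and sample values are assumptions) and flags the signals of the "pay twice" scheme: a payment request for a reservation already marked paid, repeated requests for one reservation, and payment links or sender domains that borrow the platform brand without being genuine platform hosts.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hosts a hotel expects in genuine platform messages (assumed allowlist; adjust per property).
LEGITIMATE_HOSTS = {"booking.com", "admin.booking.com", "secure.booking.com"}
# Brand fragments the campaign's lookalike registrations reuse (see the IoC domain patterns).
BRAND_TOKENS = ("booking", "bkng", "extranet")


def is_lookalike_host(host: str) -> bool:
    """True when a host borrows the platform brand but is not a genuine platform host."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE_HOSTS or host.endswith(".booking.com"):
        return False
    return any(token in host for token in BRAND_TOKENS)


def find_double_payment_signals(events):
    """Return (reservation_id, reason) findings from guest-facing payment-request events.

    Each event is a dict with: reservation_id, status (reservation status when the
    message was sent), url (payment link in the message), sender (envelope-from domain).
    """
    findings = []
    requests_seen = defaultdict(int)
    for ev in events:
        rid = ev["reservation_id"]
        requests_seen[rid] += 1
        if ev["status"] == "paid":
            # A reservation that is already paid should never receive a new payment request.
            findings.append((rid, "payment request for an already-paid reservation"))
        if requests_seen[rid] > 1:
            findings.append((rid, "repeated payment request"))
        host = urlparse(ev["url"]).hostname or ""
        if is_lookalike_host(host):
            findings.append((rid, f"lookalike payment host {host}"))
        if is_lookalike_host(ev["sender"]):
            findings.append((rid, f"lookalike sender domain {ev['sender']}"))
    return findings


# Constructed sample events (not real log data); the .invalid TLD marks the fake host.
SAMPLE_EVENTS = [
    {"reservation_id": "R1001", "status": "pending",
     "url": "https://secure.booking.com/pay/1001", "sender": "booking.com"},
    {"reservation_id": "R1002", "status": "paid",
     "url": "https://verifyguest-booking.invalid/17149438", "sender": "verifyguest-booking.invalid"},
    {"reservation_id": "R1002", "status": "paid",
     "url": "https://verifyguest-booking.invalid/17149438", "sender": "verifyguest-booking.invalid"},
]

if __name__ == "__main__":
    for rid, reason in find_double_payment_signals(SAMPLE_EVENTS):
        print(rid, reason)
```

Feeding the hotel's outbound guest-messaging log into `find_double_payment_signals` gives a per-reservation trail that incident responders can correlate with the compromised administrator account.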
Affected Countries
Spain, Italy, France, Germany, United Kingdom, Netherlands, Portugal, Greece, Austria
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/
- Adversary: null
- Pulse Id: 690dba690d5c272baae78d78
- Threat Score: null
Threat ID: 690dbd8a03ca3124669e0ec2
Added to database: 11/7/2025, 9:36:10 AM
Last enriched: 11/7/2025, 9:36:26 AM
Last updated: 11/8/2025, 5:39:35 PM