It’s been an interesting week in the threat landscape, especially for anyone who works around payments, travel, or fraud. A new wave of phishing activity targeting hotel guests has been uncovered, and the scale alone is worth paying attention to.
A Russian threat actor has registered over 4,300 fake travel-related domains this year, all created for one purpose: stealing card details from people who think they’re confirming a hotel reservation. The campaign kicked off properly around February 2025 and has only grown stronger since then.
When researchers dug into the domains, a clear pattern appeared. Of the more than 4,300 domains identified so far, 685 contain “Booking,” 18 mimic Expedia, 13 mimic Agoda, and 12 reference Airbnb. That tells you everything you need to know: the attackers are going after the biggest platforms in the travel industry, and they’re doing it very intentionally.
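The brand-keyword pattern above can be turned into a triage pass over a feed of newly observed domains. This is an added example, not code from the researchers; the official domains in the allowlist and every sample hostname are assumptions constructed for illustration.

```python
from collections import Counter

# Brand keyword -> official registrable domain. The four brands are the ones
# the article names; the official domains are an assumption added here.
BRANDS = {
    "booking": "booking.com",
    "expedia": "expedia.com",
    "agoda": "agoda.com",
    "airbnb": "airbnb.com",
}

def normalize(host):
    """Lowercase and drop whitespace and the trailing root dot."""
    return host.strip().lower().rstrip(".")

def is_official(host, official):
    # Compare on a label boundary: "secure.booking.com" is official, while
    # "x-booking.com" and "booking.com.x.test" only contain the string.
    return host == official or host.endswith("." + official)

def impersonated_brand(host):
    """Return the brand keyword a non-official host contains, else None."""
    host = normalize(host)
    if any(is_official(host, o) for o in BRANDS.values()):
        return None
    return next((k for k in BRANDS if k in host), None)

def triage(domains):
    """Map each suspicious host to its brand and tally hits per brand."""
    hits = {normalize(d): impersonated_brand(d) for d in domains}
    hits = {d: b for d, b in hits.items() if b}
    return hits, Counter(hits.values())

# Constructed sample feed (not indicators from the campaign).
SAMPLE_FEED = [
    "secure.booking.com",                 # genuine subdomain, must pass
    "confirm-booking-guest.example",
    "booking.com.reservation-4821.test",  # brand domain used as a subdomain
    "constructed-sample-booking.com",     # ends in the string, not the label
    "airbnb-verify-stay.example",
    "Agoda-Deposit.EXAMPLE.",
    "weather-report.example",
]

if __name__ == "__main__":
    hits, per_brand = triage(SAMPLE_FEED)
    for host, brand in hits.items():
        print(f"{brand:8} {host}")
    print(dict(per_brand))
```

A plain `endswith("booking.com")` check would wrongly allowlist the fourth sample, which is why the comparison is anchored on the dot.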
The technique itself is unfortunately convincing. Victims receive phishing emails urging them to “confirm their reservation within 24 hours” using a credit card. Clicking the link triggers a chain of redirects that leads to a fake website carefully designed to look like whatever platform the attacker wants to impersonate. These fake sites follow naming patterns familiar enough to trick an unsuspecting traveler into believing they’re on a legitimate page.
To make matters worse, the pages support 43 different languages, giving the attackers a wide global reach. Once the visitor reaches the page, they’re instructed to “pay a deposit” by entering their card information. As soon as the victim submits their details, the page pretends to process a transaction and even shows a fake Cloudflare-like CAPTCHA and a “support chat” that walks them through a fake 3D Secure verification process.
One part of this campaign that stands out is how the attackers control the way each fake page looks. Instead of having one generic phishing page for everybody, they use a small identifier, something researchers refer to as an AD_CODE, hidden inside the phishing link. That little identifier tells the fake site exactly which brand to impersonate.
So, if the attacker wants you to land on a Booking.com-themed page, your link carries an AD_CODE that loads the Booking.com version. If they want someone else to see a fake Airbnb page, they send them a different code.
Once the victim visits the site, the AD_CODE is saved in a cookie. That simply keeps the branding consistent as the person clicks around. But if anyone tries to access the same domain without the AD_CODE, the page stays blank. This is intentional. It hides the malicious content from researchers and automated scanners while keeping the experience seamless for victims.
In short, the AD_CODE allows the scammers to personalize the deception for each target, maintain the illusion across the entire session, and quietly avoid detection.
There’s another layer to all of this. The campaign overlaps with another hospitality-focused operation, one that targeted hotel managers using malware like PureRAT, stole their credentials, and then reached out to hotel guests via WhatsApp or email to trick them into clicking similar booking confirmation links. Research teams have now confirmed that the indicators match, and these activities appear to belong to the same cluster of threat actors.
And they’re not stopping at the travel industry. In recent weeks, massive phishing campaigns have impersonated Microsoft, Adobe, WeTransfer, FedEx, and DHL by distributing HTML attachments that open fake login pages. Whatever credentials victims enter are immediately sent to attacker-controlled Telegram bots. These campaigns have heavily targeted organizations across Central and Eastern Europe, particularly in Germany, the Czech Republic, Slovakia, and Hungary, with attackers posing as clients, partners, and suppliers requesting quotations or invoice confirmations.
Italy has also seen a surge in similar attacks. Customers of Aruba S.p.A., one of the country’s largest hosting and IT service providers, have been hit with emails about “expiring services” or “failed payments.” Behind these emails is another highly automated phishing kit that uses CAPTCHA filtering, pre-filled victim data, and Telegram bots for exfiltration. The entire system is built for speed and scale.
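Both the HTML-attachment campaigns and the Aruba-themed kit hand stolen data to Telegram bots, which gives a mail gateway or analyst something concrete to look for in attachment or page source. The scanner below is an added example, not part of the reported research: it assumes the kit calls the public Telegram Bot API (`https://api.telegram.org/bot<token>/<method>`), and the samples and bot token are constructed placeholders.

```python
import base64
import re

# Telegram Bot API URL; group 1 is the numeric bot id, group 2 the method.
BOT_URL = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)

def bots_in(text):
    return {(m.group(1), m.group(2)) for m in BOT_URL.finditer(text)}

def find_bot_urls(html):
    """Find bot endpoints written in the clear or hidden in base64 strings."""
    found = bots_in(html)
    for run in B64_RUN.findall(html):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # not valid base64, ignore the run
            continue
        found |= bots_in(raw.decode("utf-8", "ignore"))
    return found

def scan_attachment(html):
    """Classify one HTML attachment: block, review, or pass."""
    bots = find_bot_urls(html)
    has_form = bool(PASSWORD_FIELD.search(html))
    verdict = "block" if bots and has_form else "review" if bots else "pass"
    return {"credential_form": has_form,
            "telegram_bots": sorted(bots),
            "verdict": verdict}

# Constructed samples: the token is a placeholder, not a real bot.
URL = ("https://api.telegram.org/bot0000000000:"
       "CONSTRUCTED_PLACEHOLDER_TOKEN/sendMessage")
FORM = '<form><input name="u"><input type="password" name="p"></form>'
SAMPLE_PLAIN = FORM + '<script>var endpoint = "' + URL + '";</script>'
SAMPLE_ENCODED = (FORM + '<script>var e = atob("'
                  + base64.b64encode(URL.encode()).decode() + '");</script>')
SAMPLE_BENIGN = '<form><input type="password" name="p"></form><p>Portal</p>'

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_ENCODED", "SAMPLE_BENIGN"):
        print(name, scan_attachment(globals()[name]))
```

The bot id it reports is useful for clustering attachments that share one operator, and a proxy alert on `api.telegram.org` from hosts that have no business using Telegram covers kits that obfuscate more heavily than base64.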
If there’s one theme running through all of this, it’s the rise of phishing-as-a-service (PhaaS). This underground market now allows attackers with little to no technical skill to run campaigns that look polished, targeted, and frighteningly efficient. What used to take expertise has become as simple as buying a ready-made kit and launching it at scale.
Phishing has always been around, but the level of automation we’re seeing now makes it faster to deploy, harder to detect, and much easier to replicate. And unfortunately, the hospitality industry, with its constant flow of reservations, confirmations, and payments, is the perfect target.
If you work with travel data, customer bookings, or payment systems, this is the kind of campaign that’s worth watching closely. Remember that cybercriminals don’t always need to break into systems to cause damage. Sometimes, they just need to be convincing enough to make people hand their information over.
