A large-scale phishing operation is targeting travelers across the globe, using over 4,300 fake domains to steal payment card information. The campaign focuses on individuals planning vacations or checking into hotels, leveraging fake booking confirmation emails that appear to come from trusted travel brands.
How the Scam Works
Attackers send emails claiming that a hotel reservation must be confirmed within 24 hours to avoid cancellation. This creates a sense of urgency, pushing victims to act quickly without verifying details. The emails include links that redirect users through multiple websites before landing on a phishing page designed to look like a legitimate hotel booking site.
Fake Pages Mimic Major Travel Brands
The phishing pages impersonate popular travel platforms such as Airbnb, Booking.com, Expedia, and Agoda, using authentic logos and professional layouts. Victims are asked to enter sensitive payment details, including card number, CVV, and expiration date.
Redirection Chain Explained
The attack uses a multi-step redirection system to avoid detection:
- Victims click the “Confirm Booking” button in the fake email.
- They are redirected to an old, unused domain registered in 2016.
- From there, they land on a Blogspot page (Google’s blogging platform).
- Finally, they reach the phishing page.
This technique makes it harder for security systems to block the malicious site and adds credibility by using legitimate platforms.
Sophisticated Phishing Kit Features
The phishing kit powering this campaign includes:
- Fake Cloudflare CAPTCHA for false security assurance.
- Luhn validation for card number format.
- Real-time keystroke polling every second.
- Support for 43 languages.
- Dynamic branding using an AD_CODE parameter to impersonate different travel brands.
Victims even see a fake support chat urging them to confirm SMS notifications from their bank—these are actually real fraud alerts triggered by unauthorized transactions.
Scale of the Attack
The campaign began in February 2025 and continues to grow. On March 20, 2025, attackers registered 511 domains in a single day. These domains often include keywords like:
- confirmation
- booking
- guest
- verify
- card
- reservation
Many domains even reference specific luxury hotels, making the scam appear highly targeted.
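The redirection chain and the keyword-stuffed landing domains described above can be turned into a simple triage check. The following is an added example, not code from the report or from Netcraft; the hop URLs, the `.example` hostnames and the scoring threshold are constructed for illustration, and the chain is supplied as a list rather than fetched live.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Keyword patterns and impersonated brands named in the report.
KIT_KEYWORDS = ("confirmation", "booking", "guest", "verify", "card", "reservation")
IMPERSONATED_BRANDS = ("airbnb", "booking", "expedia", "agoda")
# Blogging platform observed as the intermediate hop in the chain.
INTERMEDIATE_HOSTS = ("blogspot.com",)

def domain_score(hostname: str) -> int:
    """Count distinct kit keywords and impersonated brands in the hostname labels (TLD ignored)."""
    joined = "".join(hostname.lower().split(".")[:-1])
    hits = {kw for kw in KIT_KEYWORDS if kw in joined}
    hits |= {b for b in IMPERSONATED_BRANDS if b in joined}
    return len(hits)

@dataclass
class ChainVerdict:
    hops: int
    via_blog_platform: bool
    final_host: str
    final_score: int
    ad_code: Optional[str]   # AD_CODE branding parameter, if present on the landing URL
    suspicious: bool

def assess_redirect_chain(urls: List[str], min_score: int = 2) -> ChainVerdict:
    """Flag a chain that bounces through a blogging platform to a keyword-stuffed landing host."""
    hosts = [urlparse(u).hostname or "" for u in urls]
    via_blog = any(h.endswith(p) for h in hosts[:-1] for p in INTERMEDIATE_HOSTS)
    final = hosts[-1]
    score = domain_score(final)
    ad_code = parse_qs(urlparse(urls[-1]).query).get("AD_CODE", [None])[0]
    suspicious = len(urls) >= 3 and via_blog and score >= min_score
    return ChainVerdict(len(urls), via_blog, final, score, ad_code, suspicious)

# Constructed sample chain mirroring the three hops described in the report.
SAMPLE_CHAIN = [
    "https://stale-parked-site.example/confirm?id=123",            # old, unused domain
    "https://travel-notice.blogspot.com/2025/03/confirm.html",      # blogging platform hop
    "https://booking-guest-verifycard.example/pay?AD_CODE=agoda",   # phishing landing page
]

if __name__ == "__main__":
    print(assess_redirect_chain(SAMPLE_CHAIN))
```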
Who Is Behind It?
Security researchers at Netcraft discovered Russian-language comments in the phishing kit’s source code, suggesting the threat actor is Russian-speaking. The attacker primarily uses four registrars:
- WebNIC
- Public Domain Registry
- Atak Domain Bilgi Teknolojileri A.S.
- MAT BAO Corporation
How to Protect Yourself
- Verify booking emails by contacting the hotel or travel company directly.
- Avoid clicking links in unsolicited emails.
- Use multi-factor authentication and monitor bank alerts.
- Report suspicious domains to security authorities.
Key Takeaway
This phishing campaign is one of the most sophisticated travel-related scams in recent years. Travelers should remain vigilant and double-check any booking confirmation before sharing payment details.