Malvertising & Phishing Campaign Targets Hotelier Accounts


Okta Threat Intelligence identified a large-scale phishing campaign leveraging malvertising and typosquatted domains to impersonate at least 13 hospitality and vacation rental service providers. The campaign’s main goal is credential harvesting and bypassing MFA protections to compromise accounts for cloud-based property management and guest messaging platforms. Evidence observed in code snippets and infrastructure indicates possible Russian-speaking threat actors behind the activity.

Severity Level: Moderate

Threat Details

1. Attacker Infrastructure:

  • Phishing Domains (Typosquatting): Lookalike websites mimicking legitimate hotel and vacation rental providers (e.g., Oracle Hospitality, Airbnb).
  • Malvertising Channels: Sponsored Google Search ads that placed the fake sites above legitimate domains.
  • Phishing Portals: Fake login pages configured to collect credentials and MFA codes.

2. Credential Harvesting:

  • Phishing sites collected:
    • Usernames
    • Email addresses
    • Phone numbers
    • Passwords
  • Some portals explicitly requested OTP/MFA codes, using “Sign in with SMS Code” or “Email Code” prompts.

3. Victim Tracking (Beaconing Scripts):

  • Collected geolocation, session duration, and bot detection data.
  • Provided attackers with real-time victim analytics.

4. Language & Coding Artifacts:

  • Error messages in Russian: “Ошибка запроса” (“Request error”).
  • Code comments: “Запускаем запрос каждые 10 секунд” (“We start the request every 10 seconds”).
  • Suggests involvement of Russian-speaking operators.

5. Proxy Usage:

  • Sign-in attempts routed through a Russian datacenter proxy provider, helping attackers anonymize and localize traffic.

6. Potential Impact:

  • Compromise of hotelier accounts could allow:
    • Access to sensitive guest and reservation data.
    • Lateral movement into financial/payment systems.
    • Disruption of hotel operations.

Recommendations

  1. Continuously monitor for typosquatting domains resembling your brand or partners.
  2. Work with ad networks (Google, Bing, etc.) to flag and request takedowns of fraudulent sponsored ads.
  3. Train hospitality staff, booking managers, and customer support teams to:
     • Recognize malicious search ads.
     • Verify URLs before logging in.
     • Report suspected phishing attempts quickly.
  4. Warn users when malvertising and phishing campaigns appear to be targeting your brand. Notify end users if suspicious activity is observed on their account.
  5. Enforce adaptive risk-based authentication to flag anomalous login patterns (e.g., unusual devices, IPs, or time-of-day access).
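Recommendation 1 in practice: the script below is an added example (not code from the Okta report or this advisory) that generates one-edit typosquat variants of a brand's domain and flags newly observed domains that resemble it by TLD swap, typo, or embedding the brand name. The brand list and the observed domains are constructed placeholders, not indicators from the campaign.

```python
# Constructed brand list: placeholders for the impersonated hospitality providers.
BRANDS = ["example-hotel.com", "stayrentals.example"]
LOOKALIKES = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5"}  # glyphs that read alike

def registrable_label(domain):
    """Second-level label, e.g. 'example-hotel' for 'login.example-hotel.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def typosquat_candidates(label):
    """One-edit variants: omission, doubled letter, transposition, look-alike swap."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                      # omission
        out.add(label[:i] + ch * 2 + label[i + 1:])             # doubled letter
        if i + 1 < len(label):                                  # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in LOOKALIKES:                                    # look-alike swap
            out.add(label[:i] + LOOKALIKES[ch] + label[i + 1:])
    return out

def classify(domain, brand):
    """Why `domain` resembles `brand`, or None for the brand's own hosts / no match."""
    domain = domain.lower()
    if domain == brand or domain.endswith("." + brand):
        return None                      # the legitimate site or one of its subdomains
    label, blabel = registrable_label(domain), registrable_label(brand)
    if label == blabel:
        return "tld-swap"                # same name under a different TLD
    if label in typosquat_candidates(blabel):
        return "typosquat"
    if blabel in label:
        return "brand-embedded"          # e.g. <brand>-login.com
    return None

def flag_lookalikes(observed, brands=BRANDS):
    """Map each suspicious observed domain to (brand it resembles, reason)."""
    hits = {}
    for dom in observed:
        for brand in brands:
            if reason := classify(dom, brand):
                hits[dom.lower()] = (brand, reason)
                break
    return hits

# Constructed sample of newly seen domains (as a CT-log or passive-DNS feed might supply).
OBSERVED = ["example-hotel.com", "login.example-hotel.com",   # legitimate, not flagged
            "examp1e-hotel.com", "exmaple-hotel.com",         # look-alike swap, transposition
            "example-hotel.net", "example-hotel-login.com", "unrelated-site.org"]
```

Calling `flag_lookalikes(OBSERVED)` returns the four look-alike domains with their reasons and leaves the brand's own hosts and the unrelated domain unflagged; feed it the domains from your CT-log or DNS monitoring to triage candidates for takedown.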

Source:

  • https://sec.okta.com/articles/2025/08/attackers-target-hotelier-accounts-in-broad-phishing-campaign/

Ampcus Cyber