Emerging Phishing Campaigns Exploit Malvertising to Compromise Hotel Management Systems

In late August 2025, cybersecurity analysts identified a sophisticated phishing campaign targeting hoteliers and vacation rental managers. Unlike traditional phishing methods that rely on mass emails or social media lures, this campaign leverages malicious search engine advertisements—a tactic known as malvertising—to deceive users into divulging sensitive information.

Malvertising Tactics and Execution

The attackers purchased sponsored ads on platforms like Google Search, employing typosquatting techniques to mimic legitimate service providers such as SiteMinder and RoomRaccoon. By slightly altering domain names—creating URLs like `siteminder.live` and `rocmracooon.cfd`—they ensured that their malicious sites appeared above authentic listings in search results, significantly increasing the likelihood of user engagement.

Upon clicking these sponsored links, victims were directed to meticulously crafted fake login portals. These counterfeit pages replicated the appearance of established property management and guest messaging platforms, complete with corporate logos and form fields for usernames, passwords, and even multi-factor authentication (MFA) prompts. The attackers employed advanced social engineering techniques to coax users into providing one-time passwords (OTPs) sent via SMS or email, thereby capturing both static credentials and dynamic OTPs to maximize account takeover potential.

Detection and Attribution

Security analysts from Okta identified this campaign after observing a sudden spike in outbound traffic from a large Russian datacenter proxy provider to multiple hospitality domains. Further analysis of the phishing page source code revealed Russian-language comments and error messages, such as "Ошибка запроса" ("Request error"), indicating possible ties to Russian-speaking threat actors.

The phishing sites also employed JavaScript beaconing scripts to monitor visitor interactions in real time, collecting geolocation data, session duration, and bot-detection metrics. This continuous data exfiltration allowed attackers to confirm the validity of the credentials and OTPs entered by victims.

Infection Mechanism and Implications

This campaign’s reliance on malvertising distinguishes it from traditional phishing operations. By bidding on high-value keywords, often the exact names of hospitality platforms, the malicious ads appeared alongside or above genuine search results. Victims searching for terms like "SiteMinder login" or "RoomRaccoon channel manager" were instead directed to deceptive URLs that closely resembled legitimate domains.

Upon landing on these phishing pages, the JavaScript beacon confirmed victim presence and captured responses to form fields. The code forced periodic outbound connections to command-and-control endpoints, ensuring that credentials and OTPs were relayed immediately. Additionally, the attackers engineered the login forms to accept multiple MFA methods—SMS, email, and authenticator apps—thereby maximizing their chances of bypassing any single factor of defense.

Broader Context: Phishing in the Hospitality Industry

The hospitality industry has become an increasingly attractive target for cybercriminals due to its reliance on digital platforms and the vast amount of sensitive customer data it handles. Phishing attacks have evolved beyond traditional email scams to include sophisticated methods like malvertising and impersonation of trusted platforms.

For instance, in 2023, a significant phishing campaign targeted Booking.com users. Attackers gained unauthorized access to hotel systems, extracted personal data of hotel guests, and executed mass phishing campaigns against them. By possessing hotels’ Booking.com credentials, attackers were privy to guest information, which they used to craft convincing phishing messages. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/bookingcom-customers-targeted))

Similarly, the DarkHotel campaign, active since 2007, specifically targeted business hotel visitors through the hotel’s in-house Wi-Fi network. Attackers uploaded malicious code to hotel servers, targeting specific users who were guests at luxury hotels primarily in Asia and the United States. This campaign utilized advanced persistent threat (APT) tactics to compromise high-profile individuals. ([en.wikipedia.org](https://en.wikipedia.org/wiki/DarkHotel))

Preventive Measures and Recommendations

To mitigate the risks associated with such sophisticated phishing campaigns, hoteliers and vacation rental managers should consider implementing the following measures:

1. Employee Training and Awareness: Conduct regular training sessions to educate staff about the latest phishing tactics, including malvertising and social engineering techniques. Employees should be trained to recognize suspicious emails, links, and advertisements.

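2. Enhanced Security Protocols: Implement strong, unique passwords for all accounts and change them regularly. Enable multi-factor authentication (MFA) across all systems to add an extra layer of security. Because the phishing pages in this campaign also collected one-time passwords, prefer phishing-resistant authenticators such as FIDO2/WebAuthn security keys or passkeys, which are bound to the legitimate site's origin and cannot be relayed through a lookalike domain.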

3. Monitoring and Detection Systems: Utilize advanced monitoring tools to detect unusual network activity, such as unexpected outbound traffic to unfamiliar domains. Establish protocols for responding to potential security incidents promptly.

4. Secure Advertising Practices: Be cautious when clicking on sponsored ads, especially when searching for login portals or service providers. Verify the authenticity of the URL before entering any credentials.

5. Regular System Audits: Conduct periodic audits of property management systems and other critical platforms to identify and address potential vulnerabilities.

6. Incident Response Planning: Develop and maintain an incident response plan to address potential security breaches. This plan should include steps for containment, eradication, recovery, and communication with stakeholders.
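
One way to apply recommendations 3 and 4 to web-proxy logs, as an added example that is not part of the original article: flag requested hosts whose labels sit within a small edit distance of a protected brand name but fall outside that brand's allowlisted domain. The allowlisted domains `siteminder.com` and `roomraccoon.com`, the edit-distance threshold, and the log lines are assumptions constructed for illustration; the two lookalike domains are the ones named in the article.

```python
from urllib.parse import urlsplit

# Assumption: each vendor's real registrable domain; confirm with the vendor.
LEGIT = {"siteminder": {"siteminder.com"}, "roomraccoon": {"roomraccoon.com"}}
MAX_EDITS = 2  # assumed typo tolerance; suits brand names of 10+ characters

# Constructed web-proxy log lines: timestamp, workstation, requested URL.
SAMPLE_LOG = """\
2025-08-28T09:14:02Z frontdesk-03 https://www.siteminder.com/login
2025-08-28T09:15:40Z frontdesk-03 https://siteminder.live/login
2025-08-28T09:21:11Z revenue-01 https://rocmracooon.cfd/
2025-08-28T09:30:57Z revenue-01 https://www.booking.com/
"""

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, brand); verdict is 'ok', 'lookalike' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # naive: ignores suffixes such as co.uk
    for brand, domains in LEGIT.items():
        if registrable in domains:
            return ("ok", brand)
    # Compare every label and hyphen-separated token, except the TLD, to each brand.
    tokens = [t for label in labels[:-1] for t in label.split("-") if t]
    for brand in LEGIT:
        if any(edit_distance(t, brand) <= MAX_EDITS for t in tokens):
            return ("lookalike", brand)
    return ("unrelated", None)

def scan(log):
    """Return (workstation, url, impersonated brand) for each lookalike hit."""
    hits = []
    for line in log.splitlines():
        _ts, workstation, url = line.split()
        verdict, brand = classify(url)
        if verdict == "lookalike":
            hits.append((workstation, url, brand))
    return hits
```

Calling `scan(SAMPLE_LOG)` returns the two lookalike requests with the workstation that made them. The same `classify` check can run against DNS query logs or a browser extension's navigation events.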

By adopting these proactive measures, organizations in the hospitality industry can enhance their cybersecurity posture and reduce the likelihood of falling victim to sophisticated phishing campaigns.