Massive Phishing Campaign Targets Travelers with 4,300 Fake Domains for Card Data Theft

A sophisticated phishing campaign has emerged, targeting travelers worldwide by impersonating reputable travel brands through more than 4,300 fraudulent domains. This operation aims to steal payment card information from individuals planning vacations or checking into hotels.

Tactics and Techniques

The attackers send deceptive booking confirmation emails that appear to originate from trusted travel companies. These emails prompt recipients to confirm their reservations within 24 hours to avoid cancellation, creating a sense of urgency that compels immediate action without thorough scrutiny.

Upon clicking the provided links, victims are redirected through a series of websites before landing on a phishing page designed to mimic legitimate hotel reservation platforms. These pages are meticulously crafted, incorporating familiar logos and professional layouts to enhance their credibility.

Scope and Scale

The campaign has been active since February 2025, with the threat actor registering new domains almost daily. A significant spike occurred on March 20, 2025, when 511 domains were registered in a single day. The domains often include terms like confirmation, booking, guestverify, cardverify, or reservation, combined with random numbers to create a semblance of legitimacy.

The attackers primarily utilize four domain registrars: WebNIC, Public Domain Registry, Atak Domain Bilgi Teknolojileri A.S., and MAT BAO Corporation. Notably, several hundred domains reference specific luxury and boutique hotels worldwide, making the scam appear more targeted and convincing.

Redirection Chain and Infection Mechanism

The phishing attack employs a complex redirection system to evade detection. When victims click the Confirm Booking button in the fake email, they are first directed to an old, unused website domain originally registered in 2016 for a movie promotion. This site then redirects to a page on Blogspot, Google’s free blogging platform, which finally leads to the actual phishing page.

This multi-step redirection chain serves several purposes:

– Evasion of Detection: By using multiple redirects, the attackers make it more challenging for security systems to flag the malicious links.

– Legitimacy: Incorporating legitimate platforms like Blogspot adds a layer of trust, as the intermediate URL appears on a well-known service.

– Obfuscation: The chain complicates efforts by security researchers to trace and dismantle the operation.
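The naming pattern reported under Scope and Scale (lure keywords combined with random numbers) and the redirect chain described here can both be checked offline once a defender has captured the hops, for example from a mail-gateway URL-rewrite log or a sandbox detonation. The following script is an added example, not code from the article, from Netcraft, or from the phishing kit; the brand domain, the URLs in the chain and the free-hosting list are constructed assumptions, and the public-suffix handling is deliberately simplified.

```python
# Added example (not from the article, from Netcraft, or from the phishing kit):
# offline triage of a captured redirect chain, applying the naming pattern and the
# chain characteristics the article describes. All URLs, hostnames and the brand
# domain are constructed sample values.
import re
from urllib.parse import urlparse

# Terms the article reports in the fraudulent domain names.
LURE_KEYWORDS = ("confirmation", "booking", "guestverify", "cardverify", "reservation")

# Free blogging/hosting platforms seen as intermediate hops (the article names
# Blogspot; a defender would extend this tuple from their own telemetry).
FREE_HOSTING_SUFFIXES = ("blogspot.com",)

# Constructed sample data: the brand a confirmation email claims to come from,
# a chain shaped like the one described (old domain -> Blogspot -> lure site),
# and a chain that stays on the brand's own site.
BRAND_DOMAIN = "example-hotel-brand.test"
CAPTURED_CHAIN = [
    "https://old-movie-promo-2016.test/go?id=8842",
    "https://travel-notice-example.blogspot.com/p/confirm.html",
    "https://booking-confirmation-48213.test/verify",
]
LEGIT_CHAIN = ["https://www.example-hotel-brand.test/reservations/12345"]


def registrable_label(host: str) -> str:
    """Return the label left of the TLD, e.g. 'booking-confirmation-48213'.

    Simplification: treats only the last label as the public suffix, so it is
    wrong for suffixes like co.uk; production code should use a PSL library.
    """
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lure_score(host: str) -> int:
    """Score a hostname: +1 per lure keyword, +1 for a run of three or more digits.

    A score of 2 or more is treated as a match; a single keyword on its own
    (e.g. a legitimate booking site) is not enough.
    """
    label = registrable_label(host)
    score = sum(1 for kw in LURE_KEYWORDS if kw in label)
    if re.search(r"\d{3,}", label):
        score += 1
    return score


def triage_chain(chain: list, brand_domain: str) -> dict:
    """Flag indicators in an observed redirect chain (list of URLs in hop order)."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    findings = []
    if not hosts:
        return {"hosts": hosts, "findings": findings, "suspicious": False}
    if len(hosts) >= 3:
        findings.append(f"long chain: {len(hosts)} hops")
    for host in hosts[:-1]:
        if host.endswith(FREE_HOSTING_SUFFIXES):
            findings.append(f"free-hosting intermediate hop: {host}")
    final = hosts[-1]
    if final != brand_domain and not final.endswith("." + brand_domain):
        findings.append(f"final host {final} is not under {brand_domain}")
    score = lure_score(final)
    if score >= 2:
        findings.append(f"final host matches lure naming pattern (score {score})")
    return {"hosts": hosts, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, chain in (("captured", CAPTURED_CHAIN), ("legit", LEGIT_CHAIN)):
        result = triage_chain(chain, BRAND_DOMAIN)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The score threshold matters: a legitimate booking site name contains one lure keyword and no digit run, so it scores 1 and is left alone, while the kit's keyword-plus-number style scores 2 or higher. Hop count and the free-hosting check are independent signals, so a chain that ends on a brand's own domain but passes through a blogging platform is still surfaced for review.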

Phishing Page Details

Once victims reach the phishing page, they encounter what appears to be a legitimate hotel booking confirmation form. The page displays a fake Cloudflare CAPTCHA that doesn’t function but uses Cloudflare branding to build false confidence.

After passing this fake security check, victims are prompted to enter their payment card details, including the cardholder name, card number, CVV code, and expiration date. The page performs Luhn validation to check if the card number format is correct before attempting to process a fraudulent transaction in the background.
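The Luhn check mentioned above is the same checksum every legitimate payment form uses, so analysts reading kit source will recognise it at once. The implementation below is an added example, not code from the article or from the phishing kit; the sample inputs are constructed (the first is a widely published test number, the second is the same number with its last digit changed).

```python
# Added example (not from the article or from the phishing kit): a reference
# implementation of the Luhn check the article says the kit runs on entered card
# numbers. It is a pure checksum over the digits; passing it says nothing about
# whether a card was ever issued or is active.
def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 for a string of digits; 0 means the check digit is consistent."""
    total = 0
    # Walk from the rightmost digit; every second digit (from the right) is doubled,
    # and doubled values above 9 have 9 subtracted (same as summing their digits).
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True when the value looks like a card number whose check digit is consistent.

    Spaces and hyphens are accepted as separators; the 12-19 digit length range
    covers the card schemes in common use.
    """
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or not 12 <= len(cleaned) <= 19:
        return False
    return luhn_checksum(cleaned) == 0


if __name__ == "__main__":
    # Constructed inputs: a published test number, the same number with the last
    # digit altered, and a non-numeric string.
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1112", "not-a-card"):
        print(sample, "->", "passes Luhn" if luhn_valid(sample) else "rejected")
```

Because the check is purely syntactic it offers the victim no protection at all; it only spares the operator failed background transactions on mistyped numbers. For awareness material the useful point is that a form rejecting a typo in your card number is not evidence that a real payment processor sits behind it.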

Attribution and Language Indicators

Netcraft security researchers identified that the threat actor behind this campaign is Russian-speaking, based on extensive Russian language comments found throughout the phishing kit’s source code.

Implications and Recommendations

This large-scale phishing campaign underscores the evolving tactics of cybercriminals who exploit the trust associated with reputable travel brands to deceive unsuspecting travelers.

Recommendations for Travelers:

– Verify Communications: Always confirm the authenticity of booking confirmation emails by contacting the travel company directly through official channels.

– Inspect URLs: Before clicking on any links, hover over them to check for inconsistencies or unfamiliar domain names.

– Enable Two-Factor Authentication (2FA): Utilize 2FA for online accounts to add an extra layer of security.

– Monitor Financial Statements: Regularly review bank and credit card statements for unauthorized transactions.

Recommendations for Travel Companies:

– Educate Customers: Inform clients about potential phishing threats and advise them on how to recognize legitimate communications.

– Implement Email Authentication Protocols: Use protocols like SPF, DKIM, and DMARC to prevent email spoofing.

– Monitor Brand Usage: Regularly search for unauthorized use of your brand in domain registrations and online content.

– Report Malicious Domains: Work with domain registrars and hosting providers to take down fraudulent sites impersonating your brand.
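The email authentication recommendation above is only as good as the records actually published: an SPF record ending in `+all` or a DMARC policy of `p=none` lets a spoofed confirmation email through unchanged. The script below is an added example, not code from the article or from any vendor; it reviews SPF and DMARC TXT record strings offline, with weak and corrected records constructed for a hypothetical brand domain. DKIM is not covered because verifying it needs a signed message, not just DNS.

```python
# Added example (not from the article): an offline review of the SPF and DMARC TXT
# records a travel brand publishes, flagging settings that leave the domain
# spoofable. The records and domain names below are constructed sample values for a
# hypothetical brand.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups is a permerror

# Constructed sample records: a weak pair and the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test +all"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.test -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example-hotel-brand.test")


def spf_mechanism(term: str) -> str:
    """Mechanism name of an SPF term, without qualifier or argument ('ip4:1.2.3.4' -> 'ip4')."""
    name = term.lstrip("+-~?")
    for separator in (":", "/", "="):
        name = name.split(separator, 1)[0]
    return name.lower()


def spf_findings(record: str) -> list:
    """Return human-readable weaknesses in an SPF record (empty list = nothing found)."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms = record.split()[1:]
    findings = []
    all_terms = [t for t in terms if spf_mechanism(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all': every sender passes SPF, the record authorises nothing")
        elif qualifier == "?":
            findings.append("'?all': neutral result, unlisted senders are not rejected")
    lookups = sum(1 for t in terms if spf_mechanism(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of {SPF_LOOKUP_LIMIT}")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    if not record.startswith("v=DMARC1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return human-readable weaknesses in a DMARC record (empty list = nothing found)."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p tag: record is invalid and ignored by receivers")
        policy = "none"
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    if tags.get("sp", policy) == "none":
        findings.append("subdomain policy is none: lookalike subdomains can be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so spoofing goes unseen")
    return findings


if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(name, "SPF:", spf_findings(spf) or "ok")
        print(name, "DMARC:", dmarc_findings(dmarc) or "ok")
```

To run this against live records, fetch the TXT records for the brand domain and for `_dmarc.<domain>` with a resolver library such as dnspython and pass the strings in. The script deliberately does not flag `~all` or `p=quarantine`: both are common staging steps on the way to `-all` and `p=reject`, and the reporting address in `rua` is what tells a brand-protection team which of the 4,300-odd lookalike domains are actually being used to send mail in its name.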

Conclusion

The emergence of this extensive phishing campaign highlights the need for heightened vigilance among travelers and proactive measures by travel companies to protect against such sophisticated cyber threats.