Russian Hackers Target Travelers: Over 4,300 Fake Booking Sites in Payment Data Theft Scheme


Russian Hackers Deploy Over 4,300 Fake Travel Sites in Massive Payment Data Theft Scheme

A sophisticated Russian-speaking threat actor has created more than 4,300 fake travel booking websites since February 2025, targeting hotel guests with phishing emails designed to steal payment card information, according to cybersecurity researchers at Netcraft.

The campaign specifically targets customers of major hospitality brands including Booking.com, Expedia, Agoda, and Airbnb by sending urgent emails that prompt victims to "confirm" their reservations within 24 hours using credit card information. This attack represents a significant escalation in both scope and sophistication compared to previous hospitality-focused phishing campaigns.

How the attack works

The phishing operation employs an elaborate multi-stage approach that begins with deceptive emails urging recipients to take immediate action regarding supposed hotel reservations. When victims click the included links, they're redirected through a chain of websites before landing on convincingly designed fake pages.

"The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website," explained Andrew Brandt, a security researcher at Netcraft.

The attackers have registered thousands of domain names following specific patterns, incorporating terms like "confirmation," "booking," "guestcheck," "cardverify," and "reservation" to appear legitimate. Of the 4,344 domains linked to the campaign, 685 contain "Booking" in their names, while others reference popular travel platforms.
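
As an added illustration (not code from Netcraft or from the original article), the naming pattern described above can be turned into a triage check for hostnames seen in mail or web proxy logs. The keyword and brand lists come from the article; the one-domain-per-brand allowlist, the scoring threshold and the sample hostnames are assumptions constructed for this example.

```python
import re

# Terms the article lists as recurring in the campaign's domain names.
KEYWORDS = {"confirmation", "booking", "guestcheck", "cardverify", "reservation"}
# Brands named in the article, mapped to one official domain each.
# Assumption: a real allowlist would also carry the brands' regional domains.
OFFICIAL = {"booking": "booking.com", "expedia": "expedia.com",
            "agoda": "agoda.com", "airbnb": "airbnb.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no Public Suffix List,
    so multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(host: str) -> dict:
    """Score a hostname for brand and keyword lookalike patterns."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in OFFICIAL.values():
        return {"host": host, "verdict": "official", "score": 0, "hits": []}
    # Strip separators so 'card-verify' still matches 'cardverify'.
    squashed = re.sub(r"[^a-z0-9]", "", host)
    brands = sorted(b for b in OFFICIAL if b in squashed)
    words = sorted(k for k in KEYWORDS if k in squashed and k not in brands)
    # A brand name on a non-official domain weighs more than a generic keyword.
    score = 2 * len(brands) + len(words)
    verdict = "review" if score >= 2 else "ignore"
    return {"host": host, "verdict": verdict, "score": score, "hits": brands + words}


# Constructed sample hostnames (reserved .example/.test TLDs), not campaign IoCs.
SAMPLES = [
    "www.booking.com",
    "booking-confirmation-4821.example",
    "guestcheck.cardverify-airbnb.test",
    "secure.booking.com.verify-stay.example",
    "reservation-desk.example",
    "weather.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(f"{r['verdict']:8} {r['score']}  {s}  {r['hits']}")
```

A "review" verdict is a prompt for an analyst to look at the hostname, not proof of phishing; legitimate third-party travel sites can match the same terms.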

These malicious websites are remarkably sophisticated, supporting 43 different languages to target victims globally. The pages also implement technical safeguards to prevent detection, including:

  • Blank pages shown to visitors without specific tracking parameters
  • Fake CAPTCHA checks mimicking Cloudflare security features
  • Cookie-based tracking to maintain consistent branding throughout the phishing journey
  • Custom URL parameters that can target different hotels on the same booking platform

Once victims enter their payment details, the page attempts to process a transaction in the background while displaying a fake "support chat" window requesting additional verification through a supposed "3D Secure" process.

Technical sophistication indicators

What makes this campaign particularly concerning is the level of technical implementation. The attackers have implemented several advanced features that enhance the credibility of their fake sites:

  • Dynamic content generation based on URL parameters
  • Sophisticated session management using cookies
  • Multi-language support for global targeting
  • Automated redirect chains to evade security monitoring
  • Convincing visual replicas of legitimate booking platforms

These technical elements demonstrate a significant investment in infrastructure, suggesting this is a well-funded operation with substantial resources behind it.

Broader targeting of the hospitality industry

This campaign appears to be part of a larger trend targeting the hospitality sector. French cybersecurity firm Sekoia recently identified a related operation that specifically targets hotel managers with "ClickFix-style" pages to steal credentials before approaching hotel customers.

When contacted by The Hacker News, Netcraft confirmed "significant overlap" between these campaigns, suggesting they may be conducted by the same threat actor or group.

The phishing sites are technically sophisticated, leading researchers to believe this may be a "phishing-as-a-service" (PhaaS) operation, where criminal developers create and sell phishing infrastructure to less technical attackers.

"After the initial visit, the AD_CODE value is written to a cookie, which ensures that subsequent pages present the same impersonated branding appearance to the site visitor as they click through pages," Netcraft explained in their report.

Organizations in the hospitality industry need to implement comprehensive business data protection strategies to defend against these sophisticated threats that target both their systems and their customers.

Rise in sophisticated phishing campaigns

This hospitality-focused campaign is part of a broader surge in advanced phishing operations observed in recent weeks. Similar large-scale attacks have impersonated major brands including Microsoft, Adobe, WeTransfer, FedEx, and DHL to steal credentials through HTML email attachments.

According to cybersecurity firm Cyble, these HTML-based phishing campaigns have primarily targeted organizations across Central and Eastern Europe, particularly in the Czech Republic, Slovakia, Hungary, and Germany.

"The attackers distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations," Cyble researchers noted. "This regional focus is evident through targeted recipient domains belonging to local enterprises, distributors, government-linked entities, and hospitality firms that routinely process RFQs and supplier communications."

In another significant case, Group-IB researchers identified a campaign targeting customers of Aruba S.p.A, one of Italy's largest web hosting providers. That operation used "a fully automated, multi-stage platform designed for efficiency and stealth," according to researchers Ivan Salipur and Federico Marazzi.

The evolution of phishing tactics

Modern phishing campaigns have evolved significantly from earlier, more obvious attempts. Today's attacks feature:

  • Sophisticated brand impersonation with pixel-perfect recreations of legitimate websites
  • Psychological manipulation tactics creating urgency and fear
  • Technical countermeasures designed to evade security tools
  • Multi-stage attack sequences that gradually extract information
  • Localization features that customize attacks based on geography

This evolution mirrors broader trends in e-commerce cybersecurity threats affecting businesses across various sectors, with attackers constantly refining their techniques to bypass security measures.

How to protect yourself from travel booking scams

These increasingly sophisticated phishing campaigns highlight the importance of vigilance when handling travel reservations online. To protect yourself:

  1. Always verify booking communications through official channels by logging directly into your accounts or calling hotels directly using numbers from their official websites.

  2. Be skeptical of urgent requests demanding payment information, especially those giving short deadlines.

  3. Check website URLs carefully before entering payment information, looking for misspellings or unusual domains.

  4. Use credit cards rather than debit cards for online bookings, as they typically offer better fraud protection.

  5. Enable multi-factor authentication on legitimate travel booking accounts where available.

  6. Consider using dedicated virtual cards for online travel bookings that limit exposure of your primary payment methods.

  7. Monitor your credit card statements regularly for unauthorized charges, particularly after making travel reservations.

The rise of these automated phishing kits demonstrates how cybercrime has evolved from requiring technical expertise to becoming accessible through pre-built frameworks. "What once required technical expertise can now be executed at scale through pre-built, automated frameworks," researchers noted.

For businesses in the travel and hospitality sector, this campaign serves as a reminder to implement stronger email security protocols and to regularly educate both staff and customers about the latest phishing tactics targeting their industry. Companies should also strengthen their data privacy practices for e-commerce transactions to minimize the impact of potential breaches.

According to the Federal Trade Commission's Consumer Advice, consumers should report suspected phishing attempts to both the FTC and the Anti-Phishing Working Group to help authorities track and combat these threats more effectively.
