

Ethical Hacking News

Russian Hackers' Sophisticated Phishing Campaign Targets Hospitality Industry with 4,300 Fake Travel Sites


A recent phishing campaign launched by a group of Russian-speaking hackers has targeted hotel guests across Central and Eastern Europe. The campaign, which has already yielded over 4,300 fake travel sites, is designed to capitalize on the hospitality industry's vulnerabilities and exploit the trust placed in online booking platforms.

  • Over 4,300 fake travel sites have been launched as part of a phishing campaign targeting hotel guests.
  • A sophisticated phishing kit has been used to target customers of various hotel chains, customizing its approach based on a unique string in the URL path.
  • The fake sites mimic legitimate booking platforms and use social engineering tactics to create trust with victims.
  • Phishing kits have also been used in targeted campaigns against Aruba S.p.A. and other organizations in Central and Eastern Europe.
  • The use of phishing kits has become increasingly common, with PhaaS offerings allowing threat actors to launch large-scale attacks with little technical expertise.



    In a disturbing development that highlights the ever-evolving threat landscape of cybercrime, a group of Russian-speaking hackers has launched an elaborate phishing campaign aimed at siphoning sensitive data from hotel guests. The campaign, which has already yielded over 4,300 fake travel sites, is an attempt to capitalize on the hospitality industry's vulnerabilities and exploit the trust placed in online booking platforms.

    According to Netcraft security researcher Andrew Brandt, the campaign began in earnest around February 2025 and has since been designed to target customers of various hotel chains. The hackers have employed a sophisticated phishing kit that customizes its approach based on a unique string in the URL path when the victim first visits the website. This personalized touch is intended to increase the credibility of the fake site, making it more likely for unsuspecting victims to click on the link and enter their sensitive information.

    The fake travel sites, which have been registered with various domain extensions such as .com, .co, and .net, are designed to mimic the branding and logos of legitimate booking platforms like Airbnb, Booking.com, and Expedia. This attempt to create a sense of familiarity and trustworthiness is a classic tactic used by phishing scammers to gain the confidence of their victims.

    Once a victim clicks on the link and enters their login credentials or payment information, they are redirected to a fake site that appears to be an authentication page for the booking platform. However, unbeknownst to the victim, this page actually contains malware designed to capture sensitive data such as credit card numbers, expiration dates, and security verification codes.

    The phishing campaign has targeted various organizations across Central and Eastern Europe, particularly in countries like the Czech Republic, Slovakia, Hungary, and Germany. The hackers have used social engineering tactics to create emails that appear to be legitimate requests for quotations or invoice confirmations from businesses operating in these regions.

    In addition to the fake travel sites, phishing kits have also been utilized in a targeted campaign aimed at customers of Aruba S.p.A., one of Italy's largest web hosting and IT service providers. Group-IB researchers Ivan Salipur and Federico Marazzi described the phishing kit as "fully automated, multi-stage platform designed for efficiency and stealth." The kit employs CAPTCHA filtering to evade security scans, pre-fills victim data to increase credibility, and uses Telegram bots to exfiltrate stolen credentials and payment information.

    The use of phishing kits in industrial-scale credential theft operations has become increasingly common in recent years. Phishing-as-a-service (PhaaS) offerings have emerged as a convenient and cost-effective way for threat actors with little to no technical expertise to launch large-scale attacks on unsuspecting victims.

    "This automation observed in this particular kit exemplifies how phishing has become systematized – faster to deploy, harder to detect, and easier to replicate," said Salipur. "What once required technical expertise can now be executed at scale through pre-built, automated frameworks."

    Indicators of compromise (IOCs) associated with the Russian-speaking hackers behind the phishing campaign include domain names such as "guestverifiy5313-booking[.]com" and "verifyguets71561-booking[.]com," which match the domain patterns registered by the threat actors.
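
    An added example (not from Netcraft or the original article) of how a defender could flag domains of this shape in DNS or proxy logs. It assumes the pattern is misspelled "guest"/"verify" words, a digit run and a "-booking" suffix, generalized from the two domains quoted above; the function names and the sample list are constructed.

```python
import re

KEYWORDS = ("guest", "verify")      # correct spellings of the words in the quoted IOCs
BRAND_SUFFIXES = {"booking"}        # assumption: label ends in "-<brand>"
LABEL_RE = re.compile(r"^([a-z]+)(\d{3,})-([a-z]+)$")  # words + digit run + "-brand"

def refang(indicator: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a plain hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to tolerate misspellings such as 'verifiy'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fuzzy_keywords(text: str) -> set:
    """Keywords present in text exactly or as a substring within one edit."""
    found = set()
    for kw in KEYWORDS:
        for size in (len(kw) - 1, len(kw), len(kw) + 1):
            for start in range(len(text) - size + 1):
                if edit_distance(text[start:start + size], kw) <= 1:
                    found.add(kw)
    return found

def matches_campaign_pattern(indicator: str) -> bool:
    """True for <guest/verify words><digits>-<brand>.<tld> lookalike domains."""
    labels = refang(indicator).split(".")
    if len(labels) != 2:            # registered domain only; subdomains are out of scope
        return False
    m = LABEL_RE.match(labels[0])
    if not m or m.group(3) not in BRAND_SUFFIXES:
        return False
    return fuzzy_keywords(m.group(1)) == set(KEYWORDS)

# Constructed sample: the two domains quoted in the article plus benign-looking names.
SAMPLE = ["guestverifiy5313-booking[.]com", "verifyguets71561-booking[.]com",
          "booking.com", "hotel12345-booking.com", "guest2024-booking.net"]

def triage(domains):
    """Return the subset of observed domains that fit the campaign's naming shape."""
    return [d for d in domains if matches_campaign_pattern(d)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

    Requiring both keywords plus the digit run keeps the legitimate brand domain and ordinary hotel names out of the result; widening `BRAND_SUFFIXES` to other impersonated platforms is a tuning decision for the analyst.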

    The phishing campaign has been linked to other malicious activities, including attacks on organizations in which the attackers impersonate multiple brands such as Microsoft, Adobe, WeTransfer, FedEx, and DHL. These campaigns have used HTML attachments that display a fake login page while JavaScript code captures credentials entered by the victim and sends them directly to attacker-controlled Telegram bots.

    As the threat landscape continues to evolve, it is essential for businesses and individuals to remain vigilant and take proactive measures to protect themselves against phishing attacks. This includes regularly monitoring email inboxes for suspicious activity, using strong passwords and two-factor authentication, and staying informed about emerging threats through reputable sources such as The Hacker News.

    In conclusion, the Russian hackers' sophisticated phishing campaign highlights the ongoing threat of cybercrime in the hospitality industry. As threat actors continue to evolve their tactics and employ new technologies to launch large-scale attacks, it is crucial for businesses and individuals to stay informed and take proactive measures to protect themselves against these threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-Hackers-Sophisticated-Phishing-Campaign-Targets-Hospitality-Industry-with-4300-Fake-Travel-Sites-ehn.shtml

  • https://thehackernews.com/2025/11/russian-hackers-create-4300-fake-travel.html


  • Published: Thu Nov 13 14:41:04 2025 by llama3.2 3B Q4_K_M












