Multi-Stage Phishing via Reservation Portals

A recent phishing campaign exploited Booking.com’s official messaging system to send fraudulent messages and steal credit card details using cleverly disguised domains and multi-stage redirects. The investigation uncovered extensive infrastructure, including redirector and phishing content domains, alongside associated malware files and threat actor Telegram accounts. #BookingPhishing #BookingConfirmationID #TelegramOperators

Keypoints

  • The campaign used Booking.com’s official message chat and email systems to send phishing messages claiming reservations were at risk, prompting victims to enter payment details on fake websites.
  • Threat actors set up Tier 1 redirector domains mimicking hotel names and Tier 2 domains with names similar to Booking.com to host phishing content.
  • Analysis of domain patterns, HTML titles, and meta tags enabled discovery of over 1,500 malicious URLs and 100+ related domains involved in the campaign.
  • Phishing activity showed significant spikes from January 2025, with peak operations in May and June 2025.
  • About 52.6% of the URLs redirected users to other URLs, indicating a multi-stage phishing infrastructure.
  • The campaign is linked to a RAR archive containing HTML and XLS files with stolen booking and payment information, as well as logs referencing 118 unique Telegram operator accounts involved in the phishing operation.
  • Custom YARA rules were developed to detect Tier 1 and Tier 2 infrastructure components to aid in ongoing threat monitoring.
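The two-tier layout and the pattern-based hunting described in the keypoints above, as an added worked example (this is not code from the Google Cloud Community post or from GTI). It models Tier 1 hotel-named hosts that only redirect, Tier 2 booking-lookalike hosts that serve the page, and the share-of-URLs-that-redirect statistic. The hostname regex is derived from the Tier 2 domains listed in the IoCs; limiting it to the .com/.world/.date TLDs is an assumption, as is the in-memory response map that stands in for live fetches.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hostname shape shared by the Tier 2 domains on the page (booking.confirmation-idNNNN.com,
# booking.idNNNN.world, booking-acceptance.idNNNN.date, booking-confirmation.idNNNN.date).
# Assumption: only the three TLDs seen on the page; widen the set for real hunting.
TIER2_HOST = re.compile(
    r"^booking(?:[.-](?:confirmation|acceptance))?[.-]id\d+\.(?:com|world|date)$",
    re.IGNORECASE,
)
REDIRECT_CODES = {301, 302, 303, 307, 308}
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)

# Constructed stand-in for HTTP fetches (url -> (status, Location header, body)) so the
# example runs offline. The Tier 1 -> Tier 2 redirect chain is assembled from URLs on the
# page; the "reservation-check.example" lure host is invented for the title-based branch.
SAMPLE_RESPONSES = {
    "http://hostelmandarinkauxeh.eto-la.com/":
        (302, "https://booking.confirmation-id77351.com/reservation/", ""),
    "https://booking.confirmation-id77351.com/reservation/":
        (200, None, "<html><head><title>Booking.com</title></head></html>"),
    "https://booking-acceptance.id7025952.date/p/469721259":
        (200, None, "<html><head><title>Booking.com | Reservation</title></head></html>"),
    "https://reservation-check.example/":
        (200, None, "<html><head><title>Booking.com - Verify your card</title></head></html>"),
    "https://www.booking.com/":
        (200, None, "<html><head><title>Booking.com</title></head></html>"),
}


def refang(indicator: str) -> str:
    """Turn a report-style indicator (hxxps, [.]) back into a form a resolver accepts."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."), flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Inverse of refang, for writing indicators back into a report without live links."""
    return re.sub(r"^http", "hxxp", indicator.replace(".", "[.]"), flags=re.IGNORECASE)


def is_tier2_host(host: str) -> bool:
    """True when the hostname follows the campaign's booking-lookalike naming scheme."""
    return bool(TIER2_HOST.match(host))


def is_official_booking(host: str) -> bool:
    """True only for booking.com itself or one of its subdomains."""
    return host == "booking.com" or host.endswith(".booking.com")


def fetch(url):
    """Stand-in for an HTTP GET; unseen URLs look like a dead host."""
    return SAMPLE_RESPONSES.get(url, (None, None, ""))


def follow_redirects(url, fetch=fetch, max_hops=5):
    """Walk Location headers from url, returning the full chain; bounded and loop-safe."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location, _body = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)
        if nxt in seen:  # redirect loop: stop rather than spin
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def extract_title(body: str) -> str:
    m = TITLE_RE.search(body or "")
    return m.group(1).strip() if m else ""


def classify(url, fetch=fetch) -> str:
    """Label a URL by where its redirect chain ends and what that page claims to be."""
    chain = follow_redirects(url, fetch)
    final = chain[-1]
    host = urlsplit(final).hostname or ""
    _status, _loc, body = fetch(final)
    if is_tier2_host(host):
        # A hop into a Tier 2 host means the starting URL was a Tier 1 redirector.
        return "tier1_redirector" if len(chain) > 1 else "tier2_phishing"
    if is_official_booking(host):
        return "official"
    if "booking.com" in extract_title(body).lower():
        return "brand_lure"  # Booking-branded title on a non-Booking host
    return "unclassified"


def redirect_share(urls, fetch=fetch) -> float:
    """Fraction of URLs whose chain has at least one redirect (the page reports 52.6%)."""
    return sum(1 for u in urls if len(follow_redirects(u, fetch)) > 1) / len(urls)


if __name__ == "__main__":
    for u in SAMPLE_RESPONSES:
        print(f"{classify(u):17} {defang(u)}")
    print(f"redirecting share: {redirect_share(list(SAMPLE_RESPONSES)):.1%}")
```

Swap `fetch` for a real HTTP client with redirects disabled to run the same chain walk against live candidates, and keep the refang/defang pair at the boundary so indicators copied from reports never become clickable links in your own output.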

MITRE Techniques

  • [T1566] Phishing – The actors phished victims by sending messages through Booking.com’s official chat and email system to trick users into entering credit card information (‘…the threat actors sent messages directly to victims through Booking’s official website…’).
  • [T1583.001] Acquire Infrastructure: Domains – The attackers registered domains similar to legitimate Booking domains to host phishing content and to redirect victims to it; registering look-alike domains is acquisition, not compromise, of infrastructure (‘…actors registered Tier 1 domains that simply act as redirectors to the Tier 2 domains…’).
  • [T1566.003] Phishing: Spearphishing via Service (implied) – Delivering messages inside existing Booking reservation chat threads implies access to reservation records, but the source gives no access method, so no further technique can be assigned (‘…threat actors were somehow able to access this information through a method that is currently unknown.’).

Indicators of Compromise

  • [Domain] Malicious redirector and phishing domains – booking.confirmation-id9918[.]com, booking.id5225211246[.]world, booking.confirmation-id542[.]com, and more than 100 others.
  • [URL] Phishing URLs used in the campaign – hxxps://booking.confirmation-id77351[.]com/reservation/, hxxp://hostelmandarinkauxeh.eto-la[.]com/, hxxps://booking-acceptance.id7025952[.]date/p/469721259.
  • [File] RAR archive with embedded phishing URLs and XLS files – found on GTI with embedded URL hxxps://booking-confirmation.id6151961[.]date/p/360580105.
  • [Telegram Accounts] Threat actor operators – @dept_sales, @onlycashvvs, razikgikk, chiefkeef095, HollyHellsing, RevolutLimited, and a total of 118 unique accounts identified.


Read more: https://www.googlecloudcommunity.com/gc/Community-Blog/Actionable-threat-hunting-with-GTI-II-Analyzing-a-massive/ba-p/923129?linkId=15662116