Curated Intel Threat Report: Multi Platforms Credit Card Information Harvesting Campaign

Researchers from Curated Intelligence detail a multi-platform credit-card-information harvesting phishing campaign that uses hotel and Booking brand impersonation, chat-based delivery, and fake Booking checkout flows to harvest payment data. Shared TTPs and IoCs, including MFA bypass and domain fronting through Cloudflare and DDOS-Guard, link the operation to a broader campaign spanning several years. #InfoStealer #DomainFronting #Cloudflare #DDOSGuard #Booking #InPost #DHL #SwissPost #OLX #BlaBlaCar #Carousell #Privat24

Keypoints

  • The phishing approach uses urgent language and personalized booking details to lure victims into online forms.
  • The fake Booking flow replicates the legitimate site and collects hotel and payment information across multiple pages (Your Selection, Your Details, Processing).
  • Domain Fronting is used to evade detection by routing through Cloudflare and DDOS-Guard, with URL shortening to avoid filters.
  • InfoStealer malware is linked to harvesting Booking credentials and other customer data, contributing to widespread credit-card data exposure.
  • The campaign impersonates a wide range of brands (e.g., InPost, DHL, SwissPost, OLX, BlaBlaCar, Carousell) over the last two years, with thousands of URLs observed in urlscan.io.
  • The threat actors developed specialized functions to handle MFA bypass, input verification, and multiple transaction scenarios to maximize success.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – The campaign uses phishing URLs and online forms; “THE PROCEDURE IS MANDATORY” and “it will remain active for 12 hours until your booking is confirmed” are used to pressure victims.
  • [T1566.002] Phishing: Spearphishing via Service – The message originated from the official hotel merchant account, enhancing credibility.
  • [T1036] Masquerading – The fake Booking website resembles the legitimate site to fool victims into entering data.
  • [T1071] Web Protocols – Domain Fronting through Cloudflare and DDOS-Guard to evade detection; “Domain Fronting, such as through Cloudflare and DDOS-Guard services.”
  • [T1071] Web Protocols – Use of URL shortening to bypass detection filters on URLs.
  • [T1056.004] Input Capture – Credit card submission and verification functions, including “custom regex patterns to validate various recognized credit card formats.”
  • [T1555.003] Credentials from Web Browsers – InfoStealer malware harvests Booking account credentials and related customer data; “harvesting official Booking account credentials” and related details.

Indicators of Compromise

  • [Domain] – confirmation-booking[.]id59212[.]top, posta-ch[.]order-id87397[.]cloud, BlaBlaCar[.]pay-id332[.]ru, FoxPost reservation08009[.]cloud – examples of impersonated domains used in the campaigns.
  • [TLS Certificate Issuer] – R3, GTS CA-1P5 – common certificate issuers observed in the phishing infrastructure.
  • [Alias/Comment] – pluxurydarklord – a code comment alias found in the script indicating authorship or function attribution.
  • [Brand Impersonations] – Booking, InPost, DHL, SwissPost, OLX, Wallapop, Carousell, BlaBlaCar, FoxPost, NZPost – indicative of the wide set of targets and impersonations across campaigns.
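The domain indicators above share a recognisable shape: a brand name pushed into a subdomain, with the registrable domain being a throwaway label such as id59212, order-id87397 or pay-id332. The following triage heuristic turns that shape into a defender-side check for candidate lookalike domains pulled from DNS logs or urlscan.io exports. It is an added example, not code from the Curated Intelligence report; the two-label registrable-domain assumption and the sample domains marked as constructed are mine.

```python
import re

# Brands the report lists as impersonated.
BRANDS = ("booking", "inpost", "dhl", "swisspost", "posta-ch", "olx", "wallapop",
          "carousell", "blablacar", "foxpost", "nzpost", "privat24")

# Registrable-label shape seen in the reported IoCs: optional word prefix,
# then "id" or "reservation", then a run of digits (id59212, order-id87397).
ID_LABEL = re.compile(r"^(?:[a-z]+-)?(?:id|reservation)\d{3,}$")


def refang(domain: str) -> str:
    """Normalise a defanged indicator such as 'posta-ch[.]order-id87397[.]cloud'."""
    return domain.strip().lower().replace("[.]", ".")


def classify(domain: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one hostname.

    Assumption: the registrable domain is the last two labels. A production
    check should use the public suffix list instead of this simplification.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return "benign", []
    registrable_label = labels[-2]
    reasons = []
    # Signal 1: a brand keyword appears in a label other than the registrable one.
    decoy = [lbl for lbl in labels[:-1] if any(b in lbl for b in BRANDS)]
    if decoy and not any(b in registrable_label for b in BRANDS):
        reasons.append(f"brand label '{decoy[0]}' outside registrable domain")
    # Signal 2: the registrable label looks like a generated booking/order id.
    if ID_LABEL.match(registrable_label):
        reasons.append(f"generated id label '{registrable_label}'")
    if len(reasons) == 2:
        return "likely-impersonation", reasons
    return ("review", reasons) if reasons else ("benign", reasons)


def triage(domains: list[str]) -> dict[str, str]:
    """Map each input domain to its verdict; benign entries are dropped."""
    return {d: classify(d)[0] for d in domains if classify(d)[0] != "benign"}


if __name__ == "__main__":
    # Constructed sample batch: report IoCs mixed with legitimate hosts.
    sample = ["confirmation-booking[.]id59212[.]top", "secure.booking.com",
              "BlaBlaCar[.]pay-id332[.]ru", "dhl-parcel.example.net", "www.dhl.com"]
    for domain, verdict in triage(sample).items():
        print(f"{verdict:22} {domain}  {classify(domain)[1]}")
```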

Read more: https://www.curatedintel.org/2023/12/curated-intel-threat-report-multi.html