Thousands of Domains Target Hotel Guests in Massive Phishing Campaign
Threat actor builds sophisticated pages that impersonate a variety of travel brands.
A Russian-speaking threat actor operating an ongoing, mass phishing campaign targeting people who might be planning (or about to leave for) a vacation has registered more than 4,300 domain names used in the attacks since the beginning of the year.

Figure 1. The phishing pages share a common style, but are customized with different branding that mimics various legitimate, well-known travel brands based on a string value in the URI that the kit's creator calls an "AD_CODE."
The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com.
The campaign targets specific individuals (who may have travel reservations) with malspam that links through a service called Want Your Feedback.

Figure 2. The attack begins with an email message prompting the recipient to confirm a hotel reservation.
The malspam prompts the user to click a link to visit the hotel's website and confirm a booking using a credit card.

Figure 3. Text excerpt from the body of the malicious email message.
But rather than arriving at a legitimate hotel reservation website, the visitor's browser is redirected through a chain of sites before landing on the phishing page. In one example, the email link pointed to a URL (since taken down) on a disused domain that had been registered in 2016 to promote a feature film. That site redirected the visitor to a page on the free blogging platform Blogspot, which in turn redirected to the phishing page.

Figure 4. The redirection chain leads to a disused website, to a page on Blogspot, and eventually to the phishing page.
Most of the domains registered for use in this campaign follow consistent naming conventions, with phrases like "confirmation," "booking," "guestverify," "guestcheck," "cardverify," or "reservation" appearing within the domain name. Several hundred of the domains registered as part of this campaign contain the names of specific luxury, boutique hotels from around the world.

Figure 5. The threat actor behind this campaign typically registers from 10 to 65 domain names per week to use in the campaign, but registered at least 511 domains on March 20, 2025.
The pages are further customized with translations of the phishing lure into one of 43 different languages, and a bogus "online help chat" that pops open when the visitor initially loads the page.

Figure 6. Translations of the phishing page are available in 43 different languages.
The faked booking pages tell the visitor that a deposit is required for their hotel reservation and request payment card information. Data submitted through the payment form is first checked for well-formedness (the card number against the Luhn checksum, and the expiration date and CVV for a valid format); the page then attempts to process a transaction in the background.

Figure 7. A variation on the same page, with the Korean translation shown. Some of the text that appears when the "chat" window opens always displays in English.
Anyone who visits one of the phishing websites for the first time without the unique identifier (referred to as an "AD_CODE" in the source of the pages) is not shown the lure at all, but instead a near-empty error page (described below).

Figure 8. Cookie data stores both the "AD_CODE" value and a "D_TYPE" value that indicates the brand that is being impersonated.
After the initial visit, the AD_CODE value is written to a cookie, which ensures that subsequent pages present the same impersonated branding appearance to the site visitor as they click through pages.
The pages are also gated by a bogus captcha that looks like one used by Cloudflare, but the captcha is not functional and merely uses Cloudflare branding to deceive the target.
Thousands of domains registered
The threat actor behind this campaign, which began in earnest in February, has registered new domains almost every day since, typically 10 to 65 per week. The one outlier is March 20, 2025, when at least 511 domains were registered in a single day.
The threat actor relies on a small number of domain registrars for most registrations: WebNIC, Public Domain Registry, Atak Domain Bilgi Teknolojileri A.S., and MAT BAO Corporation are the four used most often, though a handful of more specialized registrars also appear, as do less common gTLDs such as .world, .sale, and .help.
The domains follow a pattern that often incorporates the impersonated business's name along with keywords such as "cardverify" or "verifyguest," frequently followed by random digits.
Phishing attack examples
While the threat actor has registered thousands of domains for this attack, the phishing kit in use has remained mostly consistent, with gradual improvements over time.

Figure 9. A selection of the domains registered by the threat actor.
The wording of the fake "CAPTCHA" presented to the user differs from the default text of a real CAPTCHA challenge.

Figure 10. Some of the fake CAPTCHA text reads like it was written by someone lacking in English grammar skills.
A few moments after the site visitor fills the checkbox, the CAPTCHA box reports that the test was "successfully."

Figure 11. Text indicating the phishing page creator's misunderstanding of English adverbs, highlighted in red, appears when the phishing target checks the box.
The page then refreshes and displays a form that prompts the visitor to enter payment card information, including the cardholder's name, the card number, CVV, and expiration date.
One early version of the phishing page displays the name "Hotel Palazzo Argenta" overlaid on an image that reads "Verification In Progress" displayed in the wrong aspect ratio, as well as a "check in" and "check out" date, shown in two distinctly different date formats. The branding of the impersonated company appears at the top of the page and elsewhere.

Figure 12. An example of one early version of the phishing page.
Later versions of the pages have eliminated these visual glitches and bugs, and have taken on a more consistent appearance.

Figure 13. More recent versions of pages have eliminated the obvious glitches that made them easily identifiable as a scam.
When the site visitor enters payment card information, the page initially performs a check to ensure that the card number, expiration, and CVV are well formed. The page, which temporarily changes to resemble a "Verified by Visa" dialog box, then attempts to immediately process a charge against the target's card.
While the charge is attempted in the background, a "support chat" floating window appears on screen and populates itself with instructions for the visitor.

Figure 14. The default text that appears in the "chat box" prompts the target to enter payment card information as an "extra measure" to protect them from "fake bookings."
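The well-formedness checks described above (card number, expiration date, CVV) are illustrated by the following added example. It is written for this explanation, not taken from the phishing kit, and uses publicly known test card numbers as constructed input. It shows why such a check says nothing about whether a card is real: any Luhn-valid number with a plausible date and CVV passes, so only the background charge attempt the article describes would reveal whether the card is live.

```javascript
// Client-side "well-formedness" checks of the kind a payment form runs
// before submitting card data. Added example; not the phishing kit's code.

// Luhn (mod 10) checksum over a 12-19 digit card number (spaces/dashes allowed).
function luhnValid(cardNumber) {
  const digits = cardNumber.replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  // Walk from the rightmost digit; double every second digit, fold >9 back to one digit.
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Expiry "MM/YY" or "MM/YYYY": month 1-12, and not before the reference date.
// `now` is injected so the check is deterministic.
function expiryValid(expiry, now = new Date()) {
  const m = /^(\d{2})\s*\/\s*(\d{2}|\d{4})$/.exec(expiry.trim());
  if (!m) return false;
  const month = Number(m[1]);
  let year = Number(m[2]);
  if (month < 1 || month > 12) return false;
  if (year < 100) year += 2000;
  // A card is valid through the last day of its expiry month; day 0 of the
  // following month is that last day.
  const endOfMonth = new Date(year, month, 0, 23, 59, 59);
  return endOfMonth >= now;
}

// CVV: 3 digits, or 4 for American Express (IIN prefixes 34 and 37).
function cvvValid(cvv, cardNumber) {
  const pan = cardNumber.replace(/[\s-]/g, "");
  const isAmex = /^3[47]/.test(pan);
  return isAmex ? /^\d{4}$/.test(cvv) : /^\d{3}$/.test(cvv);
}

// Combined check: returns the first failing field name, or null if all pass.
function firstInvalidField({ cardNumber, expiry, cvv }, now = new Date()) {
  if (!luhnValid(cardNumber)) return "cardNumber";
  if (!expiryValid(expiry, now)) return "expiry";
  if (!cvvValid(cvv, cardNumber)) return "cvv";
  return null;
}

// Constructed sample input: public test numbers, fixed reference date (1 April 2025).
const sampleNow = new Date(2025, 3, 1);
console.log(luhnValid("4111 1111 1111 1111")); // true: checksum passes
console.log(luhnValid("4111 1111 1111 1112")); // false: last digit changed
console.log(firstInvalidField({ cardNumber: "378282246310005", expiry: "12/27", cvv: "123" }, sampleNow)); // "cvv": Amex needs 4 digits
```

Note that a number passing every one of these checks may still belong to no account; the checks only reject typos and malformed input.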
Phishing page behavior and other aspects of the attack
As mentioned in the introduction, users must visit the phishing page using a URL whose path ends in a specific numeric string. The threat actor refers to this string as the AD_CODE, both in the page source and in a cookie set in visitors' browsers.

Figure 15. The AD_CODE value must be present in the URI on the initial visit, or the page will fail to load.
Visiting a phishing domain for the first time at its root, without the AD_CODE in the URI path, displays what looks like console output: the text "AD not found (captcha2)" appears one character at a time next to a blinking cursor, as if someone were typing the message in real time.

Figure 16. The phishing site "AD not found (captcha2)" error page.
In some newer versions of the kit, once the attackers disable a specific AD_CODE, this "404" page simply displays the requested URL.

Figure 17. The updated version of the phishing kit's "404" page.
Site visitors who open a link containing a valid AD_CODE value in the URL are presented with the full phishing page. In testing, the AD_CODE determines which brand the site impersonates, through the text and graphics within the page. The variations even change the date format, currency, and details about the hotels they target.

Figure 18. The AD_CODE used to impersonate a hotel in Vietnam.
The same website can output multiple variants of the same page.

Figure 19. A different AD_CODE value in the URL produces a page targeting a different hotel on the same website.
Using the same AD_CODE value on different sites within the cluster of phishing domains that were still operational at the time of testing produced the same brand impersonation on all of them. Using different AD_CODE values on the same site produced different brand impersonations within otherwise identical pages.

Figure 20. An example of the AD_CODE in a URL.
This "AD_CODE" value also appears in cookies the page sets in the visitor's browser, highlighted in red in the screenshot below.

Figure 21. Cookie data contains the AD_CODE value.
Under the hood, the phishing page code polls the webserver continuously, providing real-time updates on keypresses, payment card data the visitor submits to the page, and even the content of the "support chat" that pops open from a pane on the right side of the window.

Figure 22. Wireshark view of the captured network packets, showing near-continuous polling of user interactions on the page by a script.

Figure 23. Network polling takes place roughly between once per half-second to once per second for the entire time the page is loaded in the browser.
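The polling behaviour described above is something a defender can look for in proxy or HTTP request logs. The following is an added example, not code from the article or from the phishing kit. It parses a constructed, space-separated request log (timestamp, method, host, path; this format is assumed for the demo), groups requests by host, and flags hosts contacted at a steady interval of roughly half a second to a second. It uses the median gap and a median-absolute-deviation jitter ratio so that a few slow or fast requests do not hide the pattern.

```javascript
// Detecting near-continuous polling in HTTP request logs. Added example;
// the log format is constructed for the demo and is not a specific product's.
// Each line: ISO-8601 timestamp, method, host, path (space separated).

function parseLogLine(line) {
  const [ts, method, host, path] = line.trim().split(/\s+/);
  const t = Date.parse(ts);
  if (Number.isNaN(t) || !method || !host) return null;
  return { t, method, host, path: path || "/" };
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Per-host timing: request count, median inter-request gap in seconds, and
// jitter = median absolute deviation of the gaps divided by the median gap.
function hostTimingStats(lines) {
  const byHost = new Map();
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue;
    if (!byHost.has(r.host)) byHost.set(r.host, []);
    byHost.get(r.host).push(r.t);
  }
  const stats = [];
  for (const [host, times] of byHost) {
    times.sort((a, b) => a - b);
    const gaps = [];
    for (let i = 1; i < times.length; i++) gaps.push((times[i] - times[i - 1]) / 1000);
    if (gaps.length === 0) {
      stats.push({ host, requests: times.length, medianGap: null, jitter: null });
      continue;
    }
    const med = median(gaps);
    const mad = median(gaps.map((g) => Math.abs(g - med)));
    stats.push({ host, requests: times.length, medianGap: med, jitter: med > 0 ? mad / med : Infinity });
  }
  return stats;
}

// Flag hosts that look like a page polling its server: at least `minRequests`
// requests whose median gap lies within [minGap, maxGap] seconds with low jitter.
function findPollingHosts(lines, { minRequests = 8, minGap = 0.4, maxGap = 1.2, maxJitter = 0.35 } = {}) {
  return hostTimingStats(lines)
    .filter((s) => s.requests >= minRequests && s.medianGap !== null
      && s.medianGap >= minGap && s.medianGap <= maxGap && s.jitter <= maxJitter)
    .map((s) => s.host);
}

// Constructed sample log: one host polled every 0.5-1 s, one ordinary browsing
// host with a few irregular requests. Hostnames use the reserved .test TLD.
function buildSampleLog() {
  const lines = [];
  let t = Date.parse("2025-03-20T10:00:00.000Z");
  const gapsMs = [520, 610, 980, 540, 700, 850, 500, 920, 660, 580, 770, 640];
  lines.push(`${new Date(t).toISOString()} POST hotel-confirmation-example.test /poll`);
  for (const g of gapsMs) {
    t += g;
    lines.push(`${new Date(t).toISOString()} POST hotel-confirmation-example.test /poll`);
  }
  const browsing = [
    "2025-03-20T10:00:00.000Z GET example.test /",
    "2025-03-20T10:00:03.200Z GET example.test /style.css",
    "2025-03-20T10:00:41.000Z GET example.test /rooms",
    "2025-03-20T10:02:05.000Z GET example.test /contact",
  ];
  return lines.concat(browsing);
}

console.log(findPollingHosts(buildSampleLog())); // [ 'hotel-confirmation-example.test' ]
```

The thresholds are starting points: legitimate pages also poll (chat widgets, live dashboards), so the host list is a triage queue to pair with the naming-convention and content indicators rather than an alert on its own.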
Phishing domain naming convention analysis
As of publication, the threat actor behind this campaign has registered at least 4,344 domains that Netcraft connects to these attacks. Netcraft judged the domains to be connected based on a number of factors, including (but not limited to): the registrar used to register the domain; common content running on a large proportion of the domains; and the consistent naming conventions favored by this threat actor.
Among these domains, four large travel brands stand out as targets:
685 domains contain the name "Booking" (many more URLs in the attacks used "booking" as a subdomain)
18 domains contain the name "Expedia"
13 domains contain the name "Agoda"
12 domains contain the name "Airbnb"
The threat actor's naming convention for these domains usually includes one or more other travel-related words, such as:
524 domains contain the substring "verif," typically in the form of the word "verify" (usually appended to the word "card," as in "cardverify" or "verifycard") but also "verification"
298 domains include the word "card"
267 domains contain the word "guest" (also tacked on to the word "verify," such as "guestverify" or "verifyguest")
1,462 domains contain the word "confirm" or "confirmation"
255 domains contain the word "reserve" or "reservation"
283 domains contain the word "hotel"
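The naming conventions above lend themselves to a simple tagging heuristic. The following is an added example, not Netcraft's classification tooling: it tags hostnames against the brand names and keyword stems listed above, counts distinct registrable domains per tag, and distinguishes a brand in the registrable label from one used only as a subdomain (the "booking" subdomain caveat noted above). The hostnames are constructed to mirror the patterns described and are not domains from the campaign; the registrable-domain extraction is deliberately simplified to the last two labels.

```javascript
// Tagging hostnames against the naming conventions described in the text.
// Added example for triage of candidate domains; not Netcraft's tooling.

// Brand names and keyword stems reported in the campaign's domain names.
// "verif" and "reserv" are stems so they match verify/verification and
// reserve/reservation alike.
const BRANDS = ["booking", "expedia", "agoda", "airbnb"];
const KEYWORDS = ["verif", "card", "guest", "confirm", "reserv", "hotel"];

// Registrable domain = last two labels. Simplification: a real tool should use
// the Public Suffix List so that e.g. "example.co.uk" is handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) return null;
  return labels.slice(-2).join(".");
}

// Classify one hostname: brands/keywords in the registrable label, brands that
// appear only in a subdomain, and whether the label ends in a run of digits.
function classifyHostname(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  const reg = registrableDomain(h);
  if (!reg) return null;
  const label = reg.split(".")[0];
  const subdomain = h.slice(0, h.length - reg.length).replace(/\.$/, "");
  return {
    hostname: h,
    registrable: reg,
    brands: BRANDS.filter((b) => label.includes(b)),
    subdomainBrands: BRANDS.filter((b) => subdomain.includes(b) && !label.includes(b)),
    keywords: KEYWORDS.filter((k) => label.includes(k)),
    trailingDigits: /\d+$/.test(label),
  };
}

// Count distinct registrable domains per tag and score each domain by how
// many of the campaign's conventions it matches (highest score first).
function summarize(hostnames) {
  const seen = new Map(); // registrable domain -> classification
  for (const hn of hostnames) {
    const c = classifyHostname(hn);
    if (c && !seen.has(c.registrable)) seen.set(c.registrable, c);
  }
  const counts = {};
  for (const tag of [...BRANDS, ...KEYWORDS, "trailingDigits"]) counts[tag] = 0;
  for (const c of seen.values()) {
    for (const b of c.brands) counts[b]++;
    for (const k of c.keywords) counts[k]++;
    if (c.trailingDigits) counts.trailingDigits++;
  }
  const scored = [...seen.values()]
    .map((c) => ({
      registrable: c.registrable,
      score: c.brands.length + c.keywords.length + (c.trailingDigits ? 1 : 0),
    }))
    .sort((a, b) => b.score - a.score);
  return { domains: seen.size, counts, scored };
}

// Constructed sample modelled on the described naming patterns. These are
// illustrative strings, not domains observed in the campaign.
const SAMPLE_HOSTNAMES = [
  "booking.guestverify-check.com",          // brand only in the subdomain
  "cardverify-confirmation7731.world",
  "hotel-reservation-confirm.sale",
  "www.agoda-confirm-guest.help",
  "verifycard-booking412.world",
  "example.com",                            // matches nothing
];

console.log(summarize(SAMPLE_HOSTNAMES).counts);
```

Counting by registrable domain rather than by hostname matters here: the article notes that "booking" often appears as a subdomain, which would otherwise inflate the brand counts.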
A smaller set of the domains Netcraft connects to this campaign name (or reference) specific boutique or otherwise distinctive hotel properties in the domain string itself.
The threat actor appears to have specifically targeted the real hotel properties in the following partial list. (The names refer to the legitimate hotels, not to the malicious domains set up by the threat actor.)
Ayodya Resort, Bali, Indonesia
Hotel Estrimont, Canada
Hotel Suizo, Barcelona, Spain
The Mila Hotel, Brussels, Belgium
The Green Cube Capsule Hostel, Sofia, Bulgaria
Hotel du Jardin, Quebec, Canada
Hotel Libertas, Montenegro
Hotel Fazenda Vista, Brasil
Le Grand Bellevue, Gstaad, Switzerland
Lofos Strani Hotel, Greece
Mon Boutique Hotel, Mallorca, Spain
Olympian Bay Grand Resort, Greece
Sonnenhof Hotel & Spa, Germany
Taleju Boutique Hotel, Nepal

Figure 24. Many real hotels have been impersonated by the attackers.
Beyond the core travel theme of this campaign, some domains attributed to the same threat actor reference businesses that have nothing to do with travel.
The analysis reveals:
Four domains contain distinctive strings that appear to reference banks ("BofA," "Citi," and "Alfabank").
Five domains contain the name of the wire-transfer service "Western Union" or "MoneyGram."
One domain contains the string "Bolha," the name of a Slovenian website that offers travel services.
One domain contains the string "OLX Market," a likely reference to the Dutch "classified ad" service comparable to Craigslist.
Five domains appear to have been registered to target customers of the Czech arm of the parcel carrier DPD (DPD.cz).
One of the domain names contains references to the real payment portal for a Los Angeles-based document shredding company, Shred Time.
One domain registered by the threat actor appears to reference the title of syndicated advice columnist Natalie Bencivenga's regular feature, Ask Natalie.
Netcraft assesses it is likely that the same threat actor registered these domains but does not know why these businesses appear to be referenced in the domain names. It could be an indicator that customers or patrons of these businesses or services may be past or future targets, or they could be completely random.
Attribution characteristics
Netcraft found numerous comments, data fields, and debugger output in the Russian language in the phishing site source code. One example among many is the highlighted debugger output text below, which translates to "notifications not supported."

Figure 25. "Notifications Not Supported" in Russian appears in debug output of the page.
The HTML source code for the pages is extensively commented in Russian, an indication of whom the threat actor expects to read and customize the phishing kit: other criminals, the kit's potential customers.

Figure 26. The pages are extensively commented in Russian.
Dodging the travel phishing attack
As with many phishing campaigns, the attackers rely on site visitors not closely scrutinizing the details of the page when they follow a link received through email or other messaging. However, several details give away the attackers' intent.
The text of the captcha page may contain grammatical and spelling errors.
The phishing pages themselves may contain numerous design and stylistic errors that are inconsistent even within a single page of the site.
The domains are unrelated to the sites they purport to point to, and may only contain text strings that make a passing reference to the real sites they attempt to impersonate.
You may not have any travel plans at all, in which case, you shouldn't bother following the link in the first place.
Netcraft has posted Indicators of compromise relating to this attack to the Netcraft GitHub repository.