Mass Hospitality Phishing Scheme Expands With 4,300+ Domains, Multilingual Pages, and Advanced Automation

A Russian-speaking threat actor behind an ongoing mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, uses spam emails to target customers of the hospitality industry, specifically hotel guests who may have travel reservations. The campaign is said to have begun in earnest around February 2025. Of the 4,344 domains tied to the attack, 685 contain the name “Booking,” followed by 18 with “Expedia,” 13 with “Agoda,” and 12 with “Airbnb,” indicating an attempt to target all popular booking and rental platforms. Brandt noted, “The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com.”
The initial lure involves phishing emails urging recipients to verify a booking within 24 hours by providing credit card information. Victims who click the malicious link are redirected through several steps before landing on a counterfeit website designed to mimic trusted travel platforms. These sites use predictable domain structures with terms such as “confirmation,” “guestcheck,” “cardverify,” or “reservation” to create a sense of legitimacy. The fraudulent pages support 43 languages, significantly widening the attackers’ potential reach. If a visitor accesses the page without the required AD_CODE parameter, they encounter a blank screen, indicating built-in filtering mechanisms. The phishing kit even deploys a fake Cloudflare-style CAPTCHA to enhance credibility.
Netcraft explained how the kit maintains consistency for each victim: “After the initial visit, the AD_CODE value is written to a cookie, which ensures that subsequent pages present the same impersonated branding appearance to the site visitor as they click through pages.” Changing the AD_CODE in the URL triggers impersonation of different hotels on the same platform. Once the user submits card details—including expiration date and CVV—the site attempts a background transaction while showing a fake “support chat” window to guide victims through what appears to be a “3D Secure verification.”
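The domain naming pattern described above lends itself to a simple screening rule for proxy, DNS, or mail-gateway logs. The following is an added example, not code from Netcraft or from the article: it flags hostnames that combine one of the impersonated brand names with one of the reported lure terms while not belonging to the brand's own domain. The allowlist, the verdict labels, and the sample hostnames are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Brand names and lure terms as reported in the article.
BRANDS = ("booking", "expedia", "agoda", "airbnb")
LURE_TERMS = ("confirmation", "guestcheck", "cardverify", "reservation")
# Assumption: the brands' own registrable domains; extend for your environment.
LEGITIMATE = {"booking.com", "expedia.com", "agoda.com", "airbnb.com"}

def hostname_of(value):
    """Accept a bare hostname or a full URL; return the lowercase hostname."""
    value = value.strip().lower()
    if "//" not in value:
        value = "//" + value  # urlsplit only parses a host after "//"
    return (urlsplit(value).hostname or "").rstrip(".")

def is_legitimate(host):
    """True for an allowlisted domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE)

def score_host(value):
    """Classify one hostname or URL as 'block', 'review' or 'ignore'."""
    host = hostname_of(value)
    result = {"host": host, "brands": [], "lures": [], "verdict": "ignore"}
    if not host or is_legitimate(host):
        return result
    flat = re.sub(r"[^a-z0-9]", "", host)  # so "guest-check" still matches
    result["brands"] = [b for b in BRANDS if b in flat]
    result["lures"] = [t for t in LURE_TERMS if t in flat]
    if result["brands"] and result["lures"]:
        result["verdict"] = "block"   # brand plus lure term on an off-brand domain
    elif result["brands"] or result["lures"]:
        result["verdict"] = "review"  # single weak signal, needs a human look
    return result

def triage(values):
    """Return only the entries that need action, strongest verdict first."""
    hits = [r for r in map(score_host, values) if r["verdict"] != "ignore"]
    return sorted(hits, key=lambda r: r["verdict"])  # "block" sorts before "review"

# Constructed sample input (not real indicators from the campaign).
SAMPLE = ["booking-guestcheck.example",
          "https://booking.com.confirmation-id.example/p/abc",
          "cardverify-77421.example",
          "https://secure.booking.com/hotel",
          "intranet.example"]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["verdict"], row["host"], row["brands"], row["lures"])
```

A lure term on its own is common in legitimate hospitality domains, which is why a single signal is routed to review rather than blocked.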
The threat actor’s identity remains unclear, although Russian-language elements in the code may hint at the operators’ origins—or simply be tailored for customers using the phishing kit. This disclosure follows recent warnings from Sekoia about another large-scale campaign targeting hotel managers with credential-harvesting pages and malware such as PureRAT, later used to message customers through WhatsApp or email. One of the domains flagged by Sekoia closely resembles those observed by Netcraft, suggesting the two operations may be linked.
Wider phishing efforts have also surged across Europe, with attackers impersonating brands like Microsoft, Adobe, FedEx, DHL, and WeTransfer using malicious HTML attachments that steal credentials via JavaScript and send them to Telegram bots. These campaigns have heavily targeted enterprises, distributors, government-linked bodies, and hospitality organizations in countries including Germany, Hungary, Slovakia, and the Czech Republic.
Meanwhile, Group-IB uncovered another large-scale operation aimed at customers of Italian hosting provider Aruba S.p.A. Their analysis describes the phishing kit as a “fully automated, multi-stage platform designed for efficiency and stealth,” complete with CAPTCHA evasion, data pre-filling, and Telegram-based credential exfiltration. The researchers summed up the trend: “Every function serves a single goal: industrial-scale credential theft.”
These developments underscore the rapid expansion of phishing-as-a-service ecosystems, where even low-skilled cybercriminals can deploy advanced attack infrastructures. As Group-IB noted, automation has turned phishing into a systematized, scalable operation—faster to deploy, harder to detect, and increasingly accessible to attackers worldwide.
