A Russian-speaking threat actor has unleashed an extensive phishing campaign leveraging over 4,300 domains registered since early 2025, aiming to defraud individuals planning travel by impersonating major hotel and booking platforms.
The attacker’s infrastructure uses consistent domain naming conventions, incorporating keywords such as “confirmation,” “booking,” “cardverify,” and sometimes even referencing luxury and boutique hotels to heighten credibility.
The phishing kit is highly dynamic, customizing each page based on a unique string in the URL path known as “AD_CODE.” This identifier triggers on-the-fly branding that matches the impersonated site; examples include Airbnb, Booking.com, and hundreds of real-world hotel brands.
Upon the target’s initial visit, the kit sets cookies that carry both the AD_CODE and a “D_TYPE” value, preserving the spoofed branding throughout the target’s session.
The sites deploy auto-translated lures in 43 languages and a fake online help chat, significantly expanding the campaign’s reach.
Attack Flow and Technical Infrastructure
The exploit begins with tailored malspam emails, commonly sent under the guise of “Want Your Feedback,” targeting individuals with travel reservations. Victims are prompted to confirm booking details by clicking embedded links.
Instead of directing users to legitimate hotel portals, these links funnel them through multiple redirect chains starting with long-abandoned domains and Blogspot pages before delivering them to the phishing site.
Phishing domains are registered in blocks (10–65 per week on average, peaking at 511 on March 20, 2025) through a small pool of registrars: WebNIC, Public Domain Registry, Atak Domain Bilgi Teknolojileri, and MAT BAO Corporation.
These domains often use gTLDs like .world, .sale, and .help, paired with the names of impersonated brands and markers such as “confirm,” “verify,” or numeric codes.
Upon landing, visitors encounter a non-functional CAPTCHA mimicking Cloudflare’s design, complete with grammar mistakes (“test was successfully”) to instill trust.
The subsequent form requires payment card data, which is validated via Luhn checks before an immediate background transaction is attempted. Real-time polling scripts capture user keystrokes and data entries, feeding the information back to the command-and-control server.
Attribution and Defensive Indicators
Analysis reveals extensive Russian-language comments and debug fields within the phishing site HTML, further tying the campaign to Russian-speaking cybercriminal circles.
Most domains feature travel-oriented components; still, some reference banks, postal agencies, and unrelated businesses suggest broader ambitions or future pivots.
Security teams should watch for domains featuring travel keywords, randomized domain composition, and generic branding mismatches.
End-users must beware unexpected booking confirmations and scrutinize URLs before submitting any personal information, especially while making travel plans.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
.webp?resize=1068,580&ssl=1&description=Phishing attack - A Russian-speaking threat actor has unleashed an extensive phishing campaign leveraging over 4,300 domains registered.){kind=link}