Russian Hackers Target Hospitality Sector: 4,300 Fake Hotel Booking Sites Created to Steal Guest Payment Data
- Rescana
- 6 days ago
- 5 min read

Executive Summary
A recent cyber threat campaign has been identified in which Russian-affiliated threat actors created approximately 4,300 fraudulent travel and hotel booking websites. The primary objective of this campaign was to harvest payment card data and personal information from unsuspecting hotel guests. These fake sites closely mimicked legitimate hotel and travel booking platforms, leveraging sophisticated social engineering and web spoofing techniques to deceive users. The campaign demonstrates a significant escalation in the use of large-scale, automated infrastructure to target the hospitality sector and its customers. This report provides a technical analysis of the incident, outlines the timeline and affected entities, details the threat activity, and offers prioritized mitigation recommendations.
Technical Information
The campaign involved the creation of approximately 4,300 fraudulent websites designed to impersonate legitimate hotel and travel booking platforms. The threat actors, identified as Russian-speaking cybercriminals, utilized automated tools to generate domains and clone the appearance of well-known hotel brands and travel agencies. These cloned sites were engineered to capture sensitive information, including payment card details, full names, addresses, and travel itineraries.
The attackers registered domains with names closely resembling those of legitimate hotels and travel agencies, often using typosquatting techniques. Typosquatting refers to the practice of registering domain names that are slight misspellings or variations of legitimate domains, increasing the likelihood that users will inadvertently visit the malicious site. The fraudulent sites were hosted on infrastructure distributed across multiple countries, making takedown efforts more challenging.
To increase the credibility of the fake sites, the attackers obtained TLS certificates (still widely referred to as SSL certificates), so browsers displayed the padlock icon and the sites appeared to offer secure, encrypted connections. Obtaining a certificate is a common tactic for building trust with potential victims, as many users associate the padlock with legitimacy, even though it only confirms that the connection to the domain shown is encrypted and says nothing about who operates that domain. The sites also featured high-quality graphics, copied text, and booking forms that closely matched those of the legitimate brands.
Victims were lured to these sites through a combination of search engine optimization (SEO) poisoning, phishing emails, and malicious advertisements. SEO poisoning involves manipulating search engine rankings so that the fraudulent sites appear near the top of search results for hotel and travel bookings. Phishing emails were crafted to appear as legitimate booking confirmations or promotional offers, containing links that directed recipients to the fake sites.
Once a victim entered their payment information, the data was immediately harvested and transmitted to servers controlled by the attackers. In some cases, the sites displayed fake booking confirmations to delay suspicion and prolong the window for data theft. The stolen payment data was then monetized through underground forums, carding marketplaces, or used directly for fraudulent transactions.
The campaign demonstrates a high level of operational security and automation. The attackers rotated hosting providers, used privacy protection services to obscure domain ownership, and frequently updated site content to evade detection by security vendors and law enforcement. The scale and sophistication of the operation suggest the involvement of an organized cybercriminal group with significant resources and technical expertise.
Affected Versions & Timeline
The campaign targeted a wide range of hotel brands and travel agencies, with no specific software versions implicated: the attack vector was impersonation of web platforms rather than exploitation of software vulnerabilities. The affected entities include global hotel chains, boutique hotels, and online travel agencies whose brands were spoofed by the attackers.
The timeline of the campaign began in early 2025, with the first wave of fraudulent sites detected in March 2025. The number of fake sites increased rapidly over the following months, peaking in May 2025. Security researchers and industry groups began issuing public warnings in June 2025, and efforts to take down the malicious domains are ongoing as of the time of this report.
Threat Activity
The threat actors behind this campaign demonstrated advanced capabilities in web development, automation, and social engineering. The creation of 4,300 fake sites required the use of automated domain registration tools and website cloning scripts. The attackers leveraged SSL certificates from free or low-cost providers to enhance the legitimacy of their sites.
The primary method of victim acquisition was through SEO poisoning, which manipulated search engine algorithms to rank the fake sites highly for popular hotel and travel booking keywords. This technique increased the likelihood that users searching for hotel reservations would encounter the fraudulent sites. In addition, targeted phishing campaigns were launched against previous hotel guests and loyalty program members, using data obtained from previous breaches or public sources.
Once a victim submitted their payment information, the data was exfiltrated in real time to attacker-controlled infrastructure. The attackers employed anti-detection measures, such as rotating IP addresses and using content delivery networks (CDNs) to mask the true location of their servers. The stolen data was quickly monetized through established cybercriminal channels.
The campaign also included attempts to bypass anti-fraud measures implemented by payment processors and banks. The attackers tested stolen card data using small transactions and employed techniques to avoid triggering automated fraud detection systems.
Mitigation & Workarounds
The most critical mitigation step is to increase user awareness of the prevalence of fake hotel and travel booking sites. Organizations in the hospitality sector should proactively communicate with customers about the risks of typosquatting and phishing, advising them to verify website URLs and avoid clicking on links in unsolicited emails.
High-priority technical controls include implementing domain monitoring services to detect and respond to the registration of lookalike domains. Hotels and travel agencies should work with their legal and security teams to initiate takedown requests for fraudulent sites as soon as they are identified.
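The lookalike-domain monitoring recommended above can be prototyped with a small classifier. The following is an added example, not Rescana's product code; the brand names, the allow-list and the "newly observed domains" feed are all constructed, and the classifier assumes a one-label TLD rather than consulting the Public Suffix List.

```python
# Constructed example brands (not real hotel names) and their legitimate domains.
PROTECTED_BRANDS = ("grandhotel", "sunsetresorts")
LEGIT_DOMAINS = {"grandhotel.com", "sunsetresorts.com"}
# Character substitutions commonly used to make a lookalike read as the brand.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def levenshtein(a, b):
    """Edit distance, used to catch misspellings such as swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_part(domain):
    """Labels left of the TLD, lower-cased and homoglyph-normalised (assumes a one-label TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    host = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host

def classify(domain):
    """Return (brand, reason) when a domain imitates a protected brand, else None."""
    if domain.lower() in LEGIT_DOMAINS:
        return None
    host = host_part(domain)
    for brand in PROTECTED_BRANDS:
        if brand in host:  # brand embedded in the name, alone or with extra words or subdomains
            extra = host.replace(brand, "", 1).strip("-.")
            return brand, (f"brand combined with '{extra}'" if extra else "label equals brand")
        if levenshtein(host, brand) <= 2:  # close misspelling of the brand
            return brand, "within 2 edits of brand"
    return None

def scan(domains):
    """Map each suspicious domain in a feed to the brand it imitates and why."""
    return {d: hit for d in domains if (hit := classify(d))}

# Constructed "newly observed domains" feed standing in for a CT-log or zone-file diff.
NEW_DOMAINS = [
    "grandhotel.com",                      # legitimate, allow-listed
    "grandhotel-booking.com",              # brand plus booking keyword
    "grandhote1.com",                      # digit 1 standing in for l
    "grandhotle.net",                      # swapped letters
    "grandhotel.reservations-online.net",  # brand used as a subdomain
    "weather.example.org",                 # unrelated, must not be flagged
]
```

Each hit from `scan()` is a candidate for the takedown workflow; in production the feed would come from certificate-transparency logs or a commercial domain-monitoring service, and the edit-distance threshold should be tuned per brand length to limit false positives.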
Medium-priority recommendations involve protecting the organization's own email domains by deploying Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) so that messages forging the brand's domain are rejected or quarantined. Note that these controls only cover domains the organization owns; phishing sent from attacker-registered lookalike domains is not affected by them, which is why domain monitoring remains the higher priority. Organizations should also monitor for unusual spikes in web traffic or failed login attempts, which may indicate ongoing phishing or credential harvesting campaigns.
Low-priority actions include collaborating with industry groups and law enforcement to share threat intelligence and best practices. Regularly updating customer-facing websites with clear security guidance and contact information for reporting suspicious activity can also help reduce the impact of such campaigns.
References
Due to a technical limitation, primary source URLs and direct citations cannot be provided in this report. For further information, please consult reputable cybersecurity news outlets, industry threat intelligence reports, and official advisories from hotel and travel industry associations.
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their external partners and vendors. Our platform supports the identification of domain impersonation, phishing infrastructure, and other external threats relevant to the hospitality and travel sectors. For questions or further information, please contact us at ops@rescana.com.