Full Report
A Russian-speaking threat actor behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations, using spam emails. The campaign is said to have begun in earnest around
Analysis Summary
# Threat Actor: Unknown Russian-Speaking Phishing Operator
## Attribution & Identity
* **Identification:** A Russian-speaking threat actor.
* **Aliases/Groups:** Identity remains unknown. However, the use of Russian language source code comments suggests either Russian provenance or the actor is marketing the phishing kit to Russian-speaking customers.
* **Known Associations:** Potentially linked to a campaign highlighted by Sekoia targeting the hospitality industry with ClickFix-style pages, based on matching domain naming patterns (e.g., `guestverifiy...`).
## Activity Summary
The actor is behind an ongoing, mass phishing campaign that began in earnest around February 2025. The primary goal is the large-scale harvesting of payment data from hotel guests. Since the start of the year, the operation has registered over 4,300 malicious domain names.
## Tactics, Techniques & Procedures
* **Mass Domain Registration:** Registered over 4,300 domains explicitly designed for phishing.
* **Sophisticated Dynamic Phishing Kit:** Utilizes a phishing kit that customizes the displayed page based on a unique string (`AD_CODE`) present in the URL path.
* **Impersonation and Branding:** Customizes the fake sites using logos from major online travel industry brands (e.g., Booking.com, Airbnb).
* **URL Structure Observation:** Domains consistently feature pattern keywords like `confirmation`, `booking`, `guestcheck`, `cardverify`, or `reservation`.
* **Steering Traffic/Persistence:** The `AD_CODE` value is written to a cookie on the first visit, so every subsequent page keeps the same impersonated branding.
* **Linguistic Diversity:** Pages support 43 different languages to maximize reach.
* **Evasion/Deception:** Implements a fake CAPTCHA check mimicking Cloudflare for deception.
* **Payment Elicitation:** Directs victims to enter credit card details (including CVV) under the guise of paying a deposit.
* **Secondary Scam:** After card details are entered, a fake "support chat" appears, instructing the victim on completing a fake "3D Secure verification."
* **Internal Indicators:** Source code comments and debugger output were found in Russian.
* **Access Control:** Direct access to the phishing page without the unique identifier (`AD_CODE`) results in a blank page.
## Targeting
* **Sectors:** Hospitality industry.
* **Geography:** Global reach implied by support for 43 languages.
* **Victims:** Customers/guests with travel reservations, specifically targeting users of major booking platforms.
  * Domains impersonated suggest targeting customers of: Booking (685 domains), Expedia (18 domains), Agoda (13 domains), and Airbnb (12 domains).
## Tools & Infrastructure
* **Malware Families Used:** None explicitly identified in this article for this specific campaign, though the related campaign mentioned utilized PureRAT.
* **Infrastructure (C2, domains, IPs):**
  * Infrastructure consists of over 4,300 registered domains targeting hospitality reservations. (No IP addresses were explicitly provided in the summary context.)
## Implications
This represents a highly organized, financially motivated campaign focused on mass consumer financial data theft within a specific high-value vertical (travel/hospitality). The use of a dynamic, customizable phishing kit indicates a professional, scalable operation capable of rapidly pivoting and adapting its branding to whichever platform the URL implies is being impersonated.
## Mitigations
* Educate customers to confirm or modify reservations only through the official application or a known, verified link, rather than through links in email, especially when a message asks for payment details.
* Security teams should monitor for domains mimicking major Online Travel Agencies (OTAs) like Booking.com or Airbnb, especially domains containing reservation or verification keywords.
* Implement network protections to flag redirects from emails leading to domains with unusually high registration velocity or brand mixture.
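The domain-naming observations above (OTA brand tokens combined with keywords such as `confirmation`, `guestcheck`, `cardverify` or `reservation`) and the last two mitigations can be turned into a simple triage script. The following Python is an added example, not code from Netcraft or from this analysis: it scores each entry of a newly-registered-domain feed for brand lookalikes, keyword stems and brand mixture, then flags days on which the number of matching registrations suggests a registration burst. The feed, the allowlist, the keyword stems and the thresholds are all assumptions chosen for illustration.

```python
"""Score newly-registered domains for hotel-reservation phishing naming patterns.

Added example (not Netcraft's or the article's code). Brand tokens come from the
platforms named in the report; keyword stems follow the observed domain pattern.
The feed, allowlist and thresholds are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Impersonated platforms named in the report.
BRANDS = ("booking", "expedia", "agoda", "airbnb")
# Keyword stems seen in the campaign's domains; "guestverif" is a stem chosen here
# so that both "guestverify" and the misspelled variant are caught.
KEYWORDS = ("confirmation", "booking", "guestcheck", "cardverify",
            "reservation", "guestverif")
# Exact legitimate domains that must never be flagged (assumed allowlist).
ALLOWLIST = frozenset({"booking.com", "expedia.com", "agoda.com", "airbnb.com"})


@dataclass(frozen=True)
class Registration:
    """One row of a newly-registered-domain feed (constructed format)."""
    domain: str
    registered: date


def normalise(domain: str) -> str:
    """Lower-case, drop the final label (TLD) and keep letters only, so that
    hyphens and digits cannot break substring matching. Multi-part suffixes
    such as co.uk are not handled specially in this example."""
    labels = domain.lower().strip().rstrip(".").split(".")
    core = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z]", "", core)


def score_domain(domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons). Brand token = 2, each extra keyword = 1,
    more than one brand in the same name (brand mixture) = +2."""
    if domain.lower() in ALLOWLIST:
        return 0, []
    norm = normalise(domain)
    brands = [b for b in BRANDS if b in norm]
    # "booking" is both a brand and a keyword; count it once, as a brand.
    keywords = [k for k in KEYWORDS if k in norm and k not in brands]
    score, reasons = 0, []
    if brands:
        score += 2
        reasons.append("brand:" + ",".join(brands))
    if len(brands) > 1:
        score += 2
        reasons.append("brand-mixture")
    if keywords:
        score += len(keywords)
        reasons.append("keyword:" + ",".join(keywords))
    return score, reasons


def flag_feed(feed, threshold: int = 2, burst: int = 5):
    """Return (hits, bursts): hits are (registration, score, reasons) tuples at or
    above `threshold`; bursts maps a registration date to the number of hits on
    days that reach `burst`, the velocity signal from the mitigations above."""
    hits = []
    for reg in feed:
        score, reasons = score_domain(reg.domain)
        if score >= threshold:
            hits.append((reg, score, reasons))
    per_day = Counter(reg.registered for reg, _, _ in hits)
    bursts = {d: n for d, n in per_day.items() if n >= burst}
    return hits, bursts


# Constructed sample feed: five lookalikes registered on one day, one legitimate
# domain, one brand-mixture name and one unrelated business.
SAMPLE_FEED = [
    Registration("booking-guestcheck-confirmation.com", date(2025, 2, 10)),
    Registration("airbnb-cardverify.net", date(2025, 2, 10)),
    Registration("reservation-confirmation-expedia.com", date(2025, 2, 10)),
    Registration("agoda-guestverify.info", date(2025, 2, 10)),
    Registration("guestcheck-reservation.site", date(2025, 2, 10)),
    Registration("booking.com", date(2025, 2, 10)),
    Registration("bookingexpedia-confirm.com", date(2025, 2, 11)),
    Registration("example-bakery.com", date(2025, 2, 11)),
]

if __name__ == "__main__":
    hits, bursts = flag_feed(SAMPLE_FEED)
    for reg, score, reasons in hits:
        print(f"{reg.registered} {reg.domain:40} score={score} {' '.join(reasons)}")
    for day, count in bursts.items():
        print(f"burst: {count} matching registrations on {day}")
```

In practice the feed would come from a certificate-transparency or zone-file source, and the scored hits would be pushed to the mail gateway or proxy blocklist; the scoring is deliberately transparent so an analyst can see why a domain was flagged and tune the stems as the campaign's naming drifts.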