Customer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.
# Incident Report: Global Hotel Reservation Hijacking Campaign
## Executive Summary
Multiple cybercriminal groups are utilizing legitimate customer booking data stolen from over 350 hotels to launch highly targeted "reservation-hijacking" spear-phishing attacks. By weaponizing real check-in dates and guest names, attackers trick travelers into providing credit card details via fraudulent verification pages. The campaign primarily targets small-to-medium-sized hotels across 50 countries, with significant clusters in Europe and the United States.
## Incident Details
- **Discovery Date:** December 2025 (Initial investigation by Gen/Norton)
- **Incident Date:** Ongoing (Reported May 2026)
- **Affected Organization:** 350+ hotels (including those using CloudBeds and Booking.com platforms)
- **Sector:** Hospitality and Tourism
- **Geography:** Global (Primarily Germany, France, UK, Italy, Spain, and the US)
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2025 – Early 2026
- **Vector:** Spear-phishing and Malware-laced files
- **Details:** Attackers target hotel staff with malware-laced emails or phishing lures to steal login credentials for internal Property Management Systems (PMS) or third-party booking portals (e.g., Booking.com, CloudBeds).
### Lateral Movement
- **Details:** Attackers pivot from compromised staff credentials to access guest databases, reservation manifests, and communication modules within booking platforms.
### Data Exfiltration/Impact
- **Details:** Sensitive guest data—including full names, booking dates, hotel names, and reservation prices—is harvested to fuel secondary attacks against the customers.
### Detection & Response
- **Detection:** Discovered by Norton researchers after identifying a highly realistic WhatsApp phishing lure in December.
- **Response:** Notification of law enforcement (Europol) and affected booking platforms; ongoing strengthening of defenses by third-party aggregators.
## Attack Methodology
- **Initial Access:** Phishing/Smishing targeting hotel employees; Social Engineering.
- **Persistence:** Compromised legitimate administrative credentials for booking portals.
- **Defense Evasion:** Use of legitimate communication channels (WhatsApp, SMS, Email) and authentic booking details to bypass victim suspicion.
- **Credential Access:** Theft of hotel staff logins through info-stealing malware or phishing sites.
- **Discovery:** Inventorying guest reservations and scheduled stay dates.
- **Collection:** Gathering specific PII (Personally Identifiable Information) related to upcoming stays.
- **Exfiltration:** Automated harvesting of guest data through "phishing-as-a-service" kits.
- **Impact:** Financial theft from guests via fake payment/verification flows featuring real-time chatbots.
## Impact Assessment
- **Financial:** High potential for direct theft from guests; part of a broader trend where phishing cost US victims $200M+ annually.
- **Data Breach:** Compromise of PII for guests across facilities with a combined capacity of ~80,000 people.
- **Operational:** Disruption of hotel-customer trust; necessity for hotels to reset credentials and audit systems.
- **Reputational:** Significant damage to small-to-medium hotel brands and third-party booking intermediaries.
## Indicators of Compromise
- **Network:** `booking[.]com` lookalike domains (e.g., `booking-check-auth[.]com`).
- **File:** Malware-laced email attachments sent to hotel administrative staff.
- **Behavioral:** High volumes of WhatsApp/SMS messages originating from non-official accounts claiming to be hotel management or Booking.com.
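The network indicator above is a brand-token lookalike: a hostname that carries "booking" (or "cloudbeds") while its registrable domain is not the brand's own. The following added example (not part of the report, and not code from Gen/Norton or any booking platform) is a small hunting check a hotel or SOC analyst could run over resolver logs to surface such hosts. The log lines are constructed for the example; the `booking-check-auth[.]com` value is the one the report cites, and the two-label "registrable domain" heuristic is an assumption that stands in for a real public-suffix list.

```python
import re

# Brands the report names as impersonated, mapped to their real registrable domain.
PROTECTED_BRANDS = {"booking": "booking.com", "cloudbeds": "cloudbeds.com"}

# Constructed resolver log in a generic key=value shape (not real traffic).
CONSTRUCTED_DNS_LOG = """\
2026-05-02T10:01:12Z client=10.0.5.23 query=www.booking.com type=A
2026-05-02T10:02:45Z client=10.0.5.23 query=booking-check-auth.com type=A
2026-05-02T10:03:01Z client=10.0.5.41 query=secure-booking.verify-payment.example type=A
2026-05-02T10:03:30Z client=10.0.5.41 query=admin.cloudbeds.com type=A
2026-05-02T10:04:10Z client=10.0.5.77 query=cloudbeds-login.example type=A
2026-05-02T10:05:00Z client=10.0.5.77 query=www.wikipedia.org type=A
"""

QUERY_RE = re.compile(r"\bquery=(\S+)")


def refang(domain):
    """Turn the report's defanged notation (booking[.]com) into a normalised hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of the host.

    Assumption: no public-suffix list is available offline, so two-part suffixes
    such as co.uk are not handled; good enough for the .com brands in this report.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_domain(domain):
    """'legitimate' if the registrable domain is a protected brand's own domain,
    'lookalike' if a brand token appears anywhere else in the host (including
    subdomain tricks such as booking.com.evil.example), otherwise 'unrelated'."""
    host = refang(domain)
    if registrable_domain(host) in PROTECTED_BRANDS.values():
        return "legitimate"
    # Strip separators so booking-check-auth still contains the token "booking".
    flattened = host.replace("-", "").replace("_", "")
    if any(brand in flattened for brand in PROTECTED_BRANDS):
        return "lookalike"
    return "unrelated"


def scan_dns_log(log_text):
    """Return (queried hostname, verdict) for every query= field in the log."""
    results = []
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            results.append((match.group(1), classify_domain(match.group(1))))
    return results


def flag_lookalikes(log_text):
    """Hostnames worth a closer look, in the order they were queried."""
    return [host for host, verdict in scan_dns_log(log_text) if verdict == "lookalike"]


if __name__ == "__main__":
    for host, verdict in scan_dns_log(CONSTRUCTED_DNS_LOG):
        print(f"{verdict:10} {host}")
```

Run on the constructed log this flags `booking-check-auth.com`, `secure-booking.verify-payment.example` and `cloudbeds-login.example` while leaving `www.booking.com` and `admin.cloudbeds.com` alone. The check is deliberately broad: a brand token in a foreign registrable domain is a triage signal, not proof of phishing, and the verdict should be confirmed against the platform's published domains before blocking.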
## Response Actions
- **Containment:** Cooperation with Europol to take down malicious infrastructure.
- **Eradication:** Revoking compromised hotel staff credentials on platforms like Booking.com and CloudBeds.
- **Recovery:** Implementing enhanced security modes and multi-factor authentication (MFA) for travel partner accounts.
## Lessons Learned
- **Context is King:** Attackers are moving away from generic lures toward "highly contextual" phishing where they use stolen legitimate data to prove their "authenticity."
- **Small Business Vulnerability:** SMB hotels are a weak link in the global travel supply chain as they often lack dedicated IT security staff.
- **Supply Chain Risk:** A compromise of a single hotel management system can lead to the exploitation of thousands of individual customers.
## Recommendations
- **For Hotels:** Implement mandatory Multi-Factor Authentication (MFA) for all booking portal logins and provide anti-phishing training for front-desk staff.
- **For Travelers:** Never provide payment information via WhatsApp or SMS. Always verify payment requests by calling the hotel directly or using the official mobile app.
- **For Industry:** Implement DMARC and verified sender protocols for guest communications to help customers distinguish between real and fake messages.