A new phishing campaign is exploiting trust in Booking[.]com to steal credentials from hotel partners and then defraud unsuspecting travelers.
The multi-stage operation begins with convincing “complaint” emails sent to hotel staff and can end with fraudulent payment requests sent directly to guests via WhatsApp.
“The primary motivation driving this incident is financial fraud, targeting two victims: hotel businesses and hotel customers, in sequential order,” said Bridewell researchers.
For hotels and travel operators, this campaign represents more than a routine phishing attempt — it is a structured, multi-stage fraud operation designed to compromise trusted partner accounts and then exploit customer relationships.
By first gaining access to legitimate Booking[.]com partner portals, attackers obtain real reservation data that can later be used to target guests.
The campaign unfolds in three stages:
Stage One: Phishing Email Delivery
The operation begins with phishing emails sent to hotel reservation or support inboxes.
These messages typically reference a guest complaint, booking issue, or room inquiry and urge staff to click a link to review the matter.
While the link appears legitimate in the email body, it redirects recipients to attacker-controlled infrastructure.
Messaging is crafted to resemble standard Booking[.]com communications, increasing the likelihood that busy staff will engage without verifying the source.
Stage Two: Partner Credential Theft and Account Takeover
Once a hotel employee clicks the link, they are directed to a fake Booking[.]com partner login page.
Attackers use look-alike domains and redirect chains to closely mimic authentic workflows.
In some cases, the campaign employs an internationalized domain name (IDN) homograph technique, substituting a Cyrillic character into the word “booking” to create a visually convincing but malicious domain.
URLs also include parameters such as complaint?optoken= to reinforce the appearance of legitimacy.
The phishing kit harvests credentials entered into the counterfeit portal, which attackers then use to access real Booking[.]com partner accounts.
Researchers also observed built-in defense evasion measures. The hosting infrastructure fingerprints visitors and performs validation checks before displaying the phishing page.
If certain conditions are not met, the site presents benign decoy content — such as unrelated hotel cleaning websites — to avoid detection.
When checks pass, victims are routed to a fraudulent sign-in page hosted on a deceptive “bookling” subdomain (the letter “i” in “booking” replaced with the letter “l”) that uses tokenized login paths.
Stage Three: Guest-Targeted Payment Fraud
After successfully compromising partner accounts, attackers pivot to customers.
Using legitimate booking details obtained from the hijacked accounts, they send convincing WhatsApp messages to guests that reference real reservation information and create urgency around payment verification or issue resolution.
Victims are often routed through a Cloudflare CAPTCHA page before being redirected to a Booking[.]com look-alike payment portal.
This additional step enhances the perception of authenticity. Once on the spoofed payment page, guests may unknowingly submit payment card information and other sensitive data, which attackers can then use for financial fraud.
The campaign is active in the wild, and researchers noted that it used a customer phishing kit and WhatsApp delivery method similar to those of the I Paid Twice campaign.
Reducing Risk from Phishing
Hotels and travel organizations should take proactive steps to reduce the risk of account takeover and downstream guest fraud.
Because this campaign relies on compromised partner credentials rather than a software flaw, strengthening identity and access controls is critical.
- Enforce MFA on all Booking[.]com partner accounts and implement conditional access controls to limit high-risk or anomalous logins.
- Apply least privilege principles by restricting portal access, segmenting reservation and payment functions, and limiting exposure of sensitive booking and financial data.
- Strengthen email security by tightening filtering rules, blocking newly registered look-alike domains, and training staff to treat complaint-themed messages and urgent booking links as high risk.
- Monitor for account takeover indicators, including unusual sign-ins, password resets, unlikely travel activity, and suspicious outbound guest communications.
- Restrict portal access to managed or compliant devices and disable legacy authentication methods that could bypass modern security controls.
- Establish clear policies that prohibit sending payment links through chat apps and require guest payment verification through official Booking[.]com channels only.
- Regularly test and update incident response plans to ensure rapid detection, containment, and communication if a partner account is compromised.
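As an added example (not code from the Bridewell report or this article), the check below decodes a hostname and flags the three look-alike patterns described in Stage Two and targeted by the domain-blocking recommendation above: a Cyrillic homograph of “booking”, the one-letter “bookling” substitution, and the brand name buried in a subdomain of an unrelated registered domain. The homoglyph table is a small constructed sample, not the full Unicode confusables list.

```python
import unicodedata

BRAND = "booking"  # brand label the campaign impersonates

# Constructed sample of Cyrillic letters that render like Latin ones
# (not the complete Unicode confusables table).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
})

def decode_host(host: str) -> str:
    """Lower-case a hostname and expand punycode (xn--) labels; malformed punycode raises UnicodeError."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(lab[4:].encode("ascii").decode("punycode") if lab.startswith("xn--") else lab
                    for lab in labels)

def non_latin_scripts(label: str) -> set:
    """Script names of non-Latin letters in a label, e.g. {'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label
            if ch.isalpha() and not unicodedata.name(ch).startswith("LATIN")}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches Latin-only swaps such as bookling -> booking."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_host(host: str) -> list:
    """Return look-alike findings for a hostname; an empty list means no signal."""
    labels = decode_host(host).split(".")
    if labels[-2:] == [BRAND, "com"]:
        return []  # the genuine registered domain, any subdomain
    findings = []
    for label in labels[:-1]:  # every label except the TLD
        skeleton = label.translate(HOMOGLYPHS)  # what the label *looks* like in Latin
        if non_latin_scripts(label) and BRAND in skeleton:
            findings.append("idn-homograph:" + label)   # Cyrillic letter swapped in
        elif BRAND in skeleton:
            findings.append("brand-in-label:" + label)  # e.g. booking.com.example.net
        elif levenshtein(label, BRAND) <= 1:
            findings.append("typosquat:" + label)       # e.g. bookling
    return findings
```

Run it against sender and link hostnames extracted from inbound mail; any non-empty result is a candidate for quarantine or analyst review.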
Together, these measures can help reduce partner account compromise and limit the potential blast radius of multi-stage fraud campaigns that target both hotels and their guests.
AI-Powered Phishing Risk
This campaign demonstrates how attackers can leverage trusted business relationships to expand financial fraud operations.
By compromising hotel partner accounts, they gain access to legitimate booking data, which makes subsequent customer-facing scams more believable. The broader takeaway is that brand recognition does not prevent credential-based attacks.
As phishing campaigns increasingly use AI-generated messaging and realistic brand impersonation, malicious emails and chat messages are becoming harder for employees to distinguish from legitimate communications.
Well-crafted language, accurate contextual details, and automated personalization reduce many of the traditional red flags staff once relied on.
As AI-driven deception expands beyond just phishing emails, organizations are turning to deepfake detection tools to counter synthetic voice and video impersonation.
