Monday 06 July 2026 23:23:59 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Security Awareness & Social Engineering

“Ghost Guests and Phantom Portals: Inside the Booking.com Phishing Racket Stalking Hotels and Travelers”

Published: 18 February 2026 09:16Category: Security Awareness & Social EngineeringAuthor: LOGICFALCON

A cunning multi-stage phishing campaign exploits Booking.com partners, weaponizing stolen credentials to target unsuspecting guests in a sweeping fraud operation.

It starts with a complaint that never existed. A hotel staffer, rushing through a sea of emails, clicks a message disguised as Booking.com correspondence-unaware that a sophisticated criminal syndicate is already two steps ahead. By the time the real guests are contacted via WhatsApp, the scammers have infiltrated the hotel’s system, grabbed live reservation details, and are poised to pounce, demanding urgent payments from travelers who believe they’re speaking to the real Booking.com. Welcome to the new face of phishing: smarter, stealthier, and disturbingly personal.

The Anatomy of a Booking.com Breach

The campaign unfolds in three calculated stages. First, attackers send highly convincing emails to hotel partners, posing as Booking.com with urgent messages about room availability or guest complaints. These emails originate from carefully crafted Gmail accounts and embed links that, at a glance, appear legitimate-right down to using Cyrillic “о” instead of the Latin “o” in “booking,” a trick designed to slip past both human and automated defenses.

Clicking these links leads hotel staff to a near-perfect replica of the Booking.com partner portal. Here, a specialized phishing kit harvests login credentials, using everything from granular HTML mimicry to decoy hotel cleaning company websites to avoid detection. The infrastructure is agile-domains are newly registered, packed with typos and hyphens, and rigged to fingerprint visitors, ensuring only intended targets see the actual phishing portal.

With partner logins compromised, phase two begins. Attackers access genuine booking records and pivot to the guests themselves. Travelers then receive WhatsApp messages-often from verified-looking business accounts-containing real reservation details and a stern 24-hour deadline to pay or risk losing their booking. The links in these messages funnel users to another phishing kit, this time optimized to capture payment data and protected behind Cloudflare CAPTCHAs for added legitimacy.

Unlike earlier attacks that used generic malware, this campaign’s infrastructure is custom-built, with code littered with Russian-language comments and domains registered through privacy-focused registrars. Investigators have dubbed this operation BR-UNC-030, tracking its evolution from simple email lures to a full-blown, multi-stage fraud machine targeting both the hospitality industry and its customers.

The Broader Threat

This campaign marks a chilling escalation in cybercrime targeting the travel sector. By exploiting trust between hotels and their guests, attackers have blurred the line between digital deception and real-world consequences. As phishing kits become more advanced and social engineering more believable, vigilance is no longer optional-it’s a survival skill for both businesses and travelers.

WIKICROOK

  • Phishing Kit: A phishing kit is a set of ready-made tools that allows criminals to quickly create fake websites and steal sensitive user information.
  • Homograph Attack: A homograph attack uses lookalike characters to mimic trusted names or domains, tricking users into interacting with malicious content.
  • Typosquatting: Typosquatting is when attackers use lookalike names of trusted sites or software to trick users into visiting fake sites or downloading malware.
  • Credential Harvesting: Credential harvesting is the theft of login details, such as usernames and passwords, often through fake websites or deceptive emails.
  • Ghost: Ghost involves using cloned or unauthorized devices to impersonate trusted messaging services, tricking users into sharing sensitive data or performing malicious actions.