New Large-Scale Phishing Attack Targets Hoteliers via Ads to Gain Access to Property Management Tools

A novel phishing campaign emerged in late August 2025 that specifically targeted hoteliers and vacation rental managers through malicious search engine advertisements.

Rather than relying on mass email blasts or social media lures, attackers purchased sponsored ads on platforms such as Google Search, typosquatting legitimate service providers’ names to redirect unsuspecting users.

By mimicking brands like SiteMinder and RoomRaccoon, the adversaries ensured that their malicious domains appeared above authentic listings, dramatically increasing the likelihood of victim engagement.

Example of malvertising showing two fake websites promoted above a legitimate domain (Source – Okta Security)

Once a victim clicked on a sponsored link, they were presented with highly convincing fake login portals.

These pages replicated the exact look and feel of established property management and guest messaging platforms, complete with corporate logos, form fields for usernames, passwords, and even multi-factor authentication prompts.

The attackers went so far as to implement social engineering techniques that coaxed users into divulging one-time passwords sent via SMS or email.

By harvesting not only static credentials but dynamic OTP codes, the campaign was engineered for maximal account takeover potential.

Okta Security analysts identified this campaign after observing a sudden spike in outbound traffic from a large Russian datacenter proxy provider to multiple hospitality domains.

Analysis of phishing page source code revealed Russian-language comments and error messages such as “Ошибка запроса” (“Request error”), indicating possible ties to Russian-speaking threat actors.

Moreover, the phishing sites employed JavaScript beaconing scripts to track visitor interactions in real time, collecting geolocation data, session duration, and bot-detection metrics.

Beyond the initial credential harvesting phase, the attackers demonstrated sophisticated persistence tactics. By integrating beaconing functions, they were able to monitor whether victims entered correct credentials and OTPs. A simplified version of their JavaScript beaconing mechanism appears below:

function sendRequest() {
    fetch("/mksd95jld43").catch(error => console.error("Ошибка запроса"));
}
// Send the request every 10 seconds
setInterval(sendRequest, 10000);
Phishing pages (Source – Okta Security)

This request loops every ten seconds, ensuring continuous data exfiltration whenever victims interact with the phishing pages.
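On the defender's side, a timer-driven fetch like this leaves a fixed-interval series of requests to one URL in web-proxy logs. The following is an added example, not code from Okta or the original article: the log format, the `.example` host names, and the `min_hits` and `max_jitter` thresholds are assumptions; only the path `/mksd95jld43` comes from the snippet above.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log lines: "<UTC timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 10.0.0.5 GET https://lookalike.example/mksd95jld43
2025-09-01T10:00:03Z 10.0.0.9 GET https://pms.example/dashboard
2025-09-01T10:00:04Z 10.0.0.9 GET https://pms.example/dashboard
2025-09-01T10:00:10Z 10.0.0.5 GET https://lookalike.example/mksd95jld43
2025-09-01T10:00:20Z 10.0.0.5 GET https://lookalike.example/mksd95jld43
2025-09-01T10:00:30Z 10.0.0.5 GET https://lookalike.example/mksd95jld43
2025-09-01T10:00:41Z 10.0.0.5 GET https://lookalike.example/mksd95jld43
2025-09-01T10:00:50Z 10.0.0.5 GET https://lookalike.example/mksd95jld43
2025-09-01T10:01:30Z 10.0.0.9 GET https://pms.example/dashboard
2025-09-01T10:05:12Z 10.0.0.9 GET https://pms.example/dashboard
2025-09-01T10:09:40Z 10.0.0.9 GET https://pms.example/dashboard
2025-09-01T10:10:00Z 10.0.0.7 GET https://lookalike.example/mksd95jld43
2025-09-01T10:10:10Z 10.0.0.7 GET https://lookalike.example/mksd95jld43
malformed line that the parser must skip
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def find_beacons(log_text, min_hits=5, max_jitter=1.0):
    """Return (client, url, mean_gap_seconds) for each fixed-interval request series."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed record
        ts, client, _method, url = m.groups()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        series[(client, url)].append(stamp.timestamp())
    findings = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue  # too few requests to call it a rhythm
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # A timer-driven fetch has near-constant gaps; human browsing does not.
        if pstdev(gaps) <= max_jitter:
            findings.append((client, url, round(mean(gaps), 1)))
    return sorted(findings)

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Legitimate applications also poll on timers, so a hit is a lead to correlate with domain age and reputation rather than a verdict on its own.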

Infection Mechanism

Delving deeper into the infection mechanism, the campaign’s reliance on malvertising sets it apart from traditional phishing operations.

Rather than exploiting browser vulnerabilities directly, the attackers weaponized search engine advertising to poison the user’s journey from the outset.

By bidding on high-value keywords—often the exact names of hospitality platforms—the malicious ads appeared alongside or above genuine results.

Victims searching for “SiteMinder login” or “RoomRaccoon channel manager” would instead encounter URLs like siteminder.live and rocmracooon.cfd, both of which were visually indistinguishable from legitimate domains.

Example of malvertising directing users to another phishing site (Source – Okta Security)

Upon landing, the phishing pages initiated the JavaScript beacon to confirm victim presence and to capture responses to form fields.

The code forced periodic outbound connections to command-and-control endpoints, ensuring that credentials and OTPs were relayed immediately.

In addition, the attackers engineered the login forms to accept multiple MFA methods—SMS, email, and authenticator apps—thereby maximizing their chances of bypassing any single factor of defense.

Detection of this infection mechanism requires vigilant monitoring of ad campaigns and domain registrations.
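One way to screen domains from ad landing URLs or new-registration feeds against the brands named in this article, as an added example that is not from Okta or the original article. The allowlist of legitimate domains, the verdict labels, and the edit-distance threshold are assumptions; the two flagged domains are the ones quoted above.

```python
# Assumed allowlist: brand label -> domains the organisation really signs in to.
# Confirm these against your vendors' documented login hosts before use.
KNOWN_GOOD = {
    "siteminder": {"siteminder.com"},
    "roomraccoon": {"roomraccoon.com"},
}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, max_distance=2):
    """Return (verdict, brand) for one observed domain name."""
    domain = domain.lower().rstrip(".")
    parts = domain.split(".")
    # Simplification: treats the second-to-last label as the registrable name,
    # which is wrong for multi-part suffixes such as co.uk.
    label = parts[-2] if len(parts) >= 2 else domain
    for brand, good in KNOWN_GOOD.items():
        if domain in good or any(domain.endswith("." + g) for g in good):
            return ("legitimate", brand)
        if label == brand:
            return ("brand-on-foreign-tld", brand)  # exact brand name, unexpected TLD
        if edit_distance(label, brand) <= max_distance:
            return ("lookalike", brand)  # small misspelling of the brand
    return ("unrelated", None)

if __name__ == "__main__":
    for d in ["siteminder.live", "rocmracooon.cfd", "app.siteminder.com", "example.org"]:
        print(d, classify(d))
```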

Organizations should implement adaptive risk assessments to flag sudden requests from unfamiliar networks and promptly investigate any deviations from normal user activity.

By combining threat intelligence with real-time monitoring of ad ecosystems, defenders can disrupt this sophisticated malvertising-driven phishing strategy before it compromises critical hotel management infrastructure.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.