A Russian-speaking threat actor has orchestrated an extensive phishing campaign that has registered over 4,300 malicious domains targeting travelers since the beginning of 2025.
The sophisticated operation customizes phishing pages to impersonate legitimate travel industry giants including Airbnb, Booking.com, Expedia, and Agoda, deceiving unsuspecting users into surrendering payment card information under the guise of hotel reservation confirmations.
The attack begins with targeted malspam emails claiming to confirm hotel reservations, prompting recipients to click links that ostensibly lead to booking websites.
However, these links redirect users through multiple intermediary sites, sometimes via abandoned domains or free blogging platforms, before landing on the phishing page. This layered redirection aims to evade security filters and complicate attribution.


The phishing kit demonstrates remarkable technical sophistication. It uses a unique identifier system, “AD_CODE,” embedded in URLs to customize the page’s branding based on visitor preferences.
The same phishing domain can impersonate multiple legitimate travel brands depending on which AD_CODE value appears in the URL. Visitors accessing the site without a valid AD_CODE encounter a blank page or error message, preventing security researchers and unauthorized users from easily discovering the scam.
Global Reach and Language Support
The campaign exhibits comprehensive international targeting, with phishing pages translated into 43 different languages. This multilingual approach enables the threat actor to cast a vast net, targeting travelers worldwide.


The pages include fake “online help chat” windows and bogus CAPTCHAs spoofing Cloudflare branding, design elements specifically chosen to increase legitimacy and manipulate targets into completing the fraudulent transaction.
Analysis reveals consistent naming conventions across the malicious domains, incorporating travel-related keywords like “verification,” “confirmation,” “booking,” “cardverify,” and “guestverify.” Of the 4,344 identified domains, 685 contain “Booking,” 18 reference “Expedia,” 13 mention “Agoda,” and 12 invoke “Airbnb.”


Notably, the threat actor has registered specific domains impersonating boutique hotels worldwide, including properties in Nepal, Germany, Greece, Spain, and Brazil.
The registration pace is staggering: typically 10 to 65 domains weekly, with an extraordinary spike on March 20, 2025, when the attacker registered at least 511 domains in a single day.
The threat actor predominantly uses four registrars: WebNIC, Public Domain Registry, Atak Domain Bilgi Teknolojileri A.S., and MAT BAO Corporation, alongside specialized TLDs including .world, .sale, and .help.
Technical Implementation and Data Harvesting
Once on the phishing page, visitors encounter forms requesting payment card details including cardholder names, card numbers, CVVs, and expiration dates.
One early version of the phishing page displays the name “Hotel Palazzo Argenta” overlaid on an image reading “Verification In Progress,” shown in the wrong aspect ratio, along with “check in” and “check out” dates.


The pages perform Luhn validation to verify card formatting before attempting background transactions. Concurrently, a fabricated support chat window displays instructions encouraging victims to provide payment information as an “extra measure” against fake bookings.
Using the same AD_CODE value on different sites within the cluster of phishing domains that were still operational at the time of testing resulted in the same brand impersonation appearing on all of them.
Behind the scenes, the phishing infrastructure continuously polls the web server, transmitting real-time updates on user keystrokes, submitted card data, and chat interactions, a data harvesting mechanism designed for maximum information extraction.
Russian-language comments and debug output permeate the phishing kit’s source code, with the HTML extensively commented in Russian.
This linguistic fingerprint, combined with the technical sophistication and scale of operations, strongly suggests Russian-speaking cybercriminals orchestrating this campaign, likely marketing the customizable phishing kit to other threat actors within criminal forums.
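As an added defender-side example (not code from the report or the phishing kit), the script below triages URLs from a proxy or mail log by combining three traits described above: lure keywords in the hostname, the TLDs the actor favours, and the presence of an AD_CODE parameter. The legitimate brand domains, the scoring threshold and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Legitimate brand domains (and their subdomains) that the kit impersonates; assumed allowlist.
LEGIT_DOMAINS = {"booking.com", "airbnb.com", "expedia.com", "agoda.com"}
# Lure keywords and brand names observed in the campaign's domain naming conventions.
LURE_WORDS = ("verification", "confirmation", "booking", "cardverify",
              "guestverify", "expedia", "agoda", "airbnb")
# TLDs the report associates with the actor's registrations.
SUSPICIOUS_TLDS = (".world", ".sale", ".help")


def is_legit_host(host):
    """True if host is one of the allowlisted brand domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def score_url(url):
    """Return (score, reasons) for one URL; a higher score means more suspicious."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if is_legit_host(host):
        return 0, reasons
    if any(w in host for w in LURE_WORDS):
        reasons.append("lure keyword in hostname")
    if host.endswith(SUSPICIOUS_TLDS):
        reasons.append("TLD used by the campaign")
    # The kit selects its branding from an AD_CODE value carried in the URL.
    query_keys = {k.lower() for k in parse_qs(p.query, keep_blank_values=True)}
    if "ad_code" in query_keys:
        reasons.append("AD_CODE parameter")
    return len(reasons), reasons


def triage(urls, threshold=2):
    """Return (url, reasons) for every URL whose score meets the threshold."""
    hits = []
    for u in urls:
        score, reasons = score_url(u)
        if score >= threshold:
            hits.append((u, reasons))
    return hits


# Constructed sample URLs for the demonstration; not real indicators from the report.
SAMPLE_URLS = [
    "https://www.booking.com/hotel/it/example.html",
    "https://booking-guestverify.world/confirm?AD_CODE=123",
    "https://example.org/blog/post",
    "https://cardverify-reservation.help/?ad_code=77",
    "https://hotel-news.com/page?AD_CODE=9",
]

if __name__ == "__main__":
    for url, why in triage(SAMPLE_URLS):
        print(url, "->", ", ".join(why))
```

A single trait (for example an AD_CODE parameter on an otherwise unremarkable host) is left below the threshold so that a hunt over large logs does not drown in one-signal noise.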
This campaign represents a formidable threat to travelers globally, combining technical sophistication with psychological manipulation to compromise financial information at scale.
