A sophisticated malvertising campaign has emerged that specifically targets hoteliers and vacation rental operators by impersonating well-known service providers.
Okta Threat Intelligence reports that attackers have used malicious search engine advertisements—particularly sponsored ads on Google Search—to lure unsuspecting hospitality professionals to counterfeit login portals.
The ultimate goal: harvesting credentials for cloud-based property management and guest messaging platforms.
Beginning in mid-2025, researchers observed attackers purchasing sponsored ad placements for at least thirteen reputable hospitality and vacation-rental technology vendors.
When users search for one of these vendors by name, the top sponsored results direct them to look-alike domains that leverage typosquatting variations of legitimate URLs.
Once on the fake site, victims encounter highly convincing replica login pages requesting their corporate email, password, and even phone number.
These malicious ads appeared above the genuine vendor domains in search results, capitalizing on users’ habit of clicking the top links.
Examples include two distinct fake sites promoted above the genuine pages of well-known property management systems.
Oracle Hospitality was among the targeted vendors, with attackers spinning up phishing domains that mirrored Oracle’s branding.
Credential Harvesting and MFA Bypass
The first stage of this campaign focuses squarely on credential harvesting. Fake login forms are engineered not only to capture standard account details but also to phish multi-factor authentication (MFA) codes.
Some phishing pages explicitly prompt for a “One-time password,” while others offer “Sign in with SMS Code” or “Email Code” options immediately after a password submission.

Victims who enter their phone numbers are then prompted to provide one-time SMS codes, enabling attackers to bypass MFA protections.
Further analysis of the phishing sites’ source code revealed a JavaScript beaconing function:
The Russian-language error message (“Ошибка запроса,” meaning “Request error”) and comment (“Запускаем запрос каждые 10 секунд,” meaning “We start the request every 10 seconds”) suggest potential ties to Russian-speaking threat actors.
Okta has also observed the use of a Russian datacenter proxy provider during the attackers’ sign-in attempts.
Beaconing for Real-Time Victim Analytics
In addition to credential capture, the phishing pages employ beaconing techniques to harvest real-time analytics on victims. Data points include:
- Visitor metrics and session duration.
- Geolocation details.
- Bot-activity detection.
- Status monitoring for phishing-page uptime.
This intelligence enables attackers to refine their social engineering lures, target specific geographies or network environments, and ensure their phishing pages remain undetected by automated defenses.
At least a dozen hospitality technology providers have been impersonated in this campaign. Given the critical role of cloud-based property management and guest communication platforms in daily hotel operations, successful compromise of these accounts can yield unauthorized access to reservations, guest data, and financial information.
Threat actors may exploit stolen credentials to manipulate bookings, intercept guest communications, or deploy ransomware tailored to hospitality environments.
Mitigations
Okta urges affected organizations and their partners to adopt the following controls:
- Phishing-Resistant Authenticators: Enroll all customers and partners in strong, possession-based authenticators such as passkeys (FIDO2/WebAuthn), Okta FastPass, or smart cards. Enforce phishing-resistance policies for high-risk applications.
- Adaptive Risk Assessments: Deny or require elevated authentication for access attempts originating from rarely used IP ranges or geographies. Automate anomaly detection to flag deviations from normal user activity.
- Domain Monitoring and Takedowns: Continuously scan for suspicious domain registrations that mimic your brand. Review hosting content for intellectual property infringement and issue takedown requests when necessary.
- User Awareness and Notifications: Warn users about emerging malvertising threats targeting your organization. Immediately notify end users if suspicious login attempts or credential-phishing activity is detected on their accounts.
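The domain-monitoring control above can be partly automated. As an added example that is not Okta's or any vendor's code, this Python check scores candidate domain registrations against constructed brand labels and flags the typosquatted, homoglyph and "brand-plus-login" look-alikes this campaign relied on; the lure-word list and distance thresholds are assumptions.

```python
"""Flag registered domains that imitate a protected hospitality-tech brand.
Added example (not Okta's or any vendor's tooling): candidate labels are
normalised for homoglyph swaps, stripped of lure words, and compared with
brand labels by edit distance. All domains below are constructed."""
import re
from typing import Optional

LEGIT_DOMAINS = {"examplepms.com", "guestmsg.io"}          # constructed brands
BRANDS = sorted({d.split(".")[0] for d in LEGIT_DOMAINS})  # examplepms, guestmsg
LURE_WORDS = "login|signin|portal|secure|account|auth"      # assumed lure tokens
LURE_RE = re.compile(rf"^(?:{LURE_WORDS})-?|-?(?:{LURE_WORDS})$")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(label: str) -> str:
    """Undo digit-for-letter and rn/vv tricks so 'examp1eprns' reads 'examplepms'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap neighbours."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]

def classify(domain: str, max_distance: int = 2) -> Optional[str]:
    """Return why the domain looks like a brand impersonation, or None if it is clean."""
    domain = domain.lower().strip(".")
    if domain in LEGIT_DOMAINS:
        return None
    # Second-level label only; a real deployment would consult the public suffix list.
    label = domain.split(".")[-2] if "." in domain else domain
    norm = normalize(label)
    for brand in BRANDS:
        if label == brand:
            return f"{brand} label on an unexpected TLD"
        if norm == brand:
            return f"homoglyph spelling of {brand}"
        if LURE_RE.sub("", norm) == brand:
            return f"{brand} padded with a login lure word"
        limit = min(max_distance, len(brand) // 4)  # tighter threshold for short brands
        if edit_distance(norm, brand) <= limit:
            return f"within {limit} edits of {brand}"
    return None
```

Feed it the daily zone-file or certificate-transparency feed of new registrations and route any non-None result to the takedown workflow described above.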