A large-scale phishing campaign orchestrated by Russian threat actors has targeted **Booking.com** since February 2025, involving the registration of over **4,300 fraudulent domains** mimicking legitimate booking and rental platforms like Expedia and Agoda. The attack specifically aimed to deceive hotel guests into divulging their **payment details**, including credit card information, bank account credentials, and personal identification data. By impersonating trusted booking services, the threat actors exploited user trust to harvest sensitive financial information, leading to potential **fraudulent transactions, identity theft, and financial losses** for affected customers. The scale of the operation suggests a systematic effort to compromise a high volume of users, leveraging social engineering tactics to bypass traditional security measures. While the exact number of victims remains undisclosed, the prolonged duration of the campaign (since February 2025) indicates a sustained and evolving threat, with potential long-term reputational damage to Booking.com due to eroded customer confidence in its platform’s security.
Source: https://www.scworld.com/brief/fake-clinics-used-in-healthcare-phishing-scam
Booking.com cybersecurity rating report: https://www.rankiteo.com/company/booking.com
{
  "id": "BOO2764127111725",
  "linkid": "booking.com",
  "type": "Cyber Attack",
  "date": "2/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'travel/booking services',
                        'location': 'global',
                        'name': 'Booking.com',
                        'type': 'company'},
                       {'industry': 'travel/booking services',
                        'location': 'global',
                        'name': 'Expedia',
                        'type': 'company'},
                       {'industry': 'travel/booking services',
                        'location': 'global',
                        'name': 'Agoda',
                        'type': 'company'},
                       {'location': 'global',
                        'name': 'Hotel guests (unspecified hotels)',
                        'type': 'individuals'}],
 'attack_vector': ['malicious domain registration',
                   'social engineering',
                   'phishing emails/websites'],
 'data_breach': {'data_exfiltration': ['likely (payment details stolen)'],
                 'personally_identifiable_information': ['potentially (linked '
                                                         'to payment details)'],
                 'sensitivity_of_data': ['high'],
                 'type_of_data_compromised': ['payment details']},
 'date_publicly_disclosed': '2025-11-14',
 'description': 'More than 4,300 domains have been registered by Russian '
                'threat actors to impersonate widely known booking and rental '
                'services, such as Booking.com, Expedia, and Agoda, as part of '
                "a phishing campaign that has sought to pilfer hotel guests' "
                'payment details since February 2025.',
 'impact': {'brand_reputation_impact': ['potential reputational damage to '
                                        'Booking.com, Expedia, Agoda, and '
                                        'other impersonated brands'],
            'data_compromised': ['payment details'],
            'identity_theft_risk': ['high (due to stolen payment details)'],
            'payment_information_risk': ['high (primary target of the '
                                         'campaign)']},
 'initial_access_broker': {'data_sold_on_dark_web': ['likely (stolen payment '
                                                     'details)'],
                           'entry_point': ['phishing domains impersonating '
                                           'booking services'],
                           'high_value_targets': ["hotel guests' payment "
                                                  'details'],
                           'reconnaissance_period': ['since at least February '
                                                     '2025']},
 'investigation_status': 'ongoing (as of disclosure date)',
 'motivation': ['financial gain', 'theft of payment details'],
 'references': [{'date_accessed': '2025-11-14', 'source': 'The Hacker News'}],
 'threat_actor': ['Russian threat actors'],
 'title': 'Phishing Campaign Targeting Booking and Rental Services by Russian '
          'Threat Actors',
 'type': ['phishing', 'fraud', 'domain spoofing']}