A large-scale phishing campaign targeted Oracle Hospitality through malicious search engine advertisements (malvertising), impersonating its services to deceive users. Victims were redirected to typosquatted domains mimicking legitimate login pages, which harvested credentials, email addresses, phone numbers, and passwords. The attackers bypassed multi-factor authentication (MFA) by capturing one-time passwords (OTP) sent via SMS or email in real time, gaining unauthorized access to cloud-based property management systems. The breach exposed sensitive guest data, including personal information and payment details, stored in these platforms. Technical analysis attributed the operation to Russian-speaking threat actors, who used beaconing techniques to track victims' geolocation, session duration, and engagement. The campaign posed significant risks to Oracle Hospitality's operational integrity, customer trust, and financial security, with potential downstream impacts on booking systems and guest privacy. Security researchers highlighted the need for phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn) and adaptive risk assessments to mitigate future threats. The incident underscores the growing sophistication of industry-specific cyberattacks targeting hospitality providers.
Source: https://cyberpress.org/hotel-phishing-attack/
TPRM report: https://www.rankiteo.com/company/oracle
{
  "id": "ora805090225",
  "linkid": "oracle",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": "hospitality",
      "location": "global",
      "name": "Oracle Hospitality",
      "size": "large enterprise",
      "type": "technology provider"
    },
    {
      "industry": "hospitality",
      "location": "global",
      "name": "Airbnb",
      "size": "large enterprise",
      "type": "vacation rental platform"
    },
    {
      "industry": "hospitality",
      "location": "global",
      "name": "Unnamed hotel and vacation rental providers (11+ others)",
      "type": ["hotel chains", "property management companies", "vacation rental services"]
    }
  ],
  "attack_vector": [
    "malicious advertisements (malvertising)",
    "typosquatted domains",
    "fake login pages",
    "social engineering"
  ],
  "customer_advisories": [
    "avoid clicking on sponsored search ads for hospitality services",
    "verify URLs before entering credentials",
    "report suspicious login pages"
  ],
  "data_breach": {
    "data_exfiltration": ["likely (credentials sold on dark web)"],
    "personally_identifiable_information": [
      "names",
      "email addresses",
      "phone numbers",
      "potential payment card data"
    ],
    "sensitivity_of_data": ["high (financial and personal identifiable information)"],
    "type_of_data_compromised": [
      "credentials (usernames, passwords)",
      "PII (email addresses, phone numbers)",
      "guest data",
      "payment information",
      "booking details"
    ]
  },
  "description": "A sophisticated phishing campaign is targeting the hospitality industry through malicious search engine advertisements (malvertising). Cybercriminals impersonate at least thirteen hotel and vacation rental service providers (including Oracle Hospitality and Airbnb) to steal credentials and breach cloud-based property management systems. The operation employs typosquatted domains, fake login pages, and advanced tactics to bypass multi-factor authentication (MFA), including real-time capture of one-time passwords (OTP) and SMS/email codes. Technical analysis suggests Russian-speaking threat actors, with infrastructure leveraging Russian datacenter proxies and beaconing techniques for victim tracking. The campaign poses significant risks to guest data, payment information, and operational systems across the sector.",
  "impact": {
    "brand_reputation_impact": ["high (due to impersonation of major brands like Oracle Hospitality and Airbnb)"],
    "data_compromised": [
      "guest personal information",
      "payment data",
      "booking system credentials",
      "operational data"
    ],
    "identity_theft_risk": ["high (guest PII and payment data exposed)"],
    "operational_impact": [
      "potential unauthorized access to booking systems",
      "reputation damage",
      "customer trust erosion"
    ],
    "payment_information_risk": ["high (credit card details and transaction data at risk)"],
    "systems_affected": [
      "cloud-based property management systems",
      "guest messaging platforms",
      "authentication systems"
    ]
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": ["stolen credentials", "guest PII"],
    "entry_point": ["malvertising (malicious search engine ads)", "typosquatted domains"],
    "high_value_targets": [
      "cloud-based property management systems",
      "guest messaging platforms",
      "payment processing systems"
    ]
  },
  "investigation_status": "ongoing (active campaign)",
  "lessons_learned": [
    "Malvertising is an effective initial access vector for targeted phishing campaigns.",
    "MFA bypass techniques (e.g., real-time OTP capture) undermine traditional authentication methods.",
    "Typosquatted domains and convincing phishing pages can evade user scrutiny.",
    "Russian-speaking threat actors continue to leverage proxy infrastructure for anonymity.",
    "Hospitality industry is a high-value target due to sensitive guest data and payment systems."
  ],
  "motivation": [
    "financial gain",
    "data theft",
    "fraud (e.g., unauthorized bookings)",
    "sale of credentials on dark web"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Replace SMS/email-based MFA with phishing-resistant alternatives.",
      "Proactively register defensive domains to prevent typosquatting.",
      "Enhance threat intelligence sharing within the hospitality sector.",
      "Deploy solutions to detect and block malicious ads in search results."
    ],
    "root_causes": [
      "Over-reliance on traditional MFA methods vulnerable to real-time phishing.",
      "Lack of visibility into malvertising campaigns targeting brand impersonation.",
      "Insufficient monitoring for typosquatted domains and beaconing activity."
    ]
  },
  "recommendations": [
    "Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn).",
    "Implement adaptive risk assessments to detect anomalous access patterns.",
    "Monitor for suspicious domain registrations (e.g., typosquatting).",
    "Educate employees and customers about malvertising and phishing risks.",
    "Deploy behavioral analytics to detect beaconing and tracking scripts.",
    "Restrict access to property management systems with zero-trust principles.",
    "Collaborate with threat intelligence providers (e.g., Okta) for IOCs."
  ],
  "references": [
    {"source": "Okta Threat Intelligence (contributor: Moussa Diallo)"}
  ],
  "response": {
    "communication_strategy": [
      "customer advisories about impersonation attempts",
      "industry-wide alerts"
    ],
    "containment_measures": [
      "monitoring for suspicious domain registrations",
      "blocking known malicious domains"
    ],
    "enhanced_monitoring": [
      "real-time tracking of typosquatted domains",
      "beaconing detection"
    ],
    "remediation_measures": [
      "implementation of phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)",
      "adaptive risk assessments for unusual access patterns"
    ],
    "third_party_assistance": ["Okta Threat Intelligence (analysis by Moussa Diallo)"]
  },
  "stakeholder_advisories": [
    "warn customers about impersonation attempts",
    "share indicators of compromise (IOCs) with industry peers"
  ],
  "threat_actor": [
    "Russian-speaking cybercriminals",
    "unknown APT/group (potential initial access brokers)"
  ],
  "title": "Large-Scale Phishing Operation Targeting Hospitality Industry via Malvertising",
  "type": ["phishing", "malvertising", "credential harvesting", "MFA bypass"],
  "vulnerability_exploited": [
    "human trust in search engine ads",
    "lack of phishing-resistant authentication",
    "weak MFA implementations"
  ]
}