A sophisticated phishing campaign has been targeting Booking.com partner accounts and hotel managers since at least April 2025. Attackers compromised hotel systems, harvested customer payment data, and then had the audacity to sell access to the compromised accounts on Russian-language forums for anywhere from $5 to $5,000. One user going by the moniker "moderator_booking" allegedly bragged about $20 million in profits.
Here's how the operation works: attackers send emails either from legitimately compromised hotel accounts or impersonating Booking.com itself. The message contains a link that sends victims through a chain of redirects before landing them on a so-called ClickFix lure. Users see a fake popup claiming their browser or system has a security issue and that they need to "fix" it, which in ClickFix lures means copying and running a command the attacker supplies. Classic, reliable, and devastatingly effective.
Once the attackers have partner credentials, they contact hotel guests via email or WhatsApp, claiming there's an issue with banking verification. Here's where it gets clever: the messages include authentic booking details (room numbers, dates, guest names) harvested from the compromised hotel system. That authenticity is the hook. Victims are directed to fake Booking.com payment pages fronted by Cloudflare and backed by Russian infrastructure. The pages mimic the legitimate layout well enough to fool most people into entering payment information.
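The two link-based steps above (the redirect chain behind the email link, and the lookalike payment page the guest is sent to) come down to one practical question: where does this link actually land, and is that host really Booking.com? Below is an added example of how an analyst can answer that offline; it is not code from the original post or from Sekoia's report. The HTTP client is injected as a function so the script runs against constructed responses, and every host in it (t.example, cdn-redirect.example, verify-booking.com-guest-payment.example) is invented for illustration, not a real indicator. The legitimate-domain list is likewise an assumption for the example.

```python
"""
Added example (not code from the original post or from Sekoia's report):
walk the redirect chain behind a link from a suspicious "Booking.com" or
hotel email and classify where it finally lands. The fetcher is injected so
the script runs offline against constructed responses; every host below is
invented for illustration and is not a real indicator.
"""
from urllib.parse import urlparse, urljoin
import unicodedata

# Domains that legitimately belong to the brands named in the campaign.
# Assumption for the example: a real deployment maintains this list itself.
LEGIT_DOMAINS = {"booking.com", "agoda.com"}
BRAND_WORDS = ("booking", "agoda")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com/.example; a production
    tool should use the Public Suffix List, e.g. the tldextract package."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if not host.isascii():
        # Internationalised hostname: strip accents so that a homoglyph such
        # as "bookíng.com" folds to "booking.com" and is caught as a lookalike.
        folded = "".join(c for c in unicodedata.normalize("NFKD", host) if c.isascii())
        return "lookalike" if any(w in folded for w in BRAND_WORDS) else "unrelated"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    # "booking.com.evil.example" and "secure-booking-payment.example" both
    # carry the brand name without being registered under it.
    return "lookalike" if any(w in host for w in BRAND_WORDS) else "unrelated"


def follow_redirects(url: str, fetch, max_hops: int = 10) -> list:
    """Follow HTTP redirects without rendering anything.

    `fetch(url)` must return (status_code, location_header_or_None). The hop
    limit keeps an open-redirect loop from hanging the analysis."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def analyze_link(url: str, fetch, max_hops: int = 10) -> dict:
    """Resolve the chain and judge the final landing host."""
    chain = follow_redirects(url, fetch, max_hops)
    final_host = urlparse(chain[-1]).hostname or ""
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        "final_host": final_host,
        "verdict": classify_host(final_host),
    }


# Constructed responses mimicking the pattern described in the post: a bland
# tracking link in the email, two intermediate hops, then a lookalike page.
SAMPLE_RESPONSES = {
    "https://t.example/abc123": (302, "https://cdn-redirect.example/go?id=1"),
    "https://cdn-redirect.example/go?id=1": (302, "/landing?ref=1"),
    "https://cdn-redirect.example/landing?ref=1": (
        303, "https://verify-booking.com-guest-payment.example/"),
}


def sample_fetch(url: str):
    """Offline stand-in for an HTTP client: anything not in the table is a
    final 200 page with no Location header."""
    return SAMPLE_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    for link in ("https://t.example/abc123", "https://www.booking.com/",
                 "https://bookíng.com/partner"):
        result = analyze_link(link, sample_fetch)
        print(f"{link} -> {result['final_host']} after {result['hops']} "
              f"hop(s): {result['verdict']}")
```

To use this against a live link, replace `sample_fetch` with a thin wrapper around a real client that does not auto-follow, for example `requests.get(url, allow_redirects=False, timeout=10)` returning `(r.status_code, r.headers.get("Location"))`, and run it from an isolated analysis host, never from a partner workstation that holds a Booking.com session. Two caveats: the substring match will flag unrelated legitimate sites that happen to contain "booking", so treat "lookalike" as a triage signal rather than a verdict; and hosts presented in punycode form (`xn--...`) should be decoded before classification, since the accent-folding branch only sees the Unicode form.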
The campaign's reach is staggering. Sekoia.io researchers found hundreds of malicious domains, many active for several months as of October 2025, which points to a resilient and highly profitable operation. The attackers have since expanded beyond Booking.com to Agoda accounts. That's not desperation; that's proven success driving expansion.
What's particularly twisted about this operation is that victims were hit twice. They paid the hotel for their reservation, then were steered to the phishing site and paid the cybercriminals again. As Sekoia researchers noted, "We assess with high confidence that the client who fell victim to this fraudulent scheme paid twice for his reservation: once at the hotel and once to the cybercriminal."
This ties directly to the human-factor vulnerabilities I've emphasized throughout my security research. As discussed in my published work on behavioral factors in cybersecurity, training alone doesn't fix the problem when attackers use authentic details to build credibility. The hospitality industry remains an attractive target because guest and employee data provides ready-made social engineering hooks.
The takeaway? When you receive an email claiming to be from Booking.com or your hotel, don't click the links in it. Go directly to the website by typing the URL yourself, and verify any payment or "banking verification" request through a second channel, such as a phone call to the hotel on the number from your original confirmation. Never paste and run a command because a web page told you it would fix a problem; that is the ClickFix step, and no legitimate site asks for it. And if you're running a hotel, assume your Booking.com account is already compromised: change passwords, enable multi-factor authentication, review recent logins and active sessions in the partner portal, and educate staff that legitimate Booking.com communications won't demand urgent action through email links.
