
Compromising Booking.com partners gives attackers direct access to reservation data, amplifying financial loss for hotels and guests and exposing a critical supply‑chain vulnerability in the travel industry.
The travel‑booking ecosystem has become a lucrative target for cybercriminals, and the latest Booking.com partner phishing campaign illustrates how attackers are chaining multiple vectors to maximize profit. By first infiltrating hotel reservation and service‑desk mailboxes, the actors obtain privileged credentials that grant them real‑time access to booking databases. This access enables a second wave of social engineering, where victims receive WhatsApp messages that appear to come from verified hotel accounts, complete with authentic reservation details and urgent payment prompts.
Technical sophistication underpins the campaign’s success. Threat actors deploy IDN homograph tricks—substituting Cyrillic characters for Latin ones—and typosquatted domains that closely resemble Booking.com’s branding. Their phishing kits replicate the partner login portal down to individual HTML elements, employing fingerprinting techniques such as WebGL checks to filter out security researchers. Unlike earlier variants that relied on generic malware like PureRAT, this operation uses custom-built phishing infrastructure, hosted on newly registered .com domains and protected by Cloudflare CAPTCHAs, making detection and takedown more challenging.
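The two lookalike-domain techniques named above, IDN homographs built from Cyrillic letters and typosquats of the brand, can both be caught before a link is clicked or a message is forwarded. The following is an added example (not code from the article, from Booking.com, or from the campaign's kits) using only the Python standard library: it decodes punycode back to the characters a user sees, flags labels that mix scripts, collapses confusable letters onto their Latin lookalikes, and compares the result to the brand. The confusables map and the "last two labels" notion of a registrable domain are deliberate simplifications, and every sample message and host is constructed for the demo.

```python
"""Flag lookalike domains of the kind used in brand-impersonation phishing:
IDN homographs (Cyrillic letters standing in for Latin ones), typosquats,
and brand names buried in a subdomain. Standard library only."""
import difflib
import re
import unicodedata

BRAND = "booking.com"          # the legitimate brand being impersonated

# Cyrillic/Greek letters that render like Latin letters. Hand-picked for this
# example; a production tool would use the full Unicode confusables table (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u03bf": "o", "\u03b1": "a",
}


def on_wire(domain: str) -> str:
    """Encode a Unicode domain the way it appears in a URL or DNS query (punycode labels)."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels back to the characters a user would see."""
    domain = domain.strip().lower().rstrip(".")
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain          # already Unicode (or not valid punycode): inspect as given


def scripts_used(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, GREEK, ...) among the letters of one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(text: str) -> str:
    """Map confusable letters onto their Latin lookalikes so homographs collapse to the brand."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def classify(domain: str, brand: str = BRAND, threshold: float = 0.8) -> dict:
    """Verdicts: legitimate, homograph, typosquat, brand_lure (brand name in a subdomain), unrelated."""
    shown = to_unicode(domain)
    labels = shown.split(".")
    registrable = ".".join(labels[-2:])   # naive eTLD+1; real code would use the public suffix list
    mixed = any(len(scripts_used(label)) > 1 for label in labels)
    brand_label = brand.split(".")[0]
    if registrable == brand:
        verdict = "legitimate"
    elif skeleton(registrable) == brand:
        verdict = "homograph"
    elif difflib.SequenceMatcher(None, skeleton(registrable), brand).ratio() >= threshold:
        verdict = "typosquat"
    elif brand_label in skeleton(shown):
        verdict = "brand_lure"
    else:
        verdict = "unrelated"
    return {"domain": domain, "shown_as": shown, "mixed_script": mixed, "verdict": verdict}


URL_HOST = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)


def scan_message(text: str) -> list:
    """Classify every host linked from a message; returns one finding per URL."""
    return [classify(host) for host in URL_HOST.findall(text)]


# Constructed sample messages modelled on a guest-facing payment lure.
SAMPLE_MESSAGES = [
    "Your reservation is confirmed: https://admin.booking.com/hotel/12345",
    "URGENT: confirm your card within 24h or the booking is cancelled "
    "https://" + on_wire("b\u043eoking.com") + "/secure-payment",   # Cyrillic 'o' homograph
    "Payment link: https://bookng.com/pay?id=777",                    # typosquat
    "Verify at https://booking.com-guest-verify.net/login",           # brand in a subdomain
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for finding in scan_message(msg):
            print(f"{finding['verdict']:12} {finding['domain']}  (shown as {finding['shown_as']})")
```

The homograph check runs on the decoded form because mail and chat gateways usually see the punycode `xn--` label, while the victim sees the rendered Cyrillic one; flagging on the `mixed_script` field alone catches new homographs the confusables map does not list, at the cost of some false positives on legitimately internationalized domains.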
For hotels and the broader hospitality sector, the breach signals a pressing need to harden partner authentication and monitor outbound communications. Multi‑factor authentication, enforcement of Domain-based Message Authentication, Reporting and Conformance (DMARC), and employee phishing awareness training can mitigate credential theft. Moreover, guests should be educated to verify payment requests through official channels rather than unsolicited messaging apps. As cybercriminals continue to refine supply‑chain attacks, industry stakeholders must adopt a layered defense strategy to protect both business partners and end‑users from evolving fraud schemes.