A vast phishing campaign is targeting travelers globally, utilizing over 4,300 newly created malicious domains to pilfer payment card details. The operation systematically impersonates well-known travel brands to dupe individuals into divulging sensitive financial information, posing a significant threat to online security for those planning or experiencing travel.
Researchers have uncovered a sophisticated and large-scale phishing operation centered around travel-related scams. The campaign leverages an extensive network of over 4,300 fake websites designed to trick unsuspecting users into submitting their payment card information. This coordinated effort exploits the trust people place in familiar travel booking platforms, creating a believable facade for malicious intent.
Massive Phishing Attack Leverages 4,300+ Malicious Domains to Target Travelers
The current widespread phishing attack, identified by cybersecurity researchers, is specifically targeting individuals engaged in travel arrangements or in the process of checking into accommodations. Attackers are dispatching fake booking confirmation emails that expertly mimic legitimate communications from trusted travel companies. These deceptive emails aim to prompt immediate action, often citing urgency to avoid cancellation, pushing victims to overlook potential red flags.
The perpetrators behind this operation have established a network of websites that closely resemble authentic hotel reservation pages. These sites are equipped with familiar logos and professional layouts, making them exceptionally difficult for the average user to distinguish from legitimate online services. This meticulous design plays a crucial role in the campaign’s success, capitalizing on the user’s expectation of a secure and familiar online environment when booking travel.
According to Netcraft security researchers, the threat actor behind this extensive campaign appears to be Russian-speaking, a conclusion drawn from extensive Russian language comments embedded within the source code of the phishing kit. The operation commenced in February 2025 and has demonstrated a consistent and alarming growth trajectory, with the attacker registering new domains at an almost daily rate. A notable surge in domain registrations occurred on March 20, 2025, with an astonishing 511 domains being registered within a single day.
The newly registered domains exhibit consistent naming patterns, often incorporating phrases such as “confirmation,” “booking,” “guestverify,” “cardverify,” or “reservation,” frequently combined with random numerical sequences. This systematic approach to domain registration suggests a well-organized and strategic effort to create a vast infrastructure for the phishing campaign. The attacker predominantly utilizes four domain registrars: WebNIC, Public Domain Registry, Atak Domain Bilgi Teknolojileri A.S., and MAT BAO Corporation, indicating a reliance on specific services for managing their illicit online presence.
Adding to the campaign’s sophistication, several hundred domains specifically reference luxury and boutique hotels from various global locations. This tactic aims to enhance the scam’s perceived authenticity and target specific demographics, making the fraudulent offer appear more tailored and convincing to potential victims who may be researching or booking stays at these particular establishments.
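The naming pattern described above (lure words such as "guestverify" or "cardverify" plus a numeric run, fresh registration, one of the named registrars) can be turned into a simple triage score for a newly registered domain feed. This is an added defender-side example, not code from Netcraft or the article; the weights, threshold, allowlist and the sample feed are constructed assumptions to tune against your own data.

```python
import re

# Name fragments the article says recur in the campaign's domains.
LURE_WORDS = ("confirmation", "booking", "guestverify", "cardverify", "reservation")
# Registrars the article lists as the ones the attacker predominantly used.
WATCHED_REGISTRARS = {"webnic", "public domain registry",
                      "atak domain bilgi teknolojileri a.s.", "mat bao corporation"}
# Constructed allowlist: registrable domains you know belong to the real brands.
ALLOWLIST = {"booking.com"}
DIGIT_RUN = re.compile(r"\d{3,}")
FLAG_THRESHOLD = 4  # assumption: tune against your own feed

def registrable_name(domain: str) -> str:
    """Second-level label of a two-label domain (assumption: no multi-part TLDs)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_domain(domain, registrar="", age_days=None):
    """Return (score, reasons); higher means the domain looks more like this campaign."""
    d = domain.lower().strip(".")
    if d in ALLOWLIST:
        return 0, ["allowlisted"]
    name = registrable_name(d)
    score, reasons = 0, []
    hits = [w for w in LURE_WORDS if w in name]
    if hits:
        score += 2 * len(hits)
        reasons.append("lure words: " + ",".join(hits))
    if DIGIT_RUN.search(name):
        score += 2
        reasons.append("numeric run in name")
    if registrar.lower() in WATCHED_REGISTRARS:
        score += 1
        reasons.append("registrar seen in campaign")
    if age_days is not None and age_days <= 30:
        score += 2
        reasons.append("registered in last 30 days")
    return score, reasons

def triage(records):
    """records: iterable of (domain, registrar, age_days); returns domains at/above threshold."""
    return [d for d, r, a in records if score_domain(d, r, a)[0] >= FLAG_THRESHOLD]

# Constructed sample feed (not real indicators from the campaign).
SAMPLE_FEED = [
    ("guestverify-confirmation-48213.com", "WebNIC", 1),
    ("hotel-cardverify7731.net", "MAT BAO Corporation", 3),
    ("booking.com", "", 9000),
    ("myreservation.org", "", 4000),
    ("example.com", "", 10000),
]

if __name__ == "__main__":
    for dom, reg, age in SAMPLE_FEED:
        s, why = score_domain(dom, reg, age)
        print(f"{dom:40} {s:2} {'FLAG' if s >= FLAG_THRESHOLD else 'ok  '} {why}")
```

A single lure word on its own stays below the threshold, so legitimate names like "myreservation.org" are not flagged; the combination with a numeric run and recent registration is what lifts a domain over it.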
Redirection Chain Enhances Evasion and Deception
The phishing attack employs a multi-stage redirection system, a technique designed to deliberately obfuscate the trail back to the attackers and hinder efforts to block the malicious links. When a user clicks on a “Confirm Booking” button within a fraudulent email, they are not immediately directed to the phishing website.
Instead, the initial link directs the victim to an outdated, unused domain originally registered in 2016 for a movie promotion. This intermediary domain then redirects the user to a page hosted on Blogspot, Google’s free blogging platform. Finally, this Blogspot page provides the last redirect, leading the victim to the actual phishing page. This elaborate redirection chain serves multiple strategic purposes for the attackers.
This complex redirection strategy significantly aids the attackers in evading detection by security software and filtering systems that might flag direct links to known malicious sites. Furthermore, leveraging legitimate platforms like Blogspot adds a layer of perceived trustworthiness, as the intermediate URL appearing on a well-known service can lower a user’s suspicion. The layered redirection also complicates investigative efforts by security researchers attempting to trace the operation’s final destination and dismantle its infrastructure.
Upon reaching the phishing page, users are presented with what appears to be a legitimate hotel booking confirmation form. The page includes a simulated Cloudflare CAPTCHA, which does not actually function but uses Cloudflare branding to foster a false sense of security. After navigating this fake security check, victims are prompted to enter their payment card details, including the cardholder’s name, card number, CVV code, and expiration date.
The phishing page runs a Luhn checksum on the entered card number (the standard check-digit test that rejects mistyped or made-up numbers) so that only plausibly valid cards are passed to the fraudulent transaction the attackers attempt in the background. At the same time, a support chat window appears, showing automated messages that instruct victims to confirm SMS notifications from their bank. These SMS notifications are, in reality, genuine fraud alerts triggered by the unauthorized charges the attackers are attempting to process.
The phishing kit is reportedly furnished with advanced capabilities, including support for 43 different languages, indicating a broad international target scope. It also features real-time polling functionality that transmits user keystrokes back to the attacker’s server approximately once per second, allowing for immediate data harvesting. The pages utilize a unique identifier known as an “AD_CODE” within the URL, a mechanism that dictates which travel brand the site will impersonate, allowing for customized branding on a single domain across various campaigns.
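Two of the kit behaviours just described leave traces in outbound web logs: the AD_CODE query parameter and the roughly once-per-second keystroke upload. The following is an added detection example, not code from the article or the phishing kit; the log format and the sample lines are constructed, and the hostnames are placeholders rather than real campaign indicators.

```python
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log: "timestamp client method url" (not real traffic from the campaign).
SAMPLE_LOG = """\
2025-03-21T10:00:00 10.0.0.5 GET https://guestverify-91342.example/confirm?AD_CODE=7f3a
2025-03-21T10:00:01 10.0.0.5 POST https://guestverify-91342.example/poll
2025-03-21T10:00:02 10.0.0.5 POST https://guestverify-91342.example/poll
2025-03-21T10:00:03 10.0.0.5 POST https://guestverify-91342.example/poll
2025-03-21T10:00:04 10.0.0.5 POST https://guestverify-91342.example/poll
2025-03-21T10:00:05 10.0.0.5 POST https://guestverify-91342.example/poll
2025-03-21T10:01:00 10.0.0.9 POST https://mail.example/api/send
2025-03-21T10:01:30 10.0.0.9 POST https://mail.example/api/send
"""

def parse_log(text):
    """Yield (timestamp, client, method, url) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield datetime.fromisoformat(fields[0]), fields[1], fields[2], fields[3]

def ad_code_hits(entries):
    """Requests whose URL carries AD_CODE, the parameter the kit uses to pick a brand."""
    hits = []
    for _ts, client, _method, url in entries:
        parts = urlsplit(url)
        code = parse_qs(parts.query).get("AD_CODE")
        if code:
            hits.append((client, parts.hostname, code[0]))
    return hits

def polling_hosts(entries, min_posts=5, max_gap=1.5):
    """(client, host) pairs with >= min_posts consecutive POSTs <= max_gap seconds apart,
    matching the cadence of the kit's once-per-second keystroke upload."""
    posts = {}
    for ts, client, method, url in entries:
        if method == "POST":
            posts.setdefault((client, urlsplit(url).hostname), []).append(ts)
    flagged = []
    for key, times in posts.items():
        times.sort()
        run = 1
        for earlier, later in zip(times, times[1:]):
            run = run + 1 if (later - earlier).total_seconds() <= max_gap else 1
            if run >= min_posts:
                flagged.append(key)
                break
    return flagged

def analyse(text):
    entries = list(parse_log(text))
    return ad_code_hits(entries), polling_hosts(entries)
```

The cadence check alone will also match legitimate chat or telemetry endpoints, so treat a hit as a lead to combine with the AD_CODE hit and the domain's registration age rather than as a verdict on its own.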
This adaptability enables the attackers to conduct multiple phishing campaigns concurrently using the same underlying infrastructure, tailoring the presented pages to specific victim segments and impersonated brands. The ongoing nature of this operation and its sophisticated techniques highlight the persistent threat of phishing to online consumers, particularly in sectors involving financial transactions and personal data exchange.