The phishing page prompts for OTP codes sent via SMS | Image: Okta
Okta Threat Intelligence is sounding the alarm over a large-scale phishing campaign that has been actively impersonating major players in the hospitality and vacation rental sector. The campaign leverages malicious advertising, convincing login pages, and social engineering to compromise sensitive accounts used for hotel and property management services.
The attackers rely heavily on malicious search engine advertisements, particularly Google Search sponsored ads, to lure victims. According to Okta, “In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search.”
These ads often appear above legitimate search results, using domains that mimic the names of trusted hospitality providers. “Observed domains used a typosquatting variation of the legitimate website. A user that navigates to one of these malicious domains is presented a fake login page.”
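One way to hunt for such typosquatted sign-in domains in DNS or web-proxy logs, as an added example that is not from Okta's report. The watchlist, hostnames and function names are constructed for illustration, and the check goes slightly beyond pure typos by also folding look-alike characters and catching a brand name embedded in a longer label.

```python
# Added example: constructed watchlist of the login domains staff really use.
WATCHLIST = ["hotelportal.example", "guestmsg.example"]
# Look-alike characters folded before comparison; hyphens are dropped.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def osa_distance(a, b):
    """Edit distance: insert, delete, substitute, adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def check_domain(host, watchlist=WATCHLIST):
    """Return (legit_domain, reason) when host imitates a watchlist entry, else None."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in watchlist):
        return None  # the real site or one of its subdomains
    for legit in watchlist:
        brand = legit.split(".")[0].translate(FOLD)
        limit = 1 if len(brand) < 10 else 2  # tighter bound for short names
        for label in host.split("."):
            folded = label.translate(FOLD)
            d = osa_distance(folded, brand)
            if d <= limit:
                return legit, f"edit distance {d}"
            if brand in folded:
                return legit, "brand embedded in label"
    return None

def scan(hosts):
    """Map each suspicious hostname to the domain it imitates and why."""
    return {h: v for h in hosts if (v := check_domain(h))}

# Constructed hostnames standing in for DNS or web-proxy log entries.
OBSERVED = ["hotelportal.example", "login.hotelportal.example",
            "hotelprotal.example", "h0tel-portal.test",
            "guestmsg-login.test", "weather.example"]

if __name__ == "__main__":
    for host, (legit, why) in scan(OBSERVED).items():
        print(f"{host}: imitates {legit} ({why})")
```

Hits are leads for review, not verdicts: short brand names and generic words produce false positives, so tune the distance limit to the watchlist.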

Okta confirmed that at least thirteen hospitality companies have been impersonated, including cloud-based property management and guest messaging platforms.
Once victims reach the phishing page, the attackers’ primary goal is credential harvesting. The fake portals are designed to collect usernames, email addresses, phone numbers, and passwords.
Okta notes, “The observed activity demonstrates an intent to bypass or capture multi-factor authentication (MFA) codes. For instance, some phishing pages explicitly prompt for ‘One time password’ or offer ‘Sign in with SMS Code’ and ‘Email Code’ options.”
Screenshots from the campaign show convincing clones of login portals for services like Airbnb and Oracle Hospitality. In some cases, victims are prompted to enter phone numbers, which then trigger requests for OTP codes sent via SMS.
A deeper look into the phishing pages’ source code revealed Russian-language comments and error messages, suggesting the attackers may be Russian-speaking. Okta highlights the following snippet:
The error message translates to “Request error” and the comment reads “We start the request every 10 seconds”. Combined with the use of a large Russian datacenter proxy provider for attacker sign-ins, the evidence points toward operators with ties to Russian infrastructure.
The phishing infrastructure is not just collecting credentials—it’s also designed for tracking and analytics. Okta explains, “The campaign also employs a beaconing technique for tracking and analytics. This allows the attacker to gather valuable real-time information about the victims who have landed on the phishing page, including visitor analytics, geolocation, session duration, bot detection, and status monitoring.”
Okta warns that organizations should monitor for suspicious login attempts, educate users about malicious search ads, and enforce phishing-resistant MFA methods to reduce exposure.
As the report emphasizes, “Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.”