Google Threat Intelligence has exposed a large, ongoing phishing campaign targeting Booking.com users. The investigation, led by security engineer Joseliyo, started from a single phishing message and unraveled a two-tier scam infrastructure that has affected thousands of travelers worldwide.
“One clever thing about this scam is that the threat actors sent messages directly to victims through Booking’s official website,” Joseliyo reported. “They even used the message chats from bookings people had already made.”
The threat actors hijacked existing trust by sending messages inside legitimate Booking.com reservation threads, warning users that "Your reservation is at risk." The messages carried urgent links asking travelers to update their credit card details or face cancellation.
Because Booking.com also forwards in-app messages by email, victims received the phishing message on both channels. Since the notification originates from Booking's own messaging system, sender-based checks do not help here; the tell is that the link leads away from booking.com.

Google identified a two-tier infrastructure behind the phishing campaign:
- Tier 1 Domains – Act as redirectors. They mimic hotel domains (e.g., hostelmandarinkauxeh.eto-la[.]com) and point to…
- Tier 2 Domains – Host the actual phishing content, such as fake Booking.com pages (e.g., booking.confirmation-id9918[.]com).
“The actors registered Tier 1 domains that simply act as redirectors to the Tier 2 domains,” the report explained. “These domains were registered with names similar to ‘Booking’ to make the user think it is the legitimate domain.”
Google's team used VirusTotal and Google Colab to hunt for related phishing URLs by pivoting on:
- Page title patterns such as "One moment…" and "AD not found (captcha2)"
- <meta> tags whose content references real Booking asset domains (e.g., cf.bstatic[.]com)
- Embedded images and hotel names reused across scam pages
Over 1,500 URLs were linked to the Tier 2 infrastructure, dating back to November 2023, with a sharp rise in submissions from January to June 2025.
Google uncovered a RAR archive containing:
- 4,727 records of phishing victims (names, booking info, links)
- Excel files with guest check-in dates, payment methods, and booking prices
- Telegram logs from 118 different threat actor accounts (e.g., @onlycashvvs, @wtmoneko, @cashcali)
“These files contain transaction IDs, hotel names, card numbers, issuing banks, and Telegram operator usernames,” said Joseliyo.
The data suggests a professional operation with dedicated “workers” managing victims through Telegram channels—complete with payment tracking and support escalation.
A significant share of the URLs uncovered in the campaign had zero or only one detection in VirusTotal at the time of analysis. A defender filtering on vendor verdicts alone would have discarded most of this infrastructure; it was the content-based indicators above that tied the URLs together.
“Across all the URLs gathered from both Tier 1 and Tier 2 infrastructure, a significant portion has been flagged with 0 and 1 detections by the security vendors,” Joseliyo warned.
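As an added example (not Google's code and not part of the original report), the following Python sketch applies the hunt indicators described above, namely the title prefixes, cf.bstatic.com references in <meta> and <img> tags, and redirects to Booking-lookalike hosts, to a few constructed records and sorts them into Tier 1 redirectors and Tier 2 phishing pages. The records, the redirect between the two example domains, and the "malicious" field standing in for a VirusTotal detection count are all constructed assumptions; the last function shows how many flagged URLs a detections-only filter would have dropped, which is the point of the quote above.

```python
# Added example (not Google's or VirusTotal's code): content-based hunt rules for the
# two-tier Booking.com phishing infrastructure. Sample records below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH_TITLE_PREFIXES = ("one moment", "ad not found (captcha2)")  # titles seen on Tier 2 pages
BSTATIC_HOST = "cf.bstatic.com"  # real Booking asset host hot-linked by the phishing pages
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class PageIndicators(HTMLParser):
    """Collects <title> text, <meta content=...> values and <img src=...> values."""
    def __init__(self):
        super().__init__()
        self.title, self.meta_contents, self.img_srcs, self._in_title = "", [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("content"):
            self.meta_contents.append(a["content"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_booking_host(host):
    return host == "booking.com" or host.endswith(".booking.com")

def is_lookalike_host(host):
    # e.g. booking.confirmation-id9918.com: carries the brand but is not under booking.com
    return "booking" in host and not is_booking_host(host)

def page_indicators(url, html):
    """Hunt indicators found in page content. Real Booking pages are excluded because
    they legitimately reference bstatic.com."""
    if is_booking_host(host_of(url)):
        return []
    p = PageIndicators()
    p.feed(html)
    hits = []
    title = p.title.strip()
    if title.lower().startswith(PHISH_TITLE_PREFIXES):
        hits.append("title:" + title)
    if any(BSTATIC_HOST in c for c in p.meta_contents):
        hits.append("meta:" + BSTATIC_HOST)
    if any(host_of(s) == BSTATIC_HOST for s in p.img_srcs):
        hits.append("img:" + BSTATIC_HOST)
    return hits

def classify(rec):
    """Tier 1 = redirect to a Booking lookalike host; Tier 2 = page content matches; else None."""
    out = {"url": rec["url"], "tier": None, "indicators": [], "detections": rec["malicious"]}
    loc = rec.get("location")
    if rec["status"] in REDIRECT_STATUSES and loc and is_lookalike_host(host_of(loc)):
        out.update(tier=1, indicators=["redirect:" + host_of(loc)])
    else:
        hits = page_indicators(rec["url"], rec.get("html", ""))
        if hits:
            out.update(tier=2, indicators=hits)
    return out

def triage(records):
    return [classify(r) for r in records]

def low_detection_hits(results, threshold=1):
    """Flagged URLs that a vendor-verdict filter (detections <= threshold) would have dropped."""
    return [r["url"] for r in results if r["tier"] and r["detections"] <= threshold]


# Constructed records. "malicious" stands in for a VirusTotal detection count, and the
# redirect from the Tier 1 to the Tier 2 example domain is an assumption for illustration.
SAMPLE_RECORDS = [
    {"url": "https://hostelmandarinkauxeh.eto-la.com/", "status": 302,
     "location": "https://booking.confirmation-id9918.com/reservation", "malicious": 0},
    {"url": "https://booking.confirmation-id9918.com/reservation", "status": 200, "malicious": 1,
     "html": "<html><head><title>One moment...</title>"
             "<meta property='og:image' content='https://cf.bstatic.com/static/img/hotel.jpg'>"
             "</head><body><img src='https://cf.bstatic.com/xdata/images/hotel/room.jpg'>"
             "<p>Your reservation is at risk</p></body></html>"},
    {"url": "https://www.booking.com/hotel/es/example.html", "status": 200, "malicious": 0,
     "html": "<html><head><title>Hotel Example</title>"
             "<meta property='og:image' content='https://cf.bstatic.com/static/img/hotel.jpg'>"
             "</head></html>"},
    {"url": "https://news.example.org/travel", "status": 200, "malicious": 0,
     "html": "<html><head><title>Travel news</title></head></html>"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_RECORDS)
    for r in results:
        print(r["tier"], r["url"], r["indicators"], "detections:", r["detections"])
    print("missed by a detections-only filter:", low_detection_hits(results))
```

The legitimate www.booking.com page references the same bstatic.com asset host yet is not flagged, which is why the hunt keys on bstatic references from non-Booking hosts rather than on the asset host alone; in a real hunt the records would come from VirusTotal's URL objects rather than the constructed list here.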