Mimic of Booking.com brand | Image: Bridewell
A sophisticated financial fraud campaign targeting the hospitality sector has resurfaced, victimizing both hotels and their guests. According to a new report from Bridewell, threat actors have launched a two-stage attack designed to steal credentials from hotel staff and then pivot to steal payment data from customers, leveraging the trusted Booking.com brand.
Since the start of January 2026, researchers have observed a surge in malicious activity that marks an evolution of previous fraud schemes. The attackers are no longer just casting a wide net; they are systematically compromising the supply chain of trust between hotels and booking platforms.
The campaign operates through a distinct three-stage infection chain. It begins by targeting the hotel partners themselves, often aiming at service desk agents who manage reservations.
“The threat actor(s) utilise impersonation of the Booking.com platform through two distinct phishing kits dedicated to harvesting credentials and banking information from each victim respectively,” the report states.
- Stage 1 & 2 (The Partner Compromise): Attackers send phishing emails to hotel staff (Booking.com partners) to deploy a dedicated “partner phishing kit.” This kit is designed to harvest the credentials needed to access the hotel’s Booking.com administrative portal.
- Stage 3 (The Customer Fraud): Once inside the hotel’s system, the attackers pivot to the guests. They use the compromised access to send messages—often via WhatsApp—to customers, claiming there was an issue with their payment and urging them to pay again.
This final stage aligns with the previously reported “I Paid Twice” campaign, but the method of initial access has evolved.
“However, the initial delivery and targeting of the retail sector using a dedicated partner phishing kit is a new approach by either the same, or new operators, of the customer phishing kit,” the report notes.
The investigation into the phishing kits revealed potential clues about the perpetrators. Analysis of the code within the customer-facing phishing kit uncovered comments written in Russian.
“Additionally, within the customer phishing kit, we identified the ‘Russian’ word for ‘Error’ within the code comments: //console.error('Ошибка: ' + textStatus + ',' + errorThrown); suggesting that the developer of the customer phishing kit is of Russian origin,” the report confirms.
Researchers noted that this campaign has moved away from general-purpose malware loaders like ClickFix, which were previously used to gain entry into enterprise networks. Instead, the attackers are now using newly generated Gmail addresses and domains to deploy their specialized phishing kits directly.