What happened
Security researchers at Bridewell identified a phishing campaign against Booking.com partners and customers that chains credential theft from hotel staff with payment fraud against their guests. The first stage is a phishing email to a hotel's reservation or support mailbox carrying a fake guest-complaint link; the link redirects staff to an attacker-controlled login portal that harvests their Booking.com partner credentials. With those credentials the attackers sign in to the legitimate partner account and pull real reservation details. In the second stage they contact the guests over WhatsApp with messages that quote those accurate reservation details, so the messages look like they come from the hotel, and steer them to fake Booking.com payment pages hosted on look-alike domains. The look-alike domains rely on IDN homograph tricks (non-Latin characters that render like the Latin letters of booking.com), and the pages sit behind Cloudflare CAPTCHA challenges, which keeps automated scanners from reaching the phishing content and makes the pages harder to detect while the payment fraud runs.
Who is affected
Booking.com partners, in particular hotel reservation and support staff whose mailboxes receive the phishing emails, and guests with active reservations at those properties. Staff lose their partner credentials; the guests are the targets of the WhatsApp payment fraud built on the stolen booking data.
Why CISOs should care
The campaign shows how credential theft from one trusted partner account turns into downstream fraud against that partner's customers. Because the follow-up messages quote legitimate booking details, they pass the sanity checks a guest would normally apply to an unexpected payment request, which makes both the phishing and the financial theft far more effective than a generic lure.
3 practical actions
- Enforce multi-factor authentication on Booking.com partner accounts so that a harvested password alone cannot open the account; prefer phishing-resistant factors where available, since a one-time code typed into a fake login portal can be replayed by the attacker.
- Monitor partner-account sign-ins. Alert on logins from new countries, devices or networks, on password or MFA resets, and on unusual access to reservation data shortly after an unfamiliar sign-in, which is the step that feeds the WhatsApp stage. Train staff to confirm that any login page reached from an emailed complaint link is actually on booking.com before entering credentials.
- Block look-alike domains. Feed DNS filtering and the web proxy with typosquat and IDN-homograph variants of booking.com (IDN labels appear in DNS as punycode starting with xn--), and review any newly seen domain that embeds the brand name under an unrelated registrable domain.
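The look-alike-domain check described in the incident summary and in the last action above, as an added example that is not Bridewell's or Booking.com's code. It converts a hostname between its Unicode and punycode (xn--) forms with Python's built-in IDNA codec, folds Unicode confusables to an ASCII skeleton, and tags homographs, typosquats, brand names under another TLD, and brand names embedded in unrelated domains. Assumptions: the protected brand is booking.com, the confusables table is a hand-picked subset of the Unicode confusables list, the registrable domain is taken as the last two labels (no Public Suffix List), the built-in codec is IDNA2003 rather than the IDNA2008 `idna` package, and the sample hostnames are constructed for the dry run, not taken from the campaign.

```python
"""Look-alike domain screening for a protected brand (added example, standard library only)."""
import unicodedata

BRAND = "booking.com"              # protected domain; assumption for this example
BRAND_LABEL = BRAND.split(".")[0]  # "booking"

# Hand-picked subset of Unicode confusables plus common digit swaps.
# Assumption: real screening would load the full Unicode confusables.txt table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u043a": "k", "\u0456": "i", "\u0458": "j",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03ba": "k",                                # Greek
    "\u0131": "i",                                                              # dotless i
    "0": "o", "1": "l", "3": "e",                                               # digit swaps
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}  # multi-letter look-alikes


def to_forms(domain):
    """Return (ace, unicode, is_idn) for a hostname given in either form.

    ASCII labels pass through the IDNA codec unchanged; Unicode labels are
    punycode-encoded, so `ace` is what DNS and TLS logs actually show.
    """
    d = domain.strip().rstrip(".").lower()
    try:
        ace = d.encode("idna").decode("ascii")
        uni = ace.encode("ascii").decode("idna")
    except UnicodeError:          # empty label, over-long label, prohibited character
        return d, d, False
    return ace, uni, any(label.startswith("xn--") for label in ace.split("."))


def skeleton(text):
    """Fold text so that visually similar strings compare equal."""
    s = unicodedata.normalize("NFKD", text)                 # split accents and fullwidth forms
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def edit_distance(a, b):
    """Levenshtein distance, iterative O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(uni):
    """Last two labels. Assumption: no Public Suffix List, so co.uk-style suffixes are not handled."""
    return ".".join(uni.split(".")[-2:])


def assess(domain):
    """Classify one hostname against BRAND.

    Returns {"ace", "verdict", "reasons"}; verdict is "legitimate",
    "suspicious" or "unrelated". Plain IDN use alone is not flagged; the
    "idn" tag is only attached when a brand-related hit exists.
    """
    ace, uni, is_idn = to_forms(domain)
    if uni == BRAND or uni.endswith("." + BRAND):
        return {"ace": ace, "verdict": "legitimate", "reasons": []}
    reasons = []
    reg_label = registrable(uni).split(".")[0]
    sk = skeleton(reg_label)
    if sk == BRAND_LABEL:
        reasons.append("homograph" if reg_label != BRAND_LABEL else "brand-other-tld")
    elif edit_distance(sk, BRAND_LABEL) <= 1:
        reasons.append("typosquat")
    elif BRAND_LABEL in skeleton(uni):
        reasons.append("brand-embedded")   # e.g. booking.com.<other-domain>
    if reasons and is_idn:
        reasons.append("idn")
    return {"ace": ace, "verdict": "suspicious" if reasons else "unrelated", "reasons": reasons}


# Constructed sample hostnames for a dry run (not taken from the campaign).
SAMPLE_HOSTS = [
    "booking.com",
    "admin.booking.com",
    "b\u043e\u043eking.com",              # Cyrillic о in place of Latin o
    "b00king.com",
    "bookng.com",
    "booking.com-guest-payment.net",
    "booking.com.reservation-check.net",
    "booking.net",
    "xn--mnchen-3ya.de",                 # ordinary IDN (münchen.de), no brand relation
    "example.com",
]


def scan(hosts=SAMPLE_HOSTS):
    """Return (hostname, assessment) for every host that warrants blocking or review."""
    results = [(h, assess(h)) for h in hosts]
    return [(h, r) for h, r in results if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        r = assess(host)
        print(f"{host:36} {r['ace']:36} {r['verdict']:11} {','.join(r['reasons'])}")
```

Run it as-is to see the dry run, or feed `scan()` the hostnames pulled from DNS or proxy logs. Hits tagged `brand-other-tld` are often defensive registrations and belong on a review list rather than a block list; `homograph` and `brand-embedded` hits are the patterns this campaign used and are safe to block outright.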
