{
  "name": "Booking.com Phishing Campaign Targeting Hotels and Customers",
  "slug": "bookingcom-phishing-campaign-targeting-hotels-and-customers",
  "description": "A sophisticated phishing campaign targeting the hospitality industry has been uncovered, compromising hotel administrators' Booking.com accounts to defraud customers. The attack chain begins with spear-phishing emails impersonating Booking.com, leading to malware infection via the ClickFix social engineering tactic. The malware, identified as PureRAT, allows attackers to steal credentials and access booking platforms. Compromised accounts are then used to send fraudulent messages to hotel guests, tricking them into paying for their reservations a second time. The cybercrime ecosystem supporting these attacks includes services for harvesting hotel administrator contacts, distributing phishing emails, and trading stolen Booking.com account credentials on underground forums.",
  "published": "2026-01-13T18:46:56+00:00",
  "created_at": "2026-01-13T18:46:56+00:00",
  "modified_at": "2026-01-14T10:12:38+00:00",
  "created_at_opencti": "2026-01-13T18:46:56+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-07",
    "2026-01-13",
    "booking.com",
    "clickfix",
    "credential-theft",
    "cybercrime",
    "hospitality",
    "phishing",
    "purerat",
    "social engineering"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "77.83.207.106"
      },
      {
        "id": "",
        "name": "85.208.84.94"
      },
      {
        "id": "",
        "name": "http://verifycard45625-expedia.com/67764524"
      },
      {
        "id": "",
        "name": "http://confirmation8324-booking.com/17149438"
      },
      {
        "id": "",
        "name": "https://headkickscountry.com/lz1y"
      },
      {
        "id": "",
        "name": "https://confirmation887-booking.com/17149438"
      },
      {
        "id": "",
        "name": "https://homelycareinc.com/po7r"
      },
      {
        "id": "",
        "name": "https://customvanityco.com/izsb"
      },
      {
        "id": "",
        "name": "http://confirmation887-booking.com/17149438"
      },
      {
        "id": "",
        "name": "https://cabinetifc.com/upseisser.zip"
      },
      {
        "id": "",
        "name": "https://ctrlcapaserc.com/loggqibkng"
      },
      {
        "id": "",
        "name": "http://cabinetifc.com/upseisser.zip"
      },
      {
        "id": "",
        "name": "http://bkngssercise.com/bomla"
      },
      {
        "id": "",
        "name": "http://byliljedahl.com/8anf"
      },
      {
        "id": "",
        "name": "https://hareandhosta.com/95xh"
      },
      {
        "id": "",
        "name": "http://ctrlcapaserc.com/loggqibkng"
      },
      {
        "id": "",
        "name": "https://verifyguest02667-booking.com/17149438"
      },
      {
        "id": "",
        "name": "http://hareandhosta.com/95xh"
      },
      {
        "id": "",
        "name": "https://verifycard45625-expedia.com/67764524"
      },
      {
        "id": "",
        "name": "https://confirmation8324-booking.com/17149438"
      },
      {
        "id": "",
        "name": "https://bknqsercise.com/bomla"
      },
      {
        "id": "",
        "name": "http://bknqsercise.com/bomla"
      },
      {
        "id": "",
        "name": "http://activatecapagm.com/j8r3"
      },
      {
        "id": "",
        "name": "https://brownsugarcheesecakebar.com/ajm4"
      },
      {
        "id": "",
        "name": "http://brownsugarcheesecakebar.com/ajm4"
      },
      {
        "id": "",
        "name": "https://cquopymaiqna.com/bomla"
      },
      {
        "id": "",
        "name": "http://homelycareinc.com/po7r"
      },
      {
        "id": "",
        "name": "http://seedsuccesspath.com/6m8a"
      },
      {
        "id": "",
        "name": "http://byliljedahl.com/lv6q"
      },
      {
        "id": "",
        "name": "http://verifyguest02667-booking.com/17149438"
      },
      {
        "id": "",
        "name": "https://bqknsieasrs.com/loggqibkng"
      },
      {
        "id": "",
        "name": "https://seedsuccesspath.com/6m8a"
      },
      {
        "id": "",
        "name": "http://guest03442-booking.com/17149438"
      },
      {
        "id": "",
        "name": "https://byliljedahl.com/8anf"
      },
      {
        "id": "",
        "name": "https://cardverify0006-booking.com/37858999"
      },
      {
        "id": "",
        "name": "http://bqknsieasrs.com/loggqibkng"
      },
      {
        "id": "",
        "name": "http://bkngpropadm.com/bomla"
      },
      {
        "id": "",
        "name": "http://ctrlcapaserc.com/bomla"
      },
      {
        "id": "",
        "name": "https://jamerimprovementsllc.com/ao9o"
      },
      {
        "id": "",
        "name": "http://zenavuurwerkofficial.com/62is"
      },
      {
        "id": "",
        "name": "https://activatecapagm.com/j8r3"
      },
      {
        "id": "",
        "name": "http://emprotel.net.bo/updserc.zip"
      },
      {
        "id": "",
        "name": "https://bkngpropadm.com/bomla"
      },
      {
        "id": "",
        "name": "http://cquopymaiqna.com/bomla"
      },
      {
        "id": "",
        "name": "https://bkngssercise.com/bomla"
      },
      {
        "id": "",
        "name": "http://cardverify0006-booking.com/37858999"
      },
      {
        "id": "",
        "name": "https://ctrlcapaserc.com/bomla"
      },
      {
        "id": "",
        "name": "http://customvanityco.com/izsb"
      },
      {
        "id": "",
        "name": "http://jamerimprovementsllc.com/ao9o"
      },
      {
        "id": "",
        "name": "https://zenavuurwerkofficial.com/62is"
      },
      {
        "id": "",
        "name": "https://guest03442-booking.com/17149438"
      },
      {
        "id": "",
        "name": "http://headkickscountry.com/lz1y"
      },
      {
        "id": "",
        "name": "9bab404584f6a0d9d82112d6e017cfa37d0094d97e510101d6a0132fd145dd32"
      },
      {
        "id": "",
        "name": "64838e0a3e2711b62c4f0d2db5a26396ac7964e31500dbb8e8b1049495b5d1f3"
      },
      {
        "id": "",
        "name": "703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1"
      },
      {
        "id": "",
        "name": "5301f5a3fb8649edb0a5768661d197f872d40cfe7b8252d482827ea27077c1ec"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:5d5d6103e33e63df",
        "name": "PureRAT",
        "slug": "purerat"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "6babd5aa-5112-4f14-a660-60d756a65d6d",
        "name": "T1586"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "2969e5a7-1049-4df8-b1ba-8a0675de6b94",
        "name": "T1589"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Hospitality"
      },
      {
        "id": "",
        "name": "admin-extranetmngrxz-captcha.com"
      },
      {
        "id": "",
        "name": "booking-confview-doc-00097503843.com"
      },
      {
        "id": "",
        "name": "guesting-servicesid91202.com"
      },
      {
        "id": "",
        "name": "bookingadmin-updateofmay2705.com"
      },
      {
        "id": "",
        "name": "api-notification-centeriones.com"
      },
      {
        "id": "",
        "name": "jamerimprovementsllc.com"
      },
      {
        "id": "",
        "name": "brownsugarcheesecakebar.com"
      },
      {
        "id": "",
        "name": "mccp-logistics.com"
      },
      {
        "id": "",
        "name": "confsvisitor-missing-items.com"
      },
      {
        "id": "",
        "name": "booking-reservationsdetail-id0025911.com"
      },
      {
        "id": "",
        "name": "update-infos616.com"
      },
      {
        "id": "",
        "name": "mccplogma.com"
      },
      {
        "id": "",
        "name": "whooamisercise.com"
      },
      {
        "id": "",
        "name": "confirmation887-booking.com"
      },
      {
        "id": "",
        "name": "bknqsercise.com"
      },
      {
        "id": "",
        "name": "admin-extranetrservq-cstmrq.com"
      },
      {
        "id": "",
        "name": "homelycareinc.com"
      },
      {
        "id": "",
        "name": "booking-reviewsguestpriv-10101960546.com"
      },
      {
        "id": "",
        "name": "verifycard45625-expedia.com"
      },
      {
        "id": "",
        "name": "cquopymaiqna.com"
      },
      {
        "id": "",
        "name": "zenavuurwerkofficial.com"
      },
      {
        "id": "",
        "name": "reserv-captchaapril04152025.com"
      },
      {
        "id": "",
        "name": "booking-reservationinfosid0251358.com"
      },
      {
        "id": "",
        "name": "cardverify0006-booking.com"
      },
      {
        "id": "",
        "name": "customvanityco.com"
      },
      {
        "id": "",
        "name": "seedsuccesspath.com"
      },
      {
        "id": "",
        "name": "comsquery.com"
      },
      {
        "id": "",
        "name": "bookreservfadrwer-customer.com"
      },
      {
        "id": "",
        "name": "admin-extranetmnxz-captcha.com"
      },
      {
        "id": "",
        "name": "admin-extranet-reservationsinfos.com"
      },
      {
        "id": "",
        "name": "bqknsieasrs.com"
      },
      {
        "id": "",
        "name": "booking-aprilreviewstir-9650233.com"
      },
      {
        "id": "",
        "name": "breserve-custommessagehelp.com"
      },
      {
        "id": "",
        "name": "aidaqosmaioa.com"
      },
      {
        "id": "",
        "name": "confirmation8324-booking.com"
      },
      {
        "id": "",
        "name": "booking-visitorviewdetails-64464043.com"
      },
      {
        "id": "",
        "name": "booking-agreementaprilreviews042025.com"
      },
      {
        "id": "",
        "name": "hareandhosta.com"
      },
      {
        "id": "",
        "name": "admin-extranetadm-captcha.com"
      },
      {
        "id": "",
        "name": "emprotel.net.bo"
      },
      {
        "id": "",
        "name": "whooamisercisea.com"
      },
      {
        "id": "",
        "name": "eiscoaqscm.com"
      },
      {
        "id": "",
        "name": "bkngpropadm.com"
      },
      {
        "id": "",
        "name": "booking-viewdocdetails-0975031.com"
      },
      {
        "id": "",
        "name": "caspqisoals.com"
      },
      {
        "id": "",
        "name": "sqwqwasresbkng.com"
      },
      {
        "id": "",
        "name": "byliljedahl.com"
      },
      {
        "id": "",
        "name": "bkngssercise.com"
      },
      {
        "id": "",
        "name": "update-info1676.com"
      },
      {
        "id": "",
        "name": "booking-agreementstatementapril0225.com"
      },
      {
        "id": "",
        "name": "admin-extranetadmns-captcha.com"
      },
      {
        "id": "",
        "name": "confirminfo-hotel20may05.com"
      },
      {
        "id": "",
        "name": "confvisitor-doc.com"
      },
      {
        "id": "",
        "name": "booking-confviewdocum-0079495902.com"
      },
      {
        "id": "",
        "name": "contmasqueis.com"
      },
      {
        "id": "",
        "name": "verifyguest02667-booking.com"
      },
      {
        "id": "",
        "name": "ctrlcapaserc.com"
      },
      {
        "id": "",
        "name": "activatecapagm.com"
      },
      {
        "id": "",
        "name": "cabinetifc.com"
      },
      {
        "id": "",
        "name": "guest03442-booking.com"
      },
      {
        "id": "",
        "name": "admin-extranet-reservationsexp.com"
      },
      {
        "id": "",
        "name": "booking-agreementstatementapril0429.com"
      },
      {
        "id": "",
        "name": "extranet-admin-reservationssept.com"
      },
      {
        "id": "",
        "name": "headkickscountry.com"
      },
      {
        "id": "",
        "name": "guestinfo-aboutstay1205.com"
      },
      {
        "id": "",
        "name": "booking-refguestitem-09064111.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6966a130c50513e1e22f9582",
    "https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers"
  ]
}