Phishing Campaign Targets Hotel Booking Accounts — Travellers Defrauded

Cybersecurity researchers have uncovered a sophisticated phishing campaign exploiting compromised hotel booking accounts to defraud travellers worldwide. The campaign, active since at least April 2025, uses stolen credentials from hotel administrators to impersonate legitimate communications and direct customers to fraudulent billing pages. Security analysts from Sekoia.io discovered that the operation begins with a multi-stage attack targeting hotel establishments, ultimately installing PureRAT malware. Once attackers gain control of a hotel’s booking account, they execute targeted banking fraud against guests. The campaign involves spear-phishing emails masquerading as legitimate communications, leading victims through a sophisticated redirection infrastructure. The attackers use a JavaScript-based ClickFix attack to deploy PureRAT, which establishes persistence on hotel administrators’ machines. With compromised booking accounts, threat actors send phishing messages to guests, directing them to fake billing pages that mimic authentic interfaces. Unsuspecting travellers who enter their banking credentials become victims of second-billing fraud, paying twice for their reservations. The operation reflects broader trends in cybercriminal professionalization, with attackers outsourcing components of attacks to specialized services.