Executive Summary
In early 2025, a Russian-speaking threat group orchestrated a widespread phishing campaign targeting the hospitality sector by registering over 4,300 fraudulent travel and hotel websites. Posing as legitimate booking platforms, the attackers lured hotel guests via persuasive spam emails, harvesting sensitive payment data and personal information from unsuspecting travelers. The threat actor leveraged sophisticated domain registration strategies and rapid site turnover to evade detection, resulting in a significant exposure of financial data and reputational harm to both guests and affected hospitality brands.
This incident signals an ongoing trend of highly targeted phishing operations in the travel industry, exploiting the surge in online bookings and trust in familiar brand identities. The campaign underscores the critical need for advanced threat detection, greater scrutiny of online domains, and robust security awareness for organizations and their customers.
Why This Matters Now
Phishing campaigns using deceptive domains have evolved in scale and sophistication, leveraging automation and globalization to rapidly target vulnerable industries like hospitality. Immediate action is required as attackers increasingly exploit consumer trust in travel websites, causing both business and personal financial losses.
Attack Path Analysis
The attacker initiated the campaign by creating thousands of phishing domains and distributing malicious emails to hotel guests, leading to initial credential compromise. Using stolen credentials or intercepted session data, they likely attempted to escalate privileges within targeted cloud or SaaS hotel systems. Once a foothold was gained, the threat actor would seek opportunities for lateral movement between cloud workloads or services. Persistence was maintained and command-and-control established via outbound callbacks to attacker infrastructure using the phishing domains. Guest payment and reservation data was exfiltrated through covert outbound or encrypted channels. Finally, the attackers monetized the stolen data, causing financial loss and reputational damage to hotels and their guests.
Kill Chain Progression
Initial Compromise
Description
Attackers created 4,300 fake travel domains and sent phishing emails to hotel guests, tricking them into submitting credentials or payment data.
Related CVEs
CVE-2025-8088
CVSS 7.8
A directory traversal vulnerability in WinRAR versions prior to 7.13 allows attackers to place malicious files in sensitive system locations, enabling remote access and further attacks after a system reboot.
Affected Products:
RARLAB WinRAR – < 7.13
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Phishing: Spearphishing Link
Acquire Infrastructure: Domains
Compromise Infrastructure: Domains
User Execution: Malicious Link
Email Collection
Exfiltration Over C2 Channel
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect critical data from unauthorized access
Control ID: 2.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Phishing-Resistant Authentication and Monitoring
Control ID: Identity Pillar - Phishing Resistance
NIS2 Directive – Technical and Organisational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Hospitality
Direct target of Russian phishing campaign using 4,300+ fake travel domains to steal hotel guest payment data through fraudulent reservation emails.
Leisure/Travel
Mass phishing operation specifically targets travel customers with fake booking sites, requiring enhanced egress security and threat detection capabilities.
Financial Services
Payment data theft from hospitality phishing creates downstream fraud risks, demanding stronger encrypted traffic protection and anomaly detection systems.
Computer/Network Security
Russian campaign demonstrates need for advanced threat detection, zero trust segmentation, and multicloud visibility solutions against sophisticated phishing operations.
Sources
- Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data: https://thehackernews.com/2025/11/russian-hackers-create-4300-fake-travel.html (Verified)
- Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data: https://www.guardianmssp.com/2025/11/13/russian-hackers-create-4300-fake-travel-sites-to-steal-hotel-guests-payment-data/ (Verified)
- Thousands of fake travel sites used in ongoing Russian phishing campaign: https://www.scworld.com/brief/thousands-of-fake-travel-sites-used-in-ongoing-russian-phishing-campaign (Verified)
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Network segmentation, strong egress controls, and multicloud visibility would have limited attacker movement, prevented data exfiltration, and detected anomalies across cloud workloads. Applying Zero Trust segmentation and comprehensive threat detection would disrupt or detect adversary actions at each kill chain stage.
Control: Threat Detection & Anomaly Response
Mitigation: Detected large-scale phishing attempts and suspicious inbound traffic targeting hotel cloud assets.
Control: Zero Trust Segmentation
Mitigation: Limited attacker's ability to access high-value systems even after credential compromise.
Control: East-West Traffic Security
Mitigation: Detected and blocked unauthorized east-west movement within and across clouds.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized outbound traffic to malicious domains and C2 infrastructure.
Control: Encrypted Traffic (HPE)
Mitigation: Blocked or detected outbound data exfiltration attempts, even over encrypted channels.
Accelerated incident response and limited blast radius by providing real-time visibility into affected assets.
Impact at a Glance
Affected Business Functions
- Reservations
- Payments
- Customer Service
Estimated downtime: 7 days
Estimated loss: $5,000,000
Personal and financial information of hotel guests, including payment card details, full names, addresses, and travel itineraries, was exposed due to the phishing campaign.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation to restrict lateral movement and limit exposure from compromised credentials.
- Enforce strict egress policies and encrypted traffic inspection to identify and block suspicious outbound connections and exfiltration attempts.
- Leverage multicloud visibility tools for real-time threat detection, baselining, and rapid incident response across cloud workloads.
- Apply workload-to-workload east-west traffic controls to minimize internal attack surface and detect abnormal communications.
- Continuously monitor for anomalous access and phishing-related traffic using automated threat intelligence and detection capabilities.
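The egress-monitoring recommendations above are easier to act on with a concrete triage rule. The following Python script is an added example, not code from the original brief or from the vendor it describes: it parses constructed proxy log lines and flags outbound connections to hosts that reuse travel/booking brand words without being on the organisation's allowlist, or whose domain was registered within the last 90 days (the campaign's hallmark of fresh, fast-turnover domains). The allowlist, the brand keyword list, the log format and the registration dates are all constructed for the demonstration; in production the registration date would come from a WHOIS/RDAP lookup and the allowlist from the organisation's own records.

```python
"""Flag outbound connections to lookalike travel/booking hosts in proxy logs.

Added example, not part of the original brief. Every name, date and log
line below is constructed for the demonstration.
"""
from datetime import date
import re

# Constructed allowlist of booking/partner domains the business really uses.
ALLOWLIST = {"example-hotels.com", "bookingpartner.example"}

# Brand words a phishing operator reuses to pass as a booking site.
BRAND_KEYWORDS = ("booking", "hotel", "travel", "reservation")

# Constructed registration dates standing in for WHOIS/RDAP results.
REGISTRATION_DATE = {
    "example-hotels.com": date(2012, 3, 1),
    "bookingpartner.example": date(2016, 7, 9),
    "hotel-reservation-confirm.com": date(2025, 2, 20),
    "secure-booking-pay.net": date(2025, 3, 2),
}

# Constructed proxy log: timestamp, source IP, destination host, bytes out.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.20.1.15 example-hotels.com 1820
2025-03-04T09:12:07Z 10.20.1.15 hotel-reservation-confirm.com 45210
2025-03-04T09:13:44Z 10.20.1.22 bookingpartner.example 960
2025-03-04T09:15:09Z 10.20.1.22 secure-booking-pay.net 38800
2025-03-04T09:16:30Z 10.20.1.30 cdn.example-hotels.com 4100
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
MAX_AGE_DAYS = 90  # domains younger than this are treated as suspicious


def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels).

    Real deployments should use a public-suffix list so that hosts under
    multi-label suffixes such as co.uk are handled correctly.
    """
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def is_allowlisted(host):
    """True when the host belongs to an allowlisted registrable domain."""
    return registrable_domain(host) in ALLOWLIST


def parse_line(line):
    """Parse one constructed log line; return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, host, nbytes = m.groups()
    return {"ts": ts, "src": src, "host": host, "bytes_out": int(nbytes)}


def flag_events(log_text, today=date(2025, 3, 4)):
    """Return (host, src, reasons) for each connection that merits review."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or is_allowlisted(ev["host"]):
            continue
        reasons = []
        dom = registrable_domain(ev["host"])
        if any(k in dom for k in BRAND_KEYWORDS):
            reasons.append("travel/booking lookalike")
        reg = REGISTRATION_DATE.get(dom)
        if reg is not None and (today - reg).days <= MAX_AGE_DAYS:
            reasons.append(f"registered {(today - reg).days} days ago")
        if reasons:
            findings.append((ev["host"], ev["src"], reasons))
    return findings


if __name__ == "__main__":
    for host, src, reasons in flag_events(SAMPLE_LOG):
        print(f"{src} -> {host}: {'; '.join(reasons)}")
```

Running the script prints the two constructed lookalike destinations; the allowlisted hosts, including the `cdn.` subdomain of a legitimate domain, are skipped. The registration-age check is deliberately separate from the keyword check so that a freshly registered domain without brand words still surfaces, which is what an egress policy that blocks or alerts on young domains needs.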