Phishing, Threat Intelligence

Thousands of fake travel sites used in ongoing Russian phishing campaign

More than 4,300 domains have been registered by Russian threat actors to impersonate widely known booking and rental services, such as Booking.com, Expedia, and Agoda, as part of a phishing campaign that has sought to pilfer hotel guests' payment details since February, The Hacker News reports.

Illicit emails purporting to be about travel reservations sought to lure targets into clicking a booking confirmation link, which redirected to fake sites that support 43 languages and request a deposit payment using the target's card information, according to a Netcraft analysis.

Entering card details, including the CVV number and expiry date, prompts the bogus site to display a "support chat" window showing steps for completing 3D Secure verification of the target's credit card while the site attempts to process the transaction. Although the identity of the threat actors remains uncertain, the activity has been linked to Russia because Russian is used in source code comments and debugger output.

The findings follow a Sekoia report detailing the use of ClickFix in a far-reaching phishing campaign that targeted the hospitality industry and spread the PureRAT malware.
