In late August 2025, a sophisticated wave of phishing attacks targeted the hospitality industry, focusing specifically on hoteliers and vacation rental operators. This new approach diverged from traditional phishing emails by leveraging search engines, with attackers purchasing sponsored ads that appeared above legitimate results. These ads redirected potential victims to fake domains masquerading as trusted hospitality management services.
Mimicking Trusted Brands Through Paid Ads
The phishing campaign, identified by analysts at Okta Security, utilized typosquatted domains to closely imitate reputable platforms like SiteMinder and RoomRaccoon. Hotel managers searching for login portals to manage reservations were often met with fraudulent ads. When clicked, these ads led users to meticulously designed imitation login pages, replete with logos and authentication prompts. Uniquely, this attack method included real-time mechanisms for capturing one-time passwords (OTPs). By entering their SMS or email codes, users inadvertently provided the attackers with all they needed for immediate account access.
Okta’s investigation indicated a connection to Russian-speaking developers, evidenced by embedded Russian-language comments in the phishing code, such as “Ошибка запроса” (meaning “Request error”). This gives credence to the idea that this campaign was orchestrated by a skilled group with a clear international footprint.
Persistence Through Real-Time Beaconing
Additionally, the phishing pages incorporated JavaScript beaconing functions to communicate with command-and-control servers every ten seconds. This allowed the attackers to monitor victims’ interactions with the site, enabling them to know whether login attempts were successful or not. This level of tracking provided attackers with vital analytics, such as geolocation and session length, enhancing their understanding of targets.
The attackers capitalized on the manipulation of trust in search engine results by bidding on high-value keywords related to legitimate services. As a result, their fraudulent domains gained higher visibility, effectively overshadowing authentic offerings. This refined blend of ad-based tactics and OTP capture signifies a concerning evolution in phishing strategies, particularly threatening sectors where secure account access is critical to booking systems and sensitive guest data.
Security experts emphasize that organizations within the hospitality sector must be especially vigilant against these sophisticated malvertising campaigns. Monitoring ad placements and recognizing unusual login behaviors are essential for safeguarding operations against potential threats.
In Summary
This alarming trend highlights a crucial need for the hospitality industry to enhance its cybersecurity awareness and measures. As attackers refine their methods, organizations must not only focus on traditional security practices but also adapt their strategies to counteract advanced phishing techniques. Encouraging ongoing training for staff, fostering a culture of cybersecurity awareness, and leveraging technology to detect rogue ads are vital steps in safeguarding trusted brands amid growing challenges.
