New Phising Attack Targeting Travellers From Hotel’s Compromised...

A sophisticated phishing campaign is actively targeting hotel establishments and their guests through compromised Booking.com accounts, according to research uncovered by security experts.

The campaign, dubbed “I Paid Twice” due to evidence of victims paying twice for their reservations, has been operating since at least April 2025 and remains active as of October 2025.

The attack scheme combines credential theft with multi-stage malware deployment, creating a complex threat targeting the global hospitality sector.

The operation begins when threat actors compromise hotel administrator systems through spearphishing emails that impersonate legitimate Booking.com communications.

These emails contain carefully crafted messages referencing guest reservations and booking platform activities, lending them credibility to unsuspecting recipients.

The emails include malicious URLs that redirect victims through a sophisticated redirection infrastructure before deploying the ClickFix social engineering tactic.

Once victims execute the downloaded commands, malware infects their systems, granting attackers access to professional credentials for booking platforms like Booking.com and Expedia.

The broader criminal ecosystem supporting this operation reveals an alarming level of professionalization within cybercrime communities.

Threat actors harvest hotel administrator credentials and sell them through Russian-speaking cybercrime forums and marketplaces.

High-value compromised Booking.com accounts managing multiple properties in developed nations command prices between $5 and $5,000 depending on activity levels and reservation volumes.

Source: Cybersecurity News