Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign

Daniel López

Okta Threat Intelligence is tracking a large-scale phishing campaign that has impersonated at least a dozen service providers that specialize in hotels and vacation rentals. 

In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search. The attacks leverage convincing fake login pages and social engineering tactics to bypass security controls and exploit user trust. 

We observed at least thirteen hospitality companies impersonated with these lures.

Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.

Initial Access

We observed campaigns in which malvertising, the purchase of malicious search engine advertisements, was used to lure unsuspecting users of the impersonated hospitality or vacation rental company.

For instance, a search query for the name of one of these companies might display a number of sponsored ads that direct users to a malicious site:

Figure 1. Example of malvertising showing two fake websites promoted above a legitimate domain

Figure 2. Example of malvertising directing users to another phishing site

The observed domains were typosquatting variations of the legitimate websites.

A user who navigates to one of these malicious domains is presented with a fake login page. We observed a large number of phishing sites that impersonated at least thirteen hospitality companies.

Figure 3. Oracle Hospitality was one of numerous service providers impersonated


Tactics, Techniques and Procedures

The objective of the first stage of the campaign is credential harvesting. The phishing pages were configured to capture usernames, email addresses, phone numbers and passwords. 

The observed activity demonstrates an intent to bypass or capture multi-factor authentication (MFA) codes. For instance, some phishing pages explicitly prompt for "One time password" or offer "Sign in with SMS Code" and "Email Code" options.

Figure 4. Screenshot of a phishing website impersonating Airbnb

Figure 5. Once a phone number is entered, the phishing page prompts for OTP codes sent via SMS

Inspecting the source code of these websites, we observed the following script:

<script>
    function sendRequest() {
        fetch("/mksd95jld43").catch(error => console.error("Ошибка запроса:", error));
    }
    // Запускаем запрос каждые 10 секунд
    setInterval(sendRequest, 10000);
</script>

The error message “Ошибка запроса” (“Request error”) and comment “Запускаем запрос каждые 10 секунд” (“We start the request every 10 seconds”) suggest the possibility of Russian-speaking actors behind this campaign. The campaign also employed a large Russian datacenter proxy provider during attacker sign-in activity.

The campaign also employs a beaconing technique for tracking and analytics. This allows the attacker to gather valuable real-time information about the victims who have landed on the phishing page, including: 

  • Visitor Analytics

  • Geolocation & Targeting

  • Session Duration

  • Bot Detection

  • Status Monitoring
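As an added illustration (not code from the Okta post or from the phishing kit), the following script shows how a defender could scan captured page source for the periodic beacon pattern quoted above and for Cyrillic strings inside inline scripts. The sample HTML is constructed; only the script body mirrors the snippet in the post.

```javascript
// Added example (not from the Okta post): scan page source for the periodic
// beacon pattern quoted above and for Cyrillic strings in inline scripts.
// The HTML below is constructed; only the <script> body mirrors the post.
const SAMPLE_HTML = `
<html><body><form id="login"><input name="email"><input name="password"></form>
<script>
    function sendRequest() {
        fetch("/mksd95jld43").catch(error => console.error("Ошибка запроса:", error));
    }
    // Запускаем запрос каждые 10 секунд
    setInterval(sendRequest, 10000);
</script>
</body></html>`;

// Pull every inline <script> body out of the page.
function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// A function that fetches a fixed path and is re-armed by setInterval.
function findBeacon(script) {
  const f = script.match(/fetch\(\s*["']([^"']+)["']/);
  const i = script.match(/setInterval\(\s*(\w+)\s*,\s*(\d+)\s*\)/);
  if (!f || !i) return null;
  const defined = new RegExp(`function\\s+${i[1]}\\s*\\(`).test(script);
  return defined ? { fn: i[1], path: f[1], intervalMs: Number(i[2]) } : null;
}

// Cyrillic in comments or strings is a language fingerprint, not attribution.
function findCyrillic(script) {
  const hits = script.match(/[\u0400-\u04FF][\u0400-\u04FF\d\s]*/g) || [];
  return hits.map(s => s.trim()).filter(Boolean);
}

function scanPage(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    const b = findBeacon(s);
    if (b) findings.push({ type: 'beacon', ...b });
    const c = findCyrillic(s);
    if (c.length) findings.push({ type: 'cyrillic', strings: c });
  }
  return findings;
}
console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

Run over a captured phishing page, a beacon finding gives the path and interval to look for in proxy logs, which is a more stable detector than the kit's hostname.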

Okta customers can access a detailed set of indicators of compromise by selecting Okta Threat Intelligence at security.okta.com.

Mitigating Controls

  • Enroll customers and partners in the strongest available authenticator, prioritizing possession factors such as passkeys to introduce phishing resistance while minimizing user friction. Enroll workforce users in strong authenticators such as Okta FastPass, passkeys (FIDO2/WebAuthn) and smart cards, and enforce phishing resistance in policy.

  • Deny or require higher assurance for requests from rarely-used networks. 

  • Use adaptive risk assessments to identify, and automate responses to, application access requests that deviate from a user's previously established patterns of activity.

  • Monitor suspicious domain registrations and watch for changes in the content they serve to users. Review application logs for any evidence of communication with suspicious domains. If content hosted on a domain infringes your copyright or trademarks, consider providing evidence and issuing a takedown request to the domain registrar and/or web hosting provider.

  • Warn users when malvertising and phishing campaigns appear to be targeting your brand.

  • Notify end users if suspicious activity is observed on their account.
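The typosquatting lures described under Initial Access and the domain-monitoring control above share one check: comparing newly seen domains against a brand watchlist. The script below is an added example, not Okta's code; the brand and candidate domains are constructed placeholders, and it takes the second-level label as the registrable name rather than consulting a public suffix list (an assumption).

```javascript
// Added example (not Okta's code): check candidate domains against a brand
// watchlist for typosquat patterns. Names are constructed placeholders; no
// public suffix list is used (assumption), so the second-level label is taken.
const WATCHLIST = ['examplepms.com', 'guestchat.example'];

// Look-alike substitutions folded before comparison.
const LOOKALIKES = { '0': 'o', '1': 'l', 'i': 'l', 'rn': 'm', 'vv': 'w' };

function sld(domain) {
  const labels = domain.toLowerCase().split('.');
  const label = labels.length > 1 ? labels[labels.length - 2] : labels[0];
  return label.replace(/-/g, '');
}

function fold(label) {
  let s = label;
  for (const [k, v] of Object.entries(LOOKALIKES)) s = s.split(k).join(v);
  return s;
}

// Levenshtein edit distance.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns { candidate, brand, reason } for the first brand the candidate
// resembles, or null when it looks unrelated.
function classify(candidate) {
  const cand = sld(candidate);
  for (const brand of WATCHLIST) {
    if (candidate.toLowerCase() === brand) continue;   // the genuine domain
    const b = sld(brand);
    let reason = null;
    if (cand === b) reason = 'brand-on-other-tld';
    else if (fold(cand) === fold(b)) reason = 'homoglyph';
    else if (cand.includes(b)) reason = 'brand-embedded';
    else if (editDistance(cand, b) <= 2) reason = 'near-miss';
    if (reason) return { candidate, brand, reason };
  }
  return null;
}

function triage(domains) { return domains.map(classify).filter(Boolean); }
```

Feed it a daily list of new registrations or certificate-transparency names and review the hits; the edit-distance threshold should be tuned per brand, since short names produce more near-miss noise.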

Moussa Diallo contributed to this research.

Daniel López
Cyber Threat Researcher

Daniel López is a Cyber Threat Researcher at Okta, where he focuses on tracking threat actor activity and the evolving threat landscape to best protect Okta’s employees and customers. Prior to joining Okta, Daniel worked at international companies across the consulting, financial services, and technology sectors. He enjoys participating in trusted infosec groups, continuously learning (both tech and non-tech topics), and staying physically active.