A massive cybersecurity investigation has revealed that travelers’ personal information and booking details are being systematically harvested from hundreds of hotels across the globe. Security researchers from Norton, a brand under Gen Digital, have identified a sophisticated "reservation hijacking" campaign affecting at least 350 hotels, motels, vacation rentals, and guesthouses in 50 different countries. This operation involves the theft of highly specific data, including guest names, reservation dates, and total costs, which cybercriminals then repurpose to craft hyper-targeted phishing messages designed to drain victims’ bank accounts.

The scale of the operation is significant, with researchers estimating that the identified accommodations have a combined capacity of approximately 80,000 guests at peak occupancy. Unlike broad, generic phishing campaigns that rely on volume, this "spear phishing" approach utilizes legitimate, real-world context to gain the trust of travelers. By presenting accurate check-in and check-out dates along with the specific price paid for a room, attackers significantly increase the likelihood that a victim will click on a fraudulent link and provide sensitive credit card or identity information.

The Anatomy of a High-Context Phishing Attack

The core of this criminal enterprise lies in its precision. Luis Corrons, who led the research for Gen Digital, emphasizes that these are not random attempts to deceive the public. Instead, the attackers create phishing websites that are dynamically updated to reflect the specific details of a victim’s stay. These pages often include the name of the hotel, the correct dates of the reservation, and the exact amount of the transaction.

"This is really targeted," Corrons noted during the release of the findings. "It’s spear phishing targeted to the specific victim with the real details of the reservation."
The messages typically reach victims through mobile communication channels, such as SMS or WhatsApp, or via email. In many instances, the messages appear to originate from legitimate platforms like Booking.com or directly from the hotel’s management. A common lure involves an urgent request for the guest to "verify" their payment details or "confirm" their reservation to avoid cancellation. When the traveler clicks the link, they are directed to a malicious portal—often featuring a real-time chatbot—that captures their financial data as they type it.

Geographical Distribution and Targeted Accommodations

According to the Norton analysis, the geographical reach of the scam is truly international, though certain regions appear to be more heavily targeted than others. Germany leads the list of countries with the highest number of potentially compromised hotels, followed closely by France, the United Kingdom, Italy, Spain, and the United States.

The research indicates that the attackers are not necessarily focusing on large, multinational luxury chains, which often have robust, centralized cybersecurity departments. Instead, the majority of the affected properties are small-to-medium-sized hotels and independent vacation rentals. These establishments often lack the resources to implement advanced security measures, such as mandatory multi-factor authentication (MFA) or dedicated threat-monitoring teams, making them softer targets for data exfiltration.

Chronology of the Investigation and Technical Origins

The investigation into this specific wave of hotel-linked fraud began in earnest in December 2023. At that time, Norton researchers identified a WhatsApp message that was nearly indistinguishable from a legitimate communication from Booking.com. The message contained a link to a false website that used an integrated chatbot to harvest credit card information in real time.
By March 2024, further research linked these activities to broader vulnerabilities in the hospitality ecosystem. While it remains unclear if a single central database was breached, researchers believe the data is being obtained through a variety of methods:

- Credential Phishing of Hotel Staff: Attackers send malware to hotel employees, often disguised as legitimate guest inquiries.
- Infostealer Malware: Tools like the "Vidar" infostealer are used to scrape login credentials from hotel computers, allowing hackers to log directly into property management systems (PMS) or third-party booking platforms.
- Third-Party Vulnerabilities: Exploiting weaknesses in the software used by hotels to manage reservations and interact with Online Travel Agencies (OTAs).

Sophos, another major cybersecurity firm, documented a specific instance that illustrates the tactics used. In one case, a cybercriminal contacted a hotel claiming to have lost their passport during a stay. The attacker sent a follow-up email containing a link supposedly to a photo of the passport. In reality, the link downloaded the Vidar malware. Within days of the infection, the hotel’s official Booking.com account was being used to send fraudulent payment links to hundreds of guests.

The Rise of Phishing-as-a-Service (PhaaS)

The efficiency of these attacks is bolstered by the growth of "Phishing-as-a-Service" (PhaaS). This model allows less-skilled cybercriminals to rent or purchase sophisticated "phishing kits" on the dark web. These kits come pre-loaded with templates that can impersonate dozens of global brands, including major airlines, banks, and travel platforms.

The kits are designed to automate the process of sending millions of messages and hosting fraudulent websites. As the hospitality industry continues to digitize, these kits are being updated with new lures specifically tailored to the travel experience.
The FBI’s Internet Crime Complaint Center (IC3) reported that Americans lost more than $200 million to successful phishing attempts in 2023 alone, a figure that is expected to rise as these high-context scams become more prevalent.

Official Responses and Industry Accountability

The hospitality industry and its software partners have responded to the findings with varying degrees of urgency. Booking.com, which has frequently been impersonated in these scams, stated that it is continuously strengthening its defenses to limit opportunities for bad actors to target partners and customers. The company maintains that its own internal systems have not been breached and that the fraud often occurs at the hotel level through compromised credentials.

Cloudbeds, a major provider of hotel management software mentioned in previous Norton reports, also clarified its position. Aaron Ownbey, Vice President of Engineering at Cloudbeds, stated that the company itself has not suffered a data breach. Instead, he described the situation as a series of credential-phishing campaigns targeting hotel staff.

"The reason these scams are so effective is that the attacker isn’t guessing: They know exactly who the guest is, when they’re arriving, and what they paid," Ownbey said. He further emphasized that the hospitality industry must raise its security baseline through better staff training and the adoption of phishing-resistant authentication methods.

Meanwhile, law enforcement agencies are monitoring the situation. While Europol declined to comment on specific operational activities, Norton confirmed it has shared its findings with the agency to assist in potential international investigations.

Broader Implications for the Travel Industry

This wave of reservation hijacking highlights a critical vulnerability in the global travel infrastructure: the reliance on trust and the high volume of personal data exchanged between multiple parties.
A single hotel booking often involves the traveler, an OTA (like Booking.com or Expedia), a property management system (like Cloudbeds), and the hotel’s own front-desk staff. If any link in this chain is compromised, the guest’s data is at risk.

The psychological aspect of travel also plays into the hands of hackers. Don Smith, Vice President of Threat Research at Sophos, noted that travelers are often under stress, dealing with deadlines, flight changes, and language barriers. "It’s very hard to not simply react and click on something to remove one element of stress from what may be a stressful travel experience," Smith explained.

The financial impact extends beyond individual losses. For small and medium-sized hotels, a security breach can lead to devastating reputational damage and potential legal liabilities under data protection regulations like Europe’s GDPR.

Protecting Travelers in an Era of High-Context Fraud

As cybercriminals refine their ability to use real-world data in their schemes, traditional advice to "look for typos" or "check the sender’s email" is becoming less effective. Security experts now recommend a "trust but verify" approach.

If a traveler receives an urgent message regarding a reservation—even if it contains correct booking details—they are advised to contact the hotel or booking platform directly through a known, official channel. This means calling the hotel using a number found on their official website or using the secure messaging system within the official app of the booking service, rather than clicking a link in a text message or WhatsApp.

Furthermore, travelers should be wary of any request for payment information that occurs outside of the initial booking window. Most reputable hotels and booking sites will not ask for credit card updates via a third-party chat app or an unsolicited SMS.
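
The "trust but verify" advice above, as an added example (not code from Norton, Sophos or the original article): it scores a message on where its link points and on the lure wording the article describes, and ignores how accurate the booking details are. The allowlist, the `.test` hosts and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the traveler already trusts for this booking (the platform
# and the hotel's own site). "hotel-example.test" is a constructed placeholder.
OFFICIAL_HOSTS = {"booking.com", "hotel-example.test"}

# Lure wording described in the article: urgent "verify"/"confirm" requests
# backed by a cancellation threat.
LURE_TERMS = re.compile(r"\b(verify|confirm|cancel\w*|urgent\w*)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_official(host: str) -> bool:
    """True only for an official host or a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def triage(message: str) -> dict:
    """Judge a message by link destination and lure wording, never by how
    accurate the booking details in it are."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]
    hosts = [urlsplit(u).hostname or "" for u in urls]
    off_channel = sorted({h for h in hosts if not is_official(h)})
    # Remove URLs first so words inside a link are not counted as lure text.
    text = URL_RE.sub(" ", message)
    lures = sorted({m.group(1).lower() for m in LURE_TERMS.finditer(text)})
    if off_channel and lures:
        verdict = "likely phishing: contact the hotel through a known channel"
    elif off_channel:
        verdict = "unverified link: do not enter payment data"
    else:
        verdict = "no off-channel link found"
    return {"off_channel_hosts": off_channel, "lure_terms": lures, "verdict": verdict}


# Constructed sample: accurate-looking stay details, but the link host only
# starts with the brand name and is not a subdomain of it.
SAMPLE = (
    "Dear Ana Ruiz, your stay 12-15 May (EUR 412.50) will be cancelled unless "
    "you verify your card: https://booking.com.guest-confirm.test/r/8841"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The host check is a plain suffix match against the allowlist, so it does not cover internationalized lookalike domains or a genuinely compromised official account, which is why the out-of-band contact step still applies.
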
The findings from Norton and Sophos serve as a stark reminder that in the modern digital landscape, the possession of accurate data is no longer a guarantee of a message’s legitimacy. As the hospitality industry grapples with these evolving threats, the burden of vigilance remains shared between the service providers who hold the data and the consumers who rely on them for safe passage.