In late August 2025, a new phishing campaign was identified, targeting hoteliers and vacation rental managers through malicious search engine advertisements.
Attack Methodology
This campaign diverges from traditional phishing by delivering its lure through sponsored results on search engines such as Google rather than through email. The attackers registered typosquatted variants of legitimate service-provider names and pointed the sponsored ads at them, so that users who trusted the top result were redirected to attacker-controlled pages.
Brands such as SiteMinder and RoomRaccoon were mimicked, and because sponsored results are placed above organic listings the malicious domains appeared before the authentic ones, increasing the likelihood that a victim clicked.
When victims clicked on these sponsored links, they encountered fake login portals that convincingly replicated established property management platforms. These portals included corporate logos, form fields for usernames, passwords, and multi-factor authentication prompts.
Social engineering was used to coax users into entering the one-time passwords sent to them by SMS or email. Because the static credentials and the time-limited OTP are captured together and relayed while the code is still valid, the attackers can complete an account takeover even when MFA is enabled on the account.
Technical Analysis
Okta Security analysts identified the campaign after a noticeable spike in outbound traffic from a Russian datacenter proxy provider to various hospitality domains. The phishing page source code included Russian-language comments and error messages, suggesting involvement by Russian-speaking threat actors.
The phishing sites used JavaScript beaconing scripts to track visitor interactions and collect geolocation data, session duration and bot-detection metrics. Beyond the initial credential harvest, the same beaconing functions let the attackers monitor whether a victim had entered correct credentials and a valid OTP. The beacon recovered from the page source:

// Beacon from the phishing page: the endpoint path is a random-looking
// token on the phishing host itself. It fires every 10 seconds for as
// long as the tab is open, so the operator can see that a victim is
// still on the page. The Russian error string translates to
// "Request error".
function sendRequest() {
    fetch("/mksd95jld43").catch(error => console.error("Ошибка запроса"));
}
setInterval(sendRequest, 10000);
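The fixed 10-second interval is itself a detectable property: a setInterval beacon produces inter-request gaps with almost no jitter, which human browsing never does. The Python below is an added example, not code from the article or from Okta. It groups web-proxy records by client, host and path and flags any tuple that recurs with near-constant spacing. The log format, the log lines, the hostname and path values and the thresholds are all constructed for the demo and are assumptions, not a real proxy vendor's format.

```python
"""Flag periodic beaconing in web-proxy logs (added example, not from the article).

Log lines below are constructed to resemble the 10-second fetch() beacon
seen on the phishing page. Field order (timestamp, client, host, path),
the min_hits and jitter thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2025-08-28T10:00:00Z 10.1.2.3 siteminder.live /mksd95jld43
2025-08-28T10:00:10Z 10.1.2.3 siteminder.live /mksd95jld43
2025-08-28T10:00:20Z 10.1.2.3 siteminder.live /mksd95jld43
2025-08-28T10:00:30Z 10.1.2.3 siteminder.live /mksd95jld43
2025-08-28T10:00:40Z 10.1.2.3 siteminder.live /mksd95jld43
2025-08-28T10:00:50Z 10.1.2.3 siteminder.live /mksd95jld43
2025-08-28T10:00:03Z 10.1.2.3 www.siteminder.com /login
2025-08-28T10:00:47Z 10.1.2.3 www.siteminder.com /static/app.js
2025-08-28T10:02:11Z 10.1.2.3 www.siteminder.com /dashboard
2025-08-28T10:00:05Z 10.1.2.9 cdn.example.net /lib.js
2025-08-28T10:00:06Z 10.1.2.9 cdn.example.net /lib.js
"""


def parse(log_text):
    """Yield (timestamp, client, host, path) for each constructed log line."""
    for line in log_text.splitlines():
        ts, client, host, path = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host, path


def find_beacons(log_text, min_hits=5, max_jitter=0.2):
    """Return (client, host, path, period_seconds) for every tuple seen at
    least `min_hits` times whose gaps are nearly constant.

    Jitter is stdev/mean of the inter-request gaps: a setInterval beacon
    sits near 0, interactive browsing is far above max_jitter.
    """
    buckets = defaultdict(list)
    for ts, client, host, path in parse(log_text):
        buckets[(client, host, path)].append(ts)

    hits = []
    for key, stamps in buckets.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((*key, round(period, 1)))
    return hits


if __name__ == "__main__":
    for client, host, path, period in find_beacons(SAMPLE_LOG):
        print(f"beacon: {client} -> {host}{path} every {period}s")
```

Legitimate polling (chat clients, dashboards, monitoring agents) also fires at fixed intervals, so this is a triage signal rather than a verdict: combine it with the age and reputation of the destination domain, and look in particular for a beacon to the same host that served a login form.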
Infection Mechanism
The campaign’s reliance on malvertising distinguishes it from traditional phishing operations. By weaponizing search engine advertising, attackers poisoned the user’s journey from the outset. They bid on high-value keywords to position their malicious ads alongside genuine results.
Victims searching for platform logins encountered URLs such as siteminder.live and rocmracooon.cfd: the first reuses the brand's exact name on a different top-level domain, the second differs from roomraccoon by two letters, and either passes a casual glance at a sponsored result. The phishing pages activated JavaScript beacons to confirm victim presence and capture form responses, and credentials and OTPs were relayed immediately to command-and-control endpoints.
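Both lookalike patterns above (exact brand label on a foreign TLD, and a near-miss spelling) can be scored automatically, which is the practical form of the domain-registration monitoring the recommendations below call for. The Python script here is an added example, not code from the article or from Okta: it compares the registrable label of each candidate domain against a small brand inventory using edit distance and two cheaper checks. The brand list, the legitimate domains, the candidate feed and the distance threshold are assumptions for the demo; production use needs the public suffix list instead of the last-two-labels heuristic.

```python
"""Score newly seen domains against protected brands (added example, not from the article).

PROTECTED maps a brand label to the registrable domains assumed to be
legitimately its own; CANDIDATES is a constructed feed of newly
registered or ad-landing domains. Both are assumptions for the demo.
"""

PROTECTED = {
    "siteminder": {"siteminder.com"},
    "roomraccoon": {"roomraccoon.com"},
}

CANDIDATES = [
    "siteminder.live",        # brand label on a foreign TLD (from the article)
    "rocmracooon.cfd",        # two-letter near miss (from the article)
    "login-siteminder.com",   # constructed: brand embedded in a longer label
    "www.siteminder.com",     # constructed legitimate host, must not flag
    "roomraccoon.com",        # constructed legitimate host, must not flag
    "example.org",            # constructed unrelated domain
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels; assumption for the demo, use the public suffix list in production."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify(domain: str, max_distance: int = 2):
    """Return (brand, reason) if `domain` imitates a protected brand, else None."""
    reg = registrable(domain)
    if any(reg in legit for legit in PROTECTED.values()):
        return None  # the brand's own domain
    label = reg.split(".")[0]
    for brand in PROTECTED:
        if label == brand:
            return brand, f"exact brand label on foreign TLD ({reg})"
        if brand in label:
            return brand, f"brand embedded in label '{label}'"
        dist = levenshtein(label, brand)
        if dist <= max_distance:
            return brand, f"edit distance {dist} from '{brand}'"
    return None


def flag_lookalikes(domains=CANDIDATES):
    """Return (domain, brand, reason) for every candidate that classify() flags."""
    out = []
    for dom in domains:
        hit = classify(dom)
        if hit:
            out.append((dom, *hit))
    return out


if __name__ == "__main__":
    for dom, brand, why in flag_lookalikes():
        print(f"{dom}: looks like {brand}: {why}")
```

Feed it certificate-transparency logs, passive DNS or the landing domains behind sponsored results for your own brand keywords; a flagged domain that also serves a login form and a periodic beacon is a strong candidate for a takedown request and a block-list entry.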
Recommendations
Detecting this infection mechanism requires monitoring both the ad ecosystem (sponsored results returned for your brand and product-login keywords) and new domain registrations that resemble your brand. Organizations should also apply adaptive risk assessment to sign-ins, flagging requests from unfamiliar networks such as datacenter proxies and investigating deviations from a user's normal activity. SMS and email OTPs do not protect against this kit, because the code is phished and relayed exactly like the password; phishing-resistant MFA (FIDO2/WebAuthn) binds the authentication to the genuine origin, so a credential presented to siteminder.live cannot be replayed to the real site.
By integrating threat intelligence with real-time monitoring of the ad ecosystem and lookalike-domain feeds, defenders can disrupt this malvertising-driven phishing strategy before it reaches hotel management infrastructure.