Wednesday, September 3, 2025


Hackers Exploit Google Ads To Target Hotel Logins In Sophisticated Phishing Scam

A new wave of phishing attacks has emerged in late August 2025, targeting hotels and vacation rental operators by exploiting one of their most trusted tools: search engines. Instead of sending phishing emails, attackers purchased sponsored Google ads that appeared above genuine search results, luring users to fake domains disguised as hospitality management platforms.

The campaign, flagged by analysts, has already been tied to suspicious traffic passing through a major Russian proxy provider, pointing to an operation that is precise, scalable, and persistent.

Using typosquatted domains, attackers replicated trusted portals such as SiteMinder and RoomRaccoon. Hoteliers searching for login pages to manage bookings or guest communications often found these fake ads ranking higher than authentic sites.

Clicking on the ads redirected users to convincing replicas of login pages, complete with official logos and even multi-factor authentication fields. Unlike typical phishing schemes, these fake pages harvested one-time passwords in real time. Victims who entered SMS or email codes unknowingly handed over full access to their accounts.

Investigators found Russian-language code embedded in the phishing infrastructure, including error messages such as “Ошибка запроса,” meaning “Request error.” Experts believe this is a strong indicator of Russian-speaking developers behind the operation.

The phishing pages also used JavaScript beaconing that transmitted data to control servers every ten seconds. This feature allowed attackers to monitor login attempts live and capture not just usernames and passwords but also geolocation, session data, and user interactions.
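The fixed ten-second rhythm described above is something a defender can look for in web proxy logs. The following is an added example, not code from the article or from the analysts it cites; the log format, the placeholder host names, the thresholds and the function names are all assumptions, and the sample lines are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (ISO time, client IP, host); hosts are placeholders.
SAMPLE_LOG = """\
2025-08-28T09:00:00 10.0.0.5 pms-portal.example
2025-08-28T09:00:02 10.0.0.5 lookalike-login.example
2025-08-28T09:00:12 10.0.0.5 lookalike-login.example
2025-08-28T09:00:21 10.0.0.5 lookalike-login.example
2025-08-28T09:00:32 10.0.0.5 lookalike-login.example
2025-08-28T09:00:40 10.0.0.5 pms-portal.example
2025-08-28T09:00:52 10.0.0.5 lookalike-login.example
2025-08-28T09:01:02 10.0.0.5 lookalike-login.example
2025-08-28T09:01:12 10.0.0.5 lookalike-login.example
2025-08-28T09:00:05 10.0.0.9 lookalike-login.example
truncated line
"""

def parse(log):
    """Yield (timestamp, client, host); malformed lines are skipped, not fatal."""
    for line in log.splitlines():
        parts = line.split()
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except (IndexError, ValueError):
            continue

def find_beacons(log, period=10.0, tolerance=2.0, max_jitter=1.5, min_hits=5, allowlist=()):
    """Return client/host pairs whose median request gap is near `period` seconds."""
    seen = defaultdict(list)
    for ts, client, host in parse(log):
        if host not in allowlist:
            seen[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in sorted(seen.items()):
        if len(stamps) < min_hits:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        # Median absolute deviation: one skipped beacon (e.g. a throttled tab) does not hide the rhythm.
        jitter = statistics.median(abs(g - median) for g in gaps)
        if abs(median - period) <= tolerance and jitter <= max_jitter:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "median_gap": median, "jitter": jitter})
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Legitimate pages also poll on fixed timers, so a hit is a lead to review against the organisation's known booking and channel-manager domains (passed in as `allowlist`), not a verdict.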

Unlike malware-driven attacks, this scheme relied on manipulating trust in search engines. By bidding on high-value keywords like “SiteMinder login,” attackers ensured their fake domains outranked legitimate services. The mix of paid ad placements and real-time OTP capture marks a new level of phishing sophistication.

Cybersecurity experts warn that the hospitality industry is particularly vulnerable as compromised accounts can directly impact guest data and reservation systems. They stress the need for vigilance against malicious ads, close monitoring of login activities, and awareness campaigns to prevent further damage.


About us:

The Mainstream, formerly known as CIO News, is a premier platform dedicated to delivering the latest news, updates, and insights from the tech industry. With its strong foundation of intellectual property and thought leadership, the platform is well-positioned to stay ahead of the curve and lead conversations about how technology shapes our world. From its early days as CIO News to its rebranding as The Mainstream on November 28, 2024, it has been expanding its global reach, targeting key markets in the Middle East & Africa, ASEAN, the USA, and the UK. The Mainstream is a vision to put technology at the center of every conversation, inspiring professionals and organizations to embrace the future of tech.
