{
  "type": "Domain",
  "indicator": "confirmation-370395.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/confirmation-370395.com",
    "alexa": "http://www.alexa.com/siteinfo/confirmation-370395.com",
    "indicator": "confirmation-370395.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4147976871,
      "indicator": "confirmation-370395.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "69137fca8f856858d0543ded",
          "name": "Thousands of Fake Hotel Domains Used in Massive Phishing Campaign",
          "description": "A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The sophisticated operation impersonates major travel brands like Airbnb and Booking.com to steal payment card data. The phishing sites use customized pages based on unique URL strings, fake CAPTCHA systems, and multilingual translations to appear legitimate. The campaign employs malicious emails with links that redirect through multiple sites before reaching the phishing page. The attacker consistently registers new domains, focusing on specific registrars and using naming conventions that incorporate travel-related terms and hotel names. The phishing kit includes real-time data collection and Russian language elements in the source code.",
          "modified": "2025-11-11T18:31:27.495000",
          "created": "2025-11-11T18:26:17.167000",
          "tags": [
            "phishing",
            "domain registration",
            "malspam"
          ],
          "references": [
            "https://www.netcraft.com/blog/thousands-of-domains-target-hotel-guests-in-massive-phishing-campaign",
            "https://raw.githubusercontent.com/netcraftcom/public-iocs/refs/heads/main/2025-11%20hotel%20phishing%20IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [
            "Hospitality"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 39,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4303,
            "hostname": 16
          },
          "indicator_count": 4319,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377491,
          "modified_text": "158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "694c0be21992e1c8f5d39e53",
          "name": "B2B2C Supply Chain Attack: Hotels Booking Accounts Compromised to Target Customers",
          "description": "Since May 2025, a cyber threat actor has been engaged in a B2B2C supply chain attack focusing on compromising hotel booking management accounts, specifically targeting Booking.com customers. Nearly 1,000 fraudulent booking and hotel reservation domains have been generated to facilitate this operation. The attack is characterized by the use of urgent notifications, labeled as \"verify or cancel,\" which direct users to external phishing sites. These sites are designed to dynamically load the victim's actual reservation details, effectively tricking users into disclosing sensitive payment information.\n\nThe initial vector for this attack involved compromising hotel staff accounts to gain access to booking platform credentials. This operation aligns with previously reported phishing campaigns, such as the \"I Paid Twice\" campaign, indicating a potential connection between the attackers targeting hotel credentials and those executing the phishing attacks.",
          "modified": "2025-12-24T15:50:58.187000",
          "created": "2025-12-24T15:50:58.187000",
          "tags": [
            "domain"
          ],
          "references": [
            "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 214
          },
          "indicator_count": 214,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "115 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691523ab5139f48d8654664e",
          "name": "Malicious Domains Impersonate Travel Services in Phishing  Campaign",
          "description": "A massive phishing campaign is targeting people who book hotels or travel online.",
          "modified": "2025-11-13T00:17:47.435000",
          "created": "2025-11-13T00:17:47.435000",
          "tags": [
            "common uri",
            "first",
            "registered",
            "info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4304,
            "hostname": 16
          },
          "indicator_count": 4320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 485,
          "modified_text": "157 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/",
        "https://raw.githubusercontent.com/netcraftcom/public-iocs/refs/heads/main/2025-11%20hotel%20phishing%20IOCs.csv",
        "https://www.netcraft.com/blog/thousands-of-domains-target-hotel-guests-in-massive-phishing-campaign"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Hospitality"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "69137fca8f856858d0543ded",
      "name": "Thousands of Fake Hotel Domains Used in Massive Phishing Campaign",
      "description": "A Russian-speaking threat actor has orchestrated a large-scale phishing campaign targeting travelers by registering over 4,300 domain names since early 2025. The sophisticated operation impersonates major travel brands like Airbnb and Booking.com to steal payment card data. The phishing sites use customized pages based on unique URL strings, fake CAPTCHA systems, and multilingual translations to appear legitimate. The campaign employs malicious emails with links that redirect through multiple sites before reaching the phishing page. The attacker consistently registers new domains, focusing on specific registrars and using naming conventions that incorporate travel-related terms and hotel names. The phishing kit includes real-time data collection and Russian language elements in the source code.",
      "modified": "2025-11-11T18:31:27.495000",
      "created": "2025-11-11T18:26:17.167000",
      "tags": [
        "phishing",
        "domain registration",
        "malspam"
      ],
      "references": [
        "https://www.netcraft.com/blog/thousands-of-domains-target-hotel-guests-in-massive-phishing-campaign",
        "https://raw.githubusercontent.com/netcraftcom/public-iocs/refs/heads/main/2025-11%20hotel%20phishing%20IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [
        "Hospitality"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 39,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4303,
        "hostname": 16
      },
      "indicator_count": 4319,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377491,
      "modified_text": "158 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "694c0be21992e1c8f5d39e53",
      "name": "B2B2C Supply Chain Attack: Hotels Booking Accounts Compromised to Target Customers",
      "description": "Since May 2025, a cyber threat actor has been engaged in a B2B2C supply chain attack focusing on compromising hotel booking management accounts, specifically targeting Booking.com customers. Nearly 1,000 fraudulent booking and hotel reservation domains have been generated to facilitate this operation. The attack is characterized by the use of urgent notifications, labeled as \"verify or cancel,\" which direct users to external phishing sites. These sites are designed to dynamically load the victim's actual reservation details, effectively tricking users into disclosing sensitive payment information.\n\nThe initial vector for this attack involved compromising hotel staff accounts to gain access to booking platform credentials. This operation aligns with previously reported phishing campaigns, such as the \"I Paid Twice\" campaign, indicating a potential connection between the attackers targeting hotel credentials and those executing the phishing attacks.",
      "modified": "2025-12-24T15:50:58.187000",
      "created": "2025-12-24T15:50:58.187000",
      "tags": [
        "domain"
      ],
      "references": [
        "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 214
      },
      "indicator_count": 214,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 170,
      "modified_text": "115 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691523ab5139f48d8654664e",
      "name": "Malicious Domains Impersonate Travel Services in Phishing  Campaign",
      "description": "A massive phishing campaign is targeting people who book hotels or travel online.",
      "modified": "2025-11-13T00:17:47.435000",
      "created": "2025-11-13T00:17:47.435000",
      "tags": [
        "common uri",
        "first",
        "registered",
        "info"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4304,
        "hostname": 16
      },
      "indicator_count": 4320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 485,
      "modified_text": "157 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "confirmation-370395.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "confirmation-370395.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776594786.2661786
}