{
  "type": "Domain",
  "indicator": "customerbook.cfd",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/customerbook.cfd",
    "alexa": "http://www.alexa.com/siteinfo/customerbook.cfd",
    "indicator": "customerbook.cfd",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4168243012,
      "indicator": "customerbook.cfd",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "694c0be21992e1c8f5d39e53",
          "name": "B2B2C Supply Chain Attack: Hotels Booking Accounts Compromised to Target Customers",
          "description": "Since May 2025, a cyber threat actor has been engaged in a B2B2C supply chain attack focusing on compromising hotel booking management accounts, specifically targeting Booking.com customers. Nearly 1,000 fraudulent booking and hotel reservation domains have been generated to facilitate this operation. The attack is characterized by the use of urgent notifications, labeled as \"verify or cancel,\" which direct users to external phishing sites. These sites are designed to dynamically load the victim's actual reservation details, effectively tricking users into disclosing sensitive payment information.\n\nThe initial vector for this attack involved compromising hotel staff accounts to gain access to booking platform credentials. This operation aligns with previously reported phishing campaigns, such as the \"I Paid Twice\" campaign, indicating a potential connection between the attackers targeting hotel credentials and those executing the phishing attacks.",
          "modified": "2025-12-24T15:50:58.187000",
          "created": "2025-12-24T15:50:58.187000",
          "tags": [
            "domain"
          ],
          "references": [
            "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 214
          },
          "indicator_count": 214,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "158 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "694c0be21992e1c8f5d39e53",
      "name": "B2B2C Supply Chain Attack: Hotels Booking Accounts Compromised to Target Customers",
      "description": "Since May 2025, a cyber threat actor has been engaged in a B2B2C supply chain attack focusing on compromising hotel booking management accounts, specifically targeting Booking.com customers. Nearly 1,000 fraudulent booking and hotel reservation domains have been generated to facilitate this operation. The attack is characterized by the use of urgent notifications, labeled as \"verify or cancel,\" which direct users to external phishing sites. These sites are designed to dynamically load the victim's actual reservation details, effectively tricking users into disclosing sensitive payment information.\n\nThe initial vector for this attack involved compromising hotel staff accounts to gain access to booking platform credentials. This operation aligns with previously reported phishing campaigns, such as the \"I Paid Twice\" campaign, indicating a potential connection between the attackers targeting hotel credentials and those executing the phishing attacks.",
      "modified": "2025-12-24T15:50:58.187000",
      "created": "2025-12-24T15:50:58.187000",
      "tags": [
        "domain"
      ],
      "references": [
        "https://dti.domaintools.com/b2b2c-supply-chain-attack-hotels-booking-accounts-compromised-to-target-customers/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 214
      },
      "indicator_count": 214,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "158 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "customerbook.cfd",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "customerbook.cfd",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780316588.3601007
}