There is a detail buried inside Japan’s latest Booking.com phishing wave that stops you cold. The fraudulent messages arriving on victims’ phones get the reservation number right. They get the hotel name right. They get the check-in date right. The only thing fake is the link asking you to punch in your credit card number and the 24-hour countdown attached to it.

That level of accuracy does not come from a lucky guess or a dark web data dump. It comes from something worse: the attackers had legitimate access to a real hotel’s Booking.com account while the messages were sent. They were inside the system, reading live reservation data and then contacting guests in real time, through the same messaging channels a real hotel would use.

This is what makes the campaign hitting Japan’s hospitality sector right now so corrosive. It is not a breach of Booking.com’s core servers. The platform’s backend has not been compromised. What has been compromised is something Booking.com has far less direct control over: the 3.4 million lodging partners connected to its extranet, many of them running old Windows machines at the front desk, logging into the booking portal from a browser, with no multi-factor authentication turned on. One phishing email to one overworked receptionist, and an attacker walks straight in.


The Japan Situation, Spelled Out

Since Golden Week in early May 2026, Japanese hotels have been hit with a surge of reported phishing incidents targeting guests who booked through Booking.com. The Japan Hotel Association put out a formal warning on June 12 after member properties started reporting coordinated inbound complaints. By June 17, Japan Tourism Agency Director-General Shigeki Murata was publicly demanding that Booking.com conduct a thorough investigation and issue comprehensive warnings to travelers.

More than 40 hotel groups and individual properties had already posted formal notices on their websites by that point. The list is not a collection of budget inns. It includes the Imperial Hotel, Hotel Okura Kobe, Hotel New Otani Osaka, Keio Plaza Hotel, APA Hotel, Tobu Hotel, Hotel Keihan, and hotels affiliated with WHG Hotels and Fujita Kanko. These are flagship properties. The fact that the same technique hit all of them simultaneously rules out individual operator error.

Polaris Holdings, a Tokyo Stock Exchange-listed hotel operator running 116 properties domestically and internationally, disclosed in a May 28 announcement that an unauthorized third party had accessed its group Booking.com account and tampered with the bank account details designated to receive sales revenue from several hotels. One property alone had roughly 9 million yen (about $60,000) diverted to an attacker-controlled account before the fraud was discovered. At the same time, guests of those same Polaris hotels were receiving phishing messages constructed from reservation data that had been lifted from the compromised account.

This is the dual-monetization play that distinguishes this campaign from typical phishing. A single extranet account compromise generates two revenue streams simultaneously: fraudulent bank transfers out of the hotel’s receivables, and credential theft from guests through targeted smishing. The same intrusion, two paydays.

How the Attack Chain Works

The entry point is not a sophisticated exploit of Booking.com’s infrastructure. It starts with a spearphishing email sent to hotel staff – usually a front desk manager or a reservations coordinator. The email impersonates Booking.com with a subject line referencing things like a negative guest review, an urgent compliance issue, or a “new last-minute booking” requiring action. Sekoia documented email subjects including variations on “New guest message in reference to your unit” in their November 2025 “I Paid Twice” report.

The link inside the email redirects through a chain of compromised domains before landing on a page that mimics the Booking.com partner portal. The URL patterns are built to look legitimate: many include strings like admin, extranet, or booking.admin-extranet to match what a real hotel staff member would expect to see in their browser bar. Then comes the ClickFix move.

The page tells the user there is a verification problem (a fake CAPTCHA or a fake error) and instructs them to prove they are human by pressing Win+R, then Ctrl+V, then Enter. What that keystroke sequence actually does is open the Windows Run dialog, paste a malicious command that the page silently loaded into the clipboard, and execute it. The command pulls down a PowerShell script.

From that PowerShell execution, researchers have tracked several different malware payloads depending on which operator ran the campaign. Microsoft’s March 2025 Storm-1865 threat intelligence report identified XWorm, Lumma Stealer, VenomRAT, AsyncRAT, DanaBot, and NetSupport RAT being dropped through mshta.exe.

Sekoia’s “I Paid Twice” investigation, published November 2025, focused on PureRAT (also known as PureHVNC) and ResolverRAT; PureRAT is a modular Remote Access Trojan sold as malware-as-a-service by a developer going by PureCoder since 2021. PureRAT establishes persistence through Windows Registry Run keys and communicates back to its C2 infrastructure over TCP/TLS on ports 56001, 56002, and 56003. Its plugin architecture supports remote desktop control, keylogging, webcam capture, file exfiltration, and credential theft targeting browser extensions and two-factor authentication apps.

Bridewell’s separate investigation, tracking the campaign under the designation BR-UNC-030 from early January 2026, described a third delivery path: Evilginx combined with IDN homograph domains, with Cyrillic characters substituted into “booking” to create convincing lookalike URLs designed specifically to harvest session cookies from hotel staff rather than drop malware.
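The IDN homograph path is one a mail gateway, proxy allowlist or password manager can check for mechanically, because a Cyrillic “о” in “booking” survives Punycode encoding and can be mapped back to the Latin letter it imitates. The block below is an added example, not code from Bridewell, Sekoia or Booking.com. It assumes a hypothetical allowlist containing one protected registrable domain (booking.com), uses a small constructed subset of the Unicode confusables table, and decodes xn-- labels so the comparison is made on the glyphs a user sees. It also flags hosts that merely embed the brand token, the way the admin-extranet URL patterns described earlier do, which goes slightly beyond the Cyrillic case the text reports.

```python
"""Lookalike-domain check for IDN homograph hosts (added example)."""
import unicodedata

# Constructed subset of the Unicode confusables data (UTS #39): Cyrillic and
# Latin code points that render like a basic Latin letter. A production check
# should load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u043a": "k", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u0455": "s", "\u0475": "v",
    "\u0461": "w", "\u0131": "i",
}

# Hypothetical allowlist for this example: registrable domains being protected,
# and brand tokens whose presence in any other domain is suspicious.
PROTECTED_DOMAINS = {"booking.com"}
BRAND_TOKENS = ("booking", "extranet")


def to_unicode(host: str) -> str:
    """Decode any xn-- (Punycode) label so the check sees what the user sees."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def letter_scripts(label: str) -> set:
    """Writing systems used by the letters of one label (first word of the Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host: str) -> str:
    """Replace visually confusable characters with the Latin letter they imitate."""
    normalised = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def registrable_domain(host: str) -> str:
    """Last two labels; a simplification that ignores public-suffix rules such as co.uk."""
    return ".".join(host.split(".")[-2:])


def classify(host: str) -> dict:
    """Return the decoded host, its Latin skeleton, a mixed-script flag and a verdict."""
    uni = to_unicode(host)
    skel = skeleton(uni)
    mixed = any(len(letter_scripts(label)) > 1 for label in uni.split("."))
    reg = registrable_domain(skel)
    if uni == skel and reg in PROTECTED_DOMAINS:
        verdict = "legitimate"
    elif reg in PROTECTED_DOMAINS:
        verdict = "homograph"    # only matches the brand after confusable mapping
    elif any(tok in skel for tok in BRAND_TOKENS):
        verdict = "brand-bait"   # brand token inside an unrelated registrable domain
    else:
        verdict = "unrelated"
    return {"input": host, "unicode": uni, "skeleton": skel,
            "mixed_script": mixed, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: "booking" with both o's replaced by Cyrillic U+043E.
    fake = "b\u043e\u043eking.com"
    for h in ("booking.com", fake, fake.encode("idna").decode("ascii"),
              "booking.admin-extranet.example"):
        print(classify(h))
```

The mixed-script flag is reported separately from the verdict on purpose: a label made entirely of Cyrillic confusables is single-script yet still a homograph, so a rule that only looks for script mixing misses it.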

What all three paths have in common is the end result: the attacker authenticates to the hotel’s Booking.com extranet account as if they are a legitimate staff member. The platform’s own access logs show a normal login. No intrusion detection fires. The attacker then opens the reservation list, reads the names, check-in dates, room types, confirmation numbers, and email addresses of every upcoming guest, and pivots to targeting those guests directly.

The guest-facing phishing pages are technically competent. They use Ajax to auto-populate stolen booking details into the form fields when the victim lands on the page, making the experience feel like a real hotel verification flow. The pages sit behind Cloudflare’s CAPTCHA service to appear legitimate, and the hosting infrastructure has been tracked to Russian bulletproof providers, specifically AS216341 (OPTIMA LLC), which continues operating despite repeated abuse reports.

The Underground Economy Behind This

This campaign does not run on individual initiative. It is industrial.

Sekoia’s analysis of Russian-language cybercrime forums including LolzTeam, Exploit.in, and WWHClub found a structured marketplace for Booking.com extranet credentials. A compromised account for a small property with few active reservations sells for as little as $5. An account managing a multi-hotel group in a high-income country with dozens of live bookings goes for up to $5,000. The price formula factors in the number of establishments managed, active reservation volume, and the account’s Genius partner tier – the higher the tier, the more attractive the target, because those properties handle higher-value guests.

A single threat actor operating under the handle moderator_booking advertised on multiple forums claiming to run a team that had “earned over $20 million in this field,” offering to purchase Booking.com extranet logs from third-party infectors at prices ranging from $30 to $5,000 depending on account quality. That actor was also documented running a Telegram bot to automate log purchases, looking for what the posts described as “regular sellers” and “long-term partnerships.” The implication is an operation processing logs at industrial volume, not cherry-picking individual hotels.

The procurement pipeline is worth understanding precisely. Attackers who specialize in initial access, sometimes called “traffers” in Russian-speaking forums, are recruited to distribute the ClickFix lures through specific traffic channels including Twitter, Facebook, and Google, and are paid a commission on proceeds rather than a flat fee. Once a hotel staff machine is infected, the resulting log is sold on, validated using automated log-checker tools that authenticate the stolen credentials through proxy networks to confirm the account is still active, and then used directly or resold.

Bridewell’s BR-UNC-030 analysis added a telling detail to this picture: a comment buried in the customer-facing phishing kit’s JavaScript code read //console.error("Ошибка: " + textStatus + ", " + errorThrown) – the Russian word for “error” in the developer comment. It is not definitive attribution, but it is consistent with the broader forum evidence pointing toward Russian-speaking operators.

Japan Is Not a New Target, This Is a Third Wave

The Japan Tourism Agency issued its first Booking.com phishing warning in November 2023, after a similar pattern of hotel extranet compromises led to a wave of fraudulent messages targeting Japanese guests. That warning noted the same entry vector: the reservation management systems operated by individual accommodation facilities, not Booking.com’s central servers. Japan Today reported in April 2024 that over 100 Japanese hotels had already been hit by the credential-theft-to-guest-phishing pipeline at that point.

Two and a half years later, the Tourism Agency was back on June 17, 2026, issuing another formal demand for Booking.com to investigate and warn travelers. The same attack chain. The same entry vector. The same dual-monetization pattern.

This is the structural issue. The 2018 breach, which Booking.com reported to the Dutch Data Protection Authority 22 days late and which earned it a 475,000 euro fine, also originated from hotel staff credentials in the UAE being obtained through social engineering. The Dutch DPA made the platform’s shared responsibility for partner-side security explicit in its ruling. Booking.com paid the fine, said it was working to improve internal processes, and the platform’s spokesperson at the time clarified it was “a small number of hotels inadvertently providing their Booking.com account login details,” not a compromise of the platform itself. Eight years later, the company is issuing essentially the same statement.

Norton’s threat research team, led by Luis Corrons, documented in a May 2026 report that at least 350 hotels and accommodations across 50 countries have been confirmed compromised through the ClickFix vector, with the five most-affected European countries alone accounting for 159 of those properties – Germany leading at 49, followed by France (35), the United Kingdom (31), Italy (24), and Spain (20). The United States adds 19. Based on the 82,000 simultaneous guest capacity across confirmed compromised properties, Norton estimated roughly six million guest stays per year are now exposed to targeted follow-on fraud using real booking data.

Why MFA Is the Obvious Fix Nobody Has Mandated

The structural vulnerability here is not technically exotic. It is the absence of mandatory multi-factor authentication on Booking.com partner extranet accounts.

Once an infostealer like RedLine or LummaC2 lifts session cookies or login credentials from a hotel staff machine, an attacker can authenticate to the extranet and pass as a legitimate user. The platform sees a valid session. The attacker reads the reservation database. The guest gets a phishing message. Every single step of that chain collapses if the extranet requires a hardware security key or an authenticator app for login from an unrecognized device.

Booking.com has not made this mandatory for its 3.4 million partner properties. Those properties span five-star urban hotels with dedicated IT teams and rural guesthouses where the same Windows PC handles reservations, payroll spreadsheets, and employee YouTube breaks. The security posture across that partner network is wildly inconsistent, and attackers have been methodically targeting the weakest end of it for at least eight years.

The ClickFix technique compounds this because endpoint detection tools frequently miss it. An EDR watching for malware execution does not necessarily flag a user manually typing Win+R and pasting a string from their clipboard. The action looks authorized from the machine’s perspective. It is the user running the command, not an automated process. The gap between corporate security tooling and human behavior is exactly what Storm-1865 and the operators behind BR-UNC-030 are exploiting.
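Because the pasted command runs under the user’s own session, detection has to key on the launch pattern and the follow-on behaviour rather than on a malware signature. The block below is an added example, not detection content from Microsoft, Sekoia, Bridewell or any EDR vendor. It runs three rules over constructed telemetry shaped like Sysmon process-create, registry-set and network-connect events: a script host spawned by explorer.exe with a download or encoded-command argument (what the Win+R, Ctrl+V, Enter sequence produces), a Run-key write from a binary outside the vendor directories (the PureRAT persistence mechanism described earlier), and an outbound connection to the 56001 to 56003 ports named for its C2. Field names, file paths, the hostname and the address are placeholders.

```python
"""Endpoint rules for the ClickFix launch pattern and PureRAT indicators (added example)."""
import re

# Interpreters that the Run dialog (Win+R) hands a pasted command to.
RUN_DIALOG_TARGETS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                      "wscript.exe", "cscript.exe"}
# Fragments indicating a remote fetch or an obfuscated command line.
FETCH_OR_ENCODED = re.compile(
    r"https?://|-e(?:nc|ncodedcommand)?\b|DownloadString|Invoke-WebRequest"
    r"|\biwr\b|\bcurl\b|FromBase64String",
    re.IGNORECASE,
)
# Persistence location and C2 ports from the PureRAT description on this page.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
PURERAT_C2_PORTS = {56001, 56002, 56003}
# Binaries under these prefixes are treated as vendor-installed. This only
# suppresses noise: a dropper copied into Program Files would pass, so it is
# not a trust decision.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict):
    """Run-dialog launch: explorer.exe parent, script-host child, fetch or encoded args."""
    if basename(ev["parent"]) != "explorer.exe":
        return None
    if basename(ev["image"]) not in RUN_DIALOG_TARGETS:
        return None
    # A user opening a plain console from the Start menu also has explorer.exe
    # as parent; the command-line indicator is what separates the two.
    if not FETCH_OR_ENCODED.search(ev["cmdline"]):
        return None
    return "clickfix-run-dialog-launch"


def check_registry(ev: dict):
    """Run-key write by a binary outside the vendor directories."""
    if not RUN_KEY.search(ev["target"]):
        return None
    if ev["image"].lower().startswith(TRUSTED_PREFIXES):
        return None
    return "run-key-persistence"


def check_network(ev: dict):
    """Outbound TCP to one of the ports the page attributes to PureRAT C2."""
    if ev.get("proto", "tcp") == "tcp" and int(ev["dst_port"]) in PURERAT_C2_PORTS:
        return "purerat-c2-port"
    return None


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def evaluate(events):
    """Return (seq, rule) for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        rule = CHECKS[ev["type"]](ev)
        if rule:
            hits.append((ev["seq"], rule))
    return hits


# Constructed telemetry; every path, key, hostname and address is a placeholder.
SAMPLE_EVENTS = [
    {"seq": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc BASE64_PLACEHOLDER"},
    {"seq": 2, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell"},  # receptionist opened a console: benign
    {"seq": 3, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://placeholder.invalid/verify.hta"},
    {"seq": 4, "type": "process", "parent": r"C:\Tools\build.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c curl https://placeholder.invalid/deps.zip"},  # not a Run-dialog launch
    {"seq": 5, "type": "registry", "image": r"C:\Users\frontdesk\AppData\Roaming\svc.exe",
     "target": r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"seq": 6, "type": "registry", "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"seq": 7, "type": "network", "image": r"C:\Users\frontdesk\AppData\Roaming\svc.exe",
     "dst": "203.0.113.10", "dst_port": 56002, "proto": "tcp"},
    {"seq": 8, "type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dst": "203.0.113.20", "dst_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for seq, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {seq}: {rule}")
```

The process rule is the one an operator will work hardest to evade, since the command-line indicator is the only thing separating a lure launch from a receptionist opening a console; the persistence and C2-port rules exist so that a single obfuscated command line is not the only chance to catch the intrusion.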

What Polaris Holdings’ Disclosure Reveals

The dual-monetization aspect of the Polaris Holdings incident deserves more attention than it has received.

Most discussions of this incident focus on either the guest-facing phishing or the bank account tampering. What is notable is that both happened from the same compromise. The attacker did not choose between stealing guest card data and hijacking hotel receivables. They did both, in sequence, from a single unauthorized session on the Polaris group account.

The mechanics of how this is possible are built into the extranet’s architecture. A hotel’s Booking.com partner account contains, on the same interface, the guest reservation data for upcoming stays, the payment method details associated with those bookings, and the payout bank account where Booking.com deposits accommodation fees. An attacker with full account access can modify the payout account to redirect future settlements to a criminal-controlled account, and can simultaneously read the guest list to build a phishing campaign.

Polaris disclosed that the payout bank account for several hotels within the group was altered, with approximately 9 million yen in receivables from one property confirmed diverted. For context, that represents the accommodation revenue from roughly 900 occupied rooms at a 10,000 yen per night rate – months of operating revenue wiped out in a single fraudulent account modification. The company reset passwords across all hotels, is cooperating with authorities, and confirmed at time of disclosure that no customer credit card leaks have been verified. The guest phishing incidents, however, were already in progress and linked to data obtained through the same compromised account.

The Red Flags, Spelled Out

Booking.com’s official position is clear, and consistent across incidents: the company will never request credit card information via email or chat. Payment is made through the method stated in the original booking confirmation, not through a link delivered via WhatsApp or SMS after the fact.

The signature markers of the fraudulent messages targeting Japanese travelers follow a recognizable pattern. The message arrives via WhatsApp or an overseas phone number, often in English even when the booking was made through Japanese-language channels. It includes the correct reservation number and stay dates verbatim, which is what makes it feel legitimate. It claims a card verification failure and states the reservation will be cancelled unless the recipient completes a procedure within 24 to 48 hours. The link goes to a page outside the official Booking.com app that requests card details.

None of those steps are part of any legitimate Booking.com process. The urgency framing, the channel shift from in-app to external messaging, and the card re-entry request are all operational signatures of the fraud campaign.
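For a hotel’s guest relations desk triaging inbound complaints, the markers in the preceding paragraphs can be applied as a checklist against each reported message. The block below is an added example rather than anything Booking.com or the Japan Hotel Association publishes. It assumes a report record carrying the channel, the sender number, the hotel’s own country code and the language the booking was made in, treats only booking.com and its subdomains as on-platform, and scores the five markers the text lists: external channel with a foreign number, an off-platform link, a card re-entry request, deadline pressure, and a language mismatch with the booking. Both sample messages are constructed.

```python
"""Checklist triage of a guest-reported message against the fraud markers (added example)."""
import re
from urllib.parse import urlsplit

# Assumed allowlist: the platform's own domain and its subdomains count as on-platform.
OFFICIAL_DOMAINS = ("booking.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DEADLINE_RE = re.compile(
    r"\b(?:within|in)\s+\d{1,2}\s*(?:hours?|hrs?|h)\b|\bcancel(?:led|ed|lation)\b",
    re.IGNORECASE,
)
CARD_RE = re.compile(
    r"\b(?:credit\s+card|card\s+(?:details|number|verification)|cvv"
    r"|re-?enter\s+(?:your\s+)?card)\b",
    re.IGNORECASE,
)
# Hiragana, katakana and the main CJK ideograph block.
JAPANESE_RE = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")


def is_official(url: str) -> bool:
    """True only for the allowlisted domain or a subdomain of it (not a prefix lookalike)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(msg: dict) -> dict:
    """Return the markers found in one reported message and an overall verdict."""
    flags = []
    if msg["channel"] in ("whatsapp", "sms") and not msg["sender"].startswith(msg["hotel_country_code"]):
        flags.append("external-channel-foreign-number")
    if any(not is_official(u) for u in URL_RE.findall(msg["text"])):
        flags.append("off-platform-link")
    if CARD_RE.search(msg["text"]):
        flags.append("card-reentry-request")
    if DEADLINE_RE.search(msg["text"]):
        flags.append("deadline-pressure")
    if msg["booking_language"] == "ja" and not JAPANESE_RE.search(msg["text"]):
        flags.append("language-mismatch")

    # A link that leaves the platform and asks for card data is the defining
    # pair; the other markers raise suspicion on their own only in combination.
    if "off-platform-link" in flags and "card-reentry-request" in flags:
        verdict = "fraud"
    elif len(flags) >= 3:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"flags": flags, "verdict": verdict}


# Constructed sample reports; numbers, reservation id and hosts are placeholders.
REPORTED_FRAUD = {
    "channel": "whatsapp", "sender": "+44 7700 900123",
    "hotel_country_code": "+81", "booking_language": "ja",
    "text": ("Card verification for reservation RES-PLACEHOLDER (check-in 2026-06-20) failed. "
             "Verify your credit card within 24 hours or the reservation will be cancelled: "
             "https://booking-verify.example/r/RES-PLACEHOLDER"),
}
REPORTED_LEGIT = {
    "channel": "app", "sender": "Booking.com",
    "hotel_country_code": "+81", "booking_language": "ja",
    "text": "ご予約ありがとうございます。チェックインは15時からです。詳細: https://secure.booking.com/reservation",
}

if __name__ == "__main__":
    print(triage(REPORTED_FRAUD))
    print(triage(REPORTED_LEGIT))
```

The host check deliberately uses exact-domain or dot-suffix matching rather than a substring test, so a host such as booking.com.example or a Cyrillic look-alike is off-platform even though it contains or resembles the brand.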

The Japan Hotel Association is urging any guest who receives such a message to contact the hotel directly through a verified phone number, or to open the official Booking.com app and check the reservation status there. Booking.com’s own Trust and Safety page confirms it does not initiate payment requests through third-party messaging channels.

The Broader Picture

This campaign is not limited to Japan, and it is not limited to Booking.com. Sekoia tracked the same infrastructure and methodology being used to target Expedia and Agoda accounts in parallel. The pattern has been documented across Europe, North America, Australia, and Southeast Asia with the same three-stage structure: compromise hotel staff via ClickFix, harvest extranet credentials, contact guests with reservation-accurate phishing.

What Japan represents is a concentrated second hit – a recurrence following the 2023 warning, with the same attack chain producing the same result because the underlying structural vulnerability was never resolved. Forty major hotel brands filing warning notices simultaneously in a compressed window is not a coincidence. It indicates a coordinated, timed campaign, not random opportunism.

The Japan Tourism Agency is simultaneously investigating Booking.com, individual hotels, and the Japan Hotel Association, which is about as wide a net as a government regulator can cast. Whether that pressure translates into mandatory security controls on the extranet side remains to be seen.

Until it does, the math is simple. Every hotel property connected to a major OTA’s partner portal without mandatory MFA is a potential entry point. Every guest with an upcoming reservation is a potential target. The reservation data is accurate, the messaging looks real, and the fraudsters have had eight years of practice running this exact play.

This post first appeared at - The CyberSec Guru