Thousands of Fake Travel Websites Set Up to Steal Your Hotel Payment Info
A group of hackers recently created more than 4,300 fake travel-booking websites designed to trick hotel guests into giving up their payment card information. These bogus sites pretend to be well-known services like hotel-booking or rental platforms, complete with familiar brand logos and professional-looking layouts — making them seem real at first glance.
The scam works like this: victims receive a spam email telling them they need to confirm a hotel reservation (often with a sense of urgency: “confirm now or your booking will be canceled”). If they click the link in the email, the link redirects them — sometimes through several harmless-looking pages — and eventually lands them on one of the fake booking websites. On the fake site, they’re asked to enter their credit card number, expiration date, CVV, and other payment info to “guarantee” or “confirm” the reservation.
If the victim goes through with it, the fake booking site tries to process a payment in the background. Meanwhile, a fake support chat or a fake security check (such as a seemingly legit CAPTCHA) may appear — all just to make the scenario look more convincing and to take more of the victim’s trust. Once the card info is submitted, the hackers capture it — giving them the ability to charge the card or use the details for fraud.
The fake websites are surprisingly sophisticated: they support dozens of languages, and they adjust their displayed branding based on a hidden code in the website’s link. This tailored appearance — plus the use of well-known travel-site branding and realistic layouts — helps them trick people all over the world.
While the campaign appears to come from a group using Russian-language code (though the attackers haven’t been officially identified), the danger is real for anyone booking travel online, anywhere. This kind of scam shows that — even if you think you’re dealing with a trusted booking site — it’s possible to be fooled by convincingly fake websites.
Bottom line: When you get an email about confirming a hotel reservation, always double-check the URL carefully, make sure the website looks legitimate (not just via email links), avoid entering payment info via links you didn’t initiate, and — when possible — go directly to the official booking platform instead of clicking email links.
