Global Hotels on Alert: Hackers Hijack Google Ads to Steal Hotel Logins in New Cyberattack

The420.in Staff

In late August 2025, a new strain of phishing attacks surfaced that singled out hoteliers and vacation rental operators by hijacking their most trusted entry points: search engines. Instead of deploying the familiar waves of phishing emails, attackers purchased sponsored advertisements that appeared above legitimate search results, redirecting users to malicious domains disguised as well-known hospitality management services.

The campaign, first flagged by analysts at Okta Security, has already been linked to a surge of suspicious traffic routed through a major Russian proxy provider. The findings suggest an operation designed with precision, scalability, and persistence in mind.

Mimicking Trusted Brands Through Paid Ads

By leveraging typosquatted domains, attackers mirrored trusted platforms such as SiteMinder and RoomRaccoon. Victims who searched for login portals to manage reservations or guest communications often found fraudulent ads occupying the top slots in Google Search.

Clicking these ads led to carefully crafted replicas of login interfaces, complete with logos, authentication prompts, and even fields for multi-factor authentication. Unlike most phishing schemes, the attackers integrated mechanisms to harvest one-time passwords (OTPs) in real time. Users who entered SMS or email codes were unwittingly handing attackers everything required for immediate account takeover.

Okta’s investigation revealed Russian-language code comments embedded in the phishing pages, including error messages like “Ошибка запроса” (“Request error”). Analysts interpret this as a sign of Russian-speaking developers behind the infrastructure.

Persistence Through Real-Time Beaconing

The phishing pages also deployed JavaScript beaconing functions that sent data to command-and-control servers every ten seconds. This system allowed attackers to monitor whether victims provided valid credentials, enabling them to intervene instantly if login attempts failed. Beyond static usernames and passwords, the beaconing captured geolocation, session length, and interaction metrics, providing attackers with a detailed map of their targets.
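For defenders, the fixed ten-second beacon interval described above is a detectable pattern in web proxy or DNS logs. The following is an added example, not code from Okta or from the phishing kit: it flags client-to-host flows whose request timing clusters around a ten-second period. The log format, the `.example` hostnames, the thresholds and the function names are all assumptions made for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _lines(client, host, offsets):
    """Build constructed log lines: '<ISO timestamp> <client> <host> <path>'."""
    base = datetime(2025, 8, 28, 9, 0, 0)
    return [f"{(base + timedelta(seconds=s)).isoformat()} {client} {host} /"
            for s in offsets]


# Constructed sample data (assumed format, reserved .example hosts).
SAMPLE_LOG = "\n".join(
    # A browser tab left open on a look-alike login page: one hit every ~10 s.
    _lines("10.0.0.5", "pms-login.example", [0, 10, 20, 31, 40, 50, 60])
    # Ordinary, irregular browsing by the same client.
    + _lines("10.0.0.5", "intranet.example", [0, 3, 45, 47, 120, 300, 310])
    # A regular but slower poller, e.g. a monitoring dashboard.
    + _lines("10.0.0.7", "monitor.example", [0, 60, 120, 180, 240, 300])
)


def find_beacons(log_text, period=10.0, tolerance=1.5, min_hits=6):
    """Return {(client, host): mean_gap_seconds} for flows repeating near `period`."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        ts, client, host = parts[:3]
        stamps[(client, host)].append(datetime.fromisoformat(ts))

    flagged = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps)
        # Periodic means: average gap close to the period AND low spread.
        if abs(mean_gap - period) <= tolerance and jitter <= tolerance:
            flagged[key] = round(mean_gap, 1)
    return flagged


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A hit is only a lead: legitimate single-page applications also poll on fixed timers, so flagged hosts still need to be checked against the organization's known vendor domains.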

Unlike malware-driven infections, this campaign relies on manipulating trust in search engines. By bidding on high-value keywords such as “SiteMinder login,” attackers guaranteed their malicious domains appeared more prominently than authentic services. The blend of ad-based delivery and OTP capture represents an evolution in phishing sophistication.

Security experts warn that organizations in the hospitality sector, where account access directly impacts booking systems and guest data, face heightened risk. Vigilance against malvertising campaigns, particularly monitoring ad placements and sudden login anomalies, remains critical in preventing compromise.
