Phishing Campaigns “I Paid Twice” Targeting Booking.com Hotels and Customers

    Date: 11/07/2025

    Severity: High

    Summary

    A global phishing campaign is targeting the hospitality industry, exploiting compromised Booking.com accounts and WhatsApp messages to defraud hotel customers. The attackers gained access to hotel systems through infostealer malware, stealing credentials for booking platforms such as Booking.com and Expedia. These credentials were later sold or misused to send fraudulent emails that appear legitimate because they contain stolen customer and reservation data. The campaign, dubbed “I Paid Twice,” is notable for its use of the ClickFix social engineering tactic, in which victims unknowingly compromise their own hotel accounts; the stolen access is then used for banking fraud and to trick customers into paying twice.

    Indicators of Compromise (IOC) List 

    URLs/Domains


    IP Address

    85.208.84.94

    77.83.207.106

    Hash

    703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1

    5301f5a3fb8649edb0a5768661d197f872d40cfe7b8252d482827ea27077c1ec

    64838e0a3e2711b62c4f0d2db5a26396ac7964e31500dbb8e8b1049495b5d1f3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "update-info1676.com" or siteurl like "update-info1676.com" or url like "update-info1676.com" or domainname like "eiscoaqscm.com" or siteurl like "eiscoaqscm.com" or url like "eiscoaqscm.com" or domainname like "https://verifycard45625-expedia.com/67764524" or siteurl like "https://verifycard45625-expedia.com/67764524" or url like "https://verifycard45625-expedia.com/67764524" or domainname like "booking-refguestitem-09064111.com" or siteurl like "booking-refguestitem-09064111.com" or url like "booking-refguestitem-09064111.com" or domainname like "https://bknqsercise.com/bomla" or siteurl like "https://bknqsercise.com/bomla" or url like "https://bknqsercise.com/bomla" or domainname like "https://bqknsieasrs.com/loggqibkng" or siteurl like "https://bqknsieasrs.com/loggqibkng" or url like "https://bqknsieasrs.com/loggqibkng" or domainname like "bqknsieasrs.com" or siteurl like "bqknsieasrs.com" or url like "bqknsieasrs.com" or domainname like "bkngssercise.com" or siteurl like "bkngssercise.com" or url like "bkngssercise.com" or domainname like "admin-extranetadm-captcha.com" or siteurl like "admin-extranetadm-captcha.com" or url like "admin-extranetadm-captcha.com" or domainname like "booking-confview-doc-00097503843.com" or siteurl like "booking-confview-doc-00097503843.com" or url like "booking-confview-doc-00097503843.com" or domainname like "https://confirmation8324-booking.com/17149438" or siteurl like "https://confirmation8324-booking.com/17149438" or url like "https://confirmation8324-booking.com/17149438" or domainname like "https://zenavuurwerkofficial.com/62is" or siteurl like "https://zenavuurwerkofficial.com/62is" or url like "https://zenavuurwerkofficial.com/62is" or domainname like "update-infos616.com" or siteurl like "update-infos616.com" or url like "update-infos616.com" or domainname like "mccplogma.com" or siteurl like "mccplogma.com" or url like "mccplogma.com" or domainname like "confirminfo-hotel20may05.com" or siteurl like 
"confirminfo-hotel20may05.com" or url like "confirminfo-hotel20may05.com" or domainname like "mccp-logistics.com" or siteurl like "mccp-logistics.com" or url like "mccp-logistics.com" or domainname like "admin-extranet-reservationsexp.com" or siteurl like "admin-extranet-reservationsexp.com" or url like "admin-extranet-reservationsexp.com" or domainname like "https://seedsuccesspath.com/6m8a" or siteurl like "https://seedsuccesspath.com/6m8a" or url like "https://seedsuccesspath.com/6m8a" or domainname like "breserve-custommessagehelp.com" or siteurl like "breserve-custommessagehelp.com" or url like "breserve-custommessagehelp.com" or domainname like "admin-extranetmnxz-captcha.com" or siteurl like "admin-extranetmnxz-captcha.com" or url like "admin-extranetmnxz-captcha.com" or domainname like "booking-aprilreviewstir-9650233.com" or siteurl like "booking-aprilreviewstir-9650233.com" or url like "booking-aprilreviewstir-9650233.com" or domainname like "https://cquopymaiqna.com/bomla" or siteurl like "https://cquopymaiqna.com/bomla" or url like "https://cquopymaiqna.com/bomla" or domainname like "https://byliljedahl.com/8anf" or siteurl like "https://byliljedahl.com/8anf" or url like "https://byliljedahl.com/8anf" or domainname like "https://hareandhosta.com/95xh" or siteurl like "https://hareandhosta.com/95xh" or url like "https://hareandhosta.com/95xh" or domainname like "https://verifyguest02667-booking.com/17149438" or siteurl like "https://verifyguest02667-booking.com/17149438" or url like "https://verifyguest02667-booking.com/17149438" or domainname like "guesting-servicesid91202.com" or siteurl like "guesting-servicesid91202.com" or url like "guesting-servicesid91202.com" or domainname like "admin-extranetmngrxz-captcha.com" or siteurl like "admin-extranetmngrxz-captcha.com" or url like "admin-extranetmngrxz-captcha.com" or domainname like "https://bkngssercise.com/bomla" or siteurl like "https://bkngssercise.com/bomla" or url like 
"https://bkngssercise.com/bomla" or domainname like "booking-agreementstatementapril0429.com" or siteurl like "booking-agreementstatementapril0429.com" or url like "booking-agreementstatementapril0429.com" or domainname like "https://homelycareinc.com/po7r" or siteurl like "https://homelycareinc.com/po7r" or url like "https://homelycareinc.com/po7r" or domainname like "https://headkickscountry.com/lz1y" or siteurl like "https://headkickscountry.com/lz1y" or url like "https://headkickscountry.com/lz1y" or domainname like "booking-agreementaprilreviews042025.com" or siteurl like "booking-agreementaprilreviews042025.com" or url like "booking-agreementaprilreviews042025.com" or domainname like "admin-extranet-reservationsinfos.com" or siteurl like "admin-extranet-reservationsinfos.com" or url like "admin-extranet-reservationsinfos.com" or domainname like "booking-reservationsdetail-id0025911.com" or siteurl like "booking-reservationsdetail-id0025911.com" or url like "booking-reservationsdetail-id0025911.com" or domainname like "https://ctrlcapaserc.com/loggqibkng" or siteurl like "https://ctrlcapaserc.com/loggqibkng" or url like "https://ctrlcapaserc.com/loggqibkng" or domainname like "bknqsercise.com" or siteurl like "bknqsercise.com" or url like "bknqsercise.com" or domainname like "booking-confviewdocum-0079495902.com" or siteurl like "booking-confviewdocum-0079495902.com" or url like "booking-confviewdocum-0079495902.com" or domainname like "https://cardverify0006-booking.com/37858999" or siteurl like "https://cardverify0006-booking.com/37858999" or url like "https://cardverify0006-booking.com/37858999"

    Detection Query 2:

    domainname like "booking-viewdocdetails-0975031.com" or siteurl like "booking-viewdocdetails-0975031.com" or url like "booking-viewdocdetails-0975031.com" or domainname like "admin-extranetrservq-cstmrq.com" or siteurl like "admin-extranetrservq-cstmrq.com" or url like "admin-extranetrservq-cstmrq.com" or domainname like "https://brownsugarcheesecakebar.com/ajm4" or siteurl like "https://brownsugarcheesecakebar.com/ajm4" or url like "https://brownsugarcheesecakebar.com/ajm4" or domainname like "whooamisercisea.com" or siteurl like "whooamisercisea.com" or url like "whooamisercisea.com" or domainname like "https://bkngpropadm.com/bomla" or siteurl like "https://bkngpropadm.com/bomla" or url like "https://bkngpropadm.com/bomla" or domainname like "booking-visitorviewdetails-64464043.com" or siteurl like "booking-visitorviewdetails-64464043.com" or url like "booking-visitorviewdetails-64464043.com" or domainname like "bookingadmin-updateofmay2705.com" or siteurl like "bookingadmin-updateofmay2705.com" or url like "bookingadmin-updateofmay2705.com" or domainname like "https://customvanityco.com/izsb" or siteurl like "https://customvanityco.com/izsb" or url like "https://customvanityco.com/izsb" or domainname like "comsquery.com" or siteurl like "comsquery.com" or url like "comsquery.com" or domainname like "https://jamerimprovementsllc.com/ao9o" or siteurl like "https://jamerimprovementsllc.com/ao9o" or url like "https://jamerimprovementsllc.com/ao9o" or domainname like "reserv-captchaapril04152025.com" or siteurl like "reserv-captchaapril04152025.com" or url like "reserv-captchaapril04152025.com" or domainname like "https://activatecapagm.com/j8r3" or siteurl like "https://activatecapagm.com/j8r3" or url like "https://activatecapagm.com/j8r3" or domainname like "https://confirmation887-booking.com/17149438" or siteurl like "https://confirmation887-booking.com/17149438" or url like "https://confirmation887-booking.com/17149438" or domainname like 
"confvisitor-doc.com" or siteurl like "confvisitor-doc.com" or url like "confvisitor-doc.com" or domainname like "booking-reservationinfosid0251358.com" or siteurl like "booking-reservationinfosid0251358.com" or url like "booking-reservationinfosid0251358.com" or domainname like "ctrlcapaserc.com" or siteurl like "ctrlcapaserc.com" or url like "ctrlcapaserc.com" or domainname like "https://zenavuurwerkofficial.com/62is" or siteurl like "https://zenavuurwerkofficial.com/62is" or url like "https://zenavuurwerkofficial.com/62is" or domainname like "https://byliljedahl.com/lv6q" or siteurl like "https://byliljedahl.com/lv6q" or url like "https://byliljedahl.com/lv6q" or domainname like "https://ctrlcapaserc.com/bomla" or siteurl like "https://ctrlcapaserc.com/bomla" or url like "https://ctrlcapaserc.com/bomla" or domainname like "https://emprotel.net.bo/updserc.zip" or siteurl like "https://emprotel.net.bo/updserc.zip" or url like "https://emprotel.net.bo/updserc.zip" or domainname like "https://cabinetifc.com/upseisser.zip" or siteurl like "https://cabinetifc.com/upseisser.zip" or url like "https://cabinetifc.com/upseisser.zip" or domainname like "https://guest03442-booking.com/17149438" or siteurl like "https://guest03442-booking.com/17149438" or url like "https://guest03442-booking.com/17149438" or domainname like "whooamisercise.com" or siteurl like "whooamisercise.com" or url like "whooamisercise.com" or domainname like "aidaqosmaioa.com" or siteurl like "aidaqosmaioa.com" or url like "aidaqosmaioa.com" or domainname like "cquopymaiqna.com" or siteurl like "cquopymaiqna.com" or url like "cquopymaiqna.com" or domainname like "contmasqueis.com" or siteurl like "contmasqueis.com" or url like "contmasqueis.com" or domainname like "caspqisoals.com" or siteurl like "caspqisoals.com" or url like "caspqisoals.com" or domainname like "admin-extranetadmns-captcha.com" or siteurl like "admin-extranetadmns-captcha.com" or url like "admin-extranetadmns-captcha.com" or domainname like "extranet-admin-reservationssept.com" or siteurl 
like "extranet-admin-reservationssept.com" or url like "extranet-admin-reservationssept.com" or domainname like "bookreservfadrwer-customer.com" or siteurl like "bookreservfadrwer-customer.com" or url like "bookreservfadrwer-customer.com" or domainname like "guestinfo-aboutstay1205.com" or siteurl like "guestinfo-aboutstay1205.com" or url like "guestinfo-aboutstay1205.com" or domainname like "confsvisitor-missing-items.com" or siteurl like "confsvisitor-missing-items.com" or url like "confsvisitor-missing-items.com" or domainname like "booking-agreementstatementapril0225.com" or siteurl like "booking-agreementstatementapril0225.com" or url like "booking-agreementstatementapril0225.com" or domainname like "api-notification-centeriones.com" or siteurl like "api-notification-centeriones.com" or url like "api-notification-centeriones.com" or domainname like "booking-reviewsguestpriv-10101960546.com" or siteurl like "booking-reviewsguestpriv-10101960546.com" or url like "booking-reviewsguestpriv-10101960546.com" or domainname like "sqwqwasresbkng.com" or siteurl like "sqwqwasresbkng.com" or url like "sqwqwasresbkng.com"

    Detection Query 3:

    dstipaddress IN ("77.83.207.106","85.208.84.94") or srcipaddress IN ("77.83.207.106","85.208.84.94")

    Detection Query 4:

    sha256hash IN ("5301f5a3fb8649edb0a5768661d197f872d40cfe7b8252d482827ea27077c1ec","64838e0a3e2711b62c4f0d2db5a26396ac7964e31500dbb8e8b1049495b5d1f3","703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1")
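    To show how the indicators above translate into detection logic outside the TDIR query language, here is an added Python example (not Gurucul's or Sekoia's code) that matches a subset of the advisory's IOCs against constructed log events; it derives the host from full-URL indicators for the domain-valued fields instead of comparing the whole URL string, and also catches subdomains of a listed domain. The event field names mirror the queries above, while the event format and sample values are assumptions.

```python
from urllib.parse import urlparse

# Indicators taken from the advisory above (a subset, for illustration).
IOC_DOMAINS = {"update-info1676.com", "bknqsercise.com", "admin-extranetadm-captcha.com"}
IOC_URLS = {"https://bknqsercise.com/bomla", "https://verifycard45625-expedia.com/67764524"}
IOC_IPS = {"85.208.84.94", "77.83.207.106"}
IOC_SHA256 = {"703355e8e93f30df19f7f7b8800bd623f1aee1f020c43a4a1e11e121c53b5dd1"}
# A full-URL IOC can only ever appear in a URL-valued field; for the domain-valued
# fields we match on its host rather than comparing the whole URL string.
IOC_DOMAINS |= {urlparse(u).hostname for u in IOC_URLS}

def host_of(value):
    """Lowercase host of a URL or bare domain string ('' if none)."""
    if not value:
        return ""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def domain_hits(host):
    """Match the host and every parent domain, so sub.evil.com also hits evil.com."""
    labels = host.split(".")
    return {".".join(labels[i:]) for i in range(len(labels))} & IOC_DOMAINS

def match_event(event):
    """Return the sorted IOC matches for one normalised log event (a dict of fields)."""
    hits = set()
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field, "")
        hits |= {"domain:" + d for d in domain_hits(host_of(value))}
        if value.rstrip("/") in IOC_URLS:
            hits.add("url:" + value.rstrip("/"))
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.add("ip:" + event[field])
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.add("sha256:" + event["sha256hash"].lower())
    return sorted(hits)

# Constructed sample events (not real telemetry); 192.0.2.x is a documentation range.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://bknqsercise.com/bomla", "dstipaddress": "192.0.2.10"},
    {"id": 2, "domainname": "login.update-info1676.com"},
    {"id": 3, "srcipaddress": "77.83.207.106", "url": "https://www.booking.com/"},
    {"id": 4, "sha256hash": "703355E8E93F30DF19F7F7B8800BD623F1AEE1F020C43A4A1E11E121C53B5DD1"},
    {"id": 5, "url": "https://www.booking.com/hotel/", "dstipaddress": "192.0.2.11"},
]

def scan(events=SAMPLE_EVENTS):
    """Map event id -> IOC matches, keeping only the events that matched something."""
    return {e["id"]: hits for e in events if (hits := match_event(e))}
```

Event 5 is benign and produces no match; the hash comparison is case-insensitive because SIEMs do not agree on hex casing.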

    Reference:

    https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/#

