
Picture this: you find a travel booking site for your dream break, proceed to the payment page, enter your card details—and you think all is well. But in reality you’ve landed on a counterfeit site designed purely to harvest payment information. In 2025 a Russian-speaking threat actor registered more than 4,300 fake travel-related domains to impersonate well-known booking platforms and hotel brands, specifically targeting guests and travellers.
Of those domains, hundreds used names containing the word “Booking”, some used “Expedia”, “Agoda” or “Airbnb” to mimic major travel names and trick visitors into a false sense of trust.
This is no small-scale phishing stunt; this is large-scale, automated, monetised fraud. The campaign organisers appear to have been building a massive network of look-alike sites, registering domains en masse since early in the year.
What the victims saw was a familiar scenario: an email claiming to confirm a hotel reservation, or asking them to finalise a booking. The link in the email leads through one or more redirects to a domain which looks very much like the legitimate site they expect—complete with hotel imagery, booking confirmation pages and payment prompts.
Once there, the user is asked to enter their card number, expiry date, CVV and possibly other personal details. These details end up in the hands of the fraudsters. Meanwhile the website infrastructure is designed to avoid easy detection: domains follow naming patterns like “confirmation”, “reservation”, “guest-check”, the pages support dozens of languages, and the user is unaware they are on a fake site.
The hospitality sector is a particularly attractive target. Many travellers are time-sensitive, assume a site is safe, and may not closely inspect the URL or certificate when they just want to secure their booking. That is exactly what the attackers exploit.
What elevates this assault into something truly alarming is the role of artificial intelligence. Where once scams were constrained by limited resources and manual effort, now AI tools enable operators to spin up dozens or hundreds of convincing fake sites, tailor them with branded visuals, generate text, fabricate realistic reviews, even personalise language and adjust content based on the visitor’s location.
Instead of one crude clone of a travel site, there might be many clones, each optimised and adapted, operating in parallel. That rapid production, combined with automation, means more volume and greater sophistication. The scammers no longer need deep web-development skill sets: they just need AI tooling, domain registration, hosting and payment capture. The result: more clones, faster time to deployment, and greater evasion of traditional detection.
In short, AI has lowered the bar for launching large-scale campaigns and increased the risk for both brands and customers.
This threat demonstrates clearly why external attack surface management (EASM) matters. Organisations often focus on securing their internal networks, firewalls and endpoints—but what about the assets operating outside those perimeter walls? The domains, sub-domains, externally-hosted booking pages, impersonator websites, clones running on unmonitored infrastructure: those are all part of your external attack surface.
DarkInvader’s EASM platform offers visibility into that surface. It scans domain registrations, identifies look-alike domains, checks for brand impersonations, monitors externally hosted infrastructure and flags potential fake websites pretending to operate under your name. When you face the threat of thousands of fake travel sites targeting your brand or customers, that visibility becomes essential.
Fake websites are a textbook example of external risk: they impersonate your brand, exploit your customers, but are outside your direct control. Detecting those impostor sites early—before payment data is lost, before brand trust is eroded—is business-critical. With EASM and DarkInvader’s capabilities you can proactively identify clones, monitor suspicious registrations and shut down threats before damage occurs.
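One way to triage newly registered hostnames for the brand-plus-lure naming pattern described above; this is an added example, not DarkInvader's code or method. The allow-list of legitimate domains, the digit-swap table and the sample hostnames are assumptions constructed for illustration.

```python
import re

# Brand names and lure keywords come from the article; the allow-list and
# the digit-swap table are assumptions made for this example.
BRANDS = ("booking", "expedia", "agoda", "airbnb")
LURES = ("confirmation", "reservation", "guest-check")
LEGIT = ("booking.com", "expedia.com", "agoda.com", "airbnb.com")
DIGIT_SWAPS = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance computed with one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def triage(host):
    """Score one hostname; 0 means allow-listed or no brand resemblance."""
    host = host.lower().rstrip(".")
    # Match the allow-list on the domain suffix, never on a substring.
    if any(host == d or host.endswith("." + d) for d in LEGIT):
        return 0, []
    normal = host.translate(DIGIT_SWAPS)
    tokens = [t for t in re.split(r"[.-]", normal) if t]
    reasons = []
    for brand in BRANDS:
        if brand in normal:
            reasons.append(f"brand:{brand}")
        elif any(edit_distance(t, brand) == 1 for t in tokens):
            reasons.append(f"near-miss:{brand}")
    if not reasons:  # lure words alone also appear on genuine hotel sites
        return 0, []
    lures = [w for w in LURES if w in normal or w.replace("-", "") in normal]
    return 2 * len(reasons) + len(lures), reasons + [f"lure:{w}" for w in lures]

# Constructed sample of newly observed hostnames (reserved .example TLD).
SAMPLE = ["booking-confirmation-4821.example", "secure.booking.com",
          "guest-check.exped1a-reservation.example", "bokking-guestcheck.example",
          "seaside-hotel-reservation.example", "booking.com.guest-check.example"]

def flagged(hosts):
    """Return (host, score) pairs with a non-zero score, highest first."""
    scored = sorted(((triage(h)[0], h) for h in hosts), key=lambda x: -x[0])
    return [(h, s) for s, h in scored if s]

if __name__ == "__main__":
    print(flagged(SAMPLE))
```

Genuine third-party sites that use a brand word in their name will also score, so the output is a review queue for an analyst, not a blocklist.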
If you are a traveller you might assume any site that looks like a trusted booking portal must be safe—but that assumption is increasingly dangerous. Taking just an extra moment to verify the URL, check the site certificate, search independently for the booking brand, can save you from falling into a trap. Be especially wary if you arrive via an unexpected email link or an ad that feels time-pressured.
If you run a business in travel, hospitality or any industry that handles payments you have more at stake. Your brand is being impersonated, your customers targeted, your reputation under threat. Even if you didn’t build the fake site, it exploits your name and your customer trust. That means you need to monitor your external brand presence, detect clones and impostors, and treat your external attack surface with the same urgency as your internal network.
The discovery of a campaign spanning over 4,300 fake travel-booking domains is a stark warning. The fraudsters are scaling, automating and leveraging AI to exploit trust at scale. The concept of an attack surface that goes beyond your firewall is no longer theoretical; it is the frontline of defence. Through an EASM platform like DarkInvader’s you gain the ability to see what’s lurking outside, detect fake websites posing as you, and protect both your customers and your brand. Awareness, proactive monitoring and swift action are the keys.