惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
LINUX DO - 热门话题
S
Secure Thoughts
TaoSecurity Blog
TaoSecurity Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Threat Research - Cisco Blogs
AI
AI
B
Blog RSS Feed
S
Schneier on Security
雷峰网
雷峰网
Schneier on Security
Schneier on Security
Help Net Security
Help Net Security
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
罗磊的独立博客
有赞技术团队
有赞技术团队
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
The Cloudflare Blog
Webroot Blog
Webroot Blog
Last Week in AI
Last Week in AI
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
美团技术团队
L
Lohrmann on Cybersecurity
T
The Blog of Author Tim Ferriss
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Vercel News
Vercel News
Know Your Adversary
Know Your Adversary
O
OpenAI News
博客园 - 【当耐特】
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cybersecurity and Infrastructure Security Agency CISA
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
I
InfoQ
GbyAI
GbyAI
T
Threatpost
C
Cisco Blogs

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign
Daniel López · 2025-08-29 · via Okta Security RSS Feed

Okta Threat Intelligence is tracking a large-scale phishing campaign that has impersonated at least a dozen service providers that specialize in hotels and vacation rentals. 

In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search. The attacks leverage convincing fake login pages and social engineering tactics to bypass security controls and exploit user trust. 

We observed at least thirteen hospitality companies impersonated with these lures.

Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.

Initial Access

We observed campaigns in which malvertising - the purchase of malicious search engine advertisements – was used to lure unsuspecting users of the impersonated hospitality or vacation rental company.

For instance, a search query for the name of one of these companies might display a number of sponsored ads that direct users to a malicious site:

Figure 1. Example of malvertising showing two fake websites promoted above a legitimate domain

Figure 2. Example of malvertising directing users to another phishing site

Observed domains used a typosquatting variation of the legitimate website.

A user that navigates to one of these malicious domains is presented a fake login page. We observed a large number of phishing sites that impersonated at least thirteen hospitality companies.

Figure 3. Oracle Hospitality was one of numerous service providers impersonated

Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.

Tactics, Techniques and Procedures

The objective of the first stage of the campaign is credential harvesting. The phishing pages were configured to capture usernames, email addresses, phone numbers and passwords. 

The observed activity demonstrates an intent to bypass or capture multi-factor authentication (MFA) codes. For instance, some phishing pages explicitly prompt for "One time password" or offer "Sign in with SMS Code" and "Email Code" options.

Figure 4. Screenshot of a phishing website impersonating Airbnb

Figure 5. Once a phone number is entered,  the phishing page prompts for OTP codes sent via SMS

Inspecting the source code of these websites, we can observe the following text:

<script>
    function sendRequest() {
        fetch("/mksd95jld43").catch(error => console.error("Ошибка запроса:", error));
    }
    // Запускаем запрос каждые 10 секунд
    setInterval(sendRequest, 10000);
</script>

The error message “Ошибка запроса” (“Request error”) and comment “Запускаем запрос каждые 10 секунд” (“We start the request every 10 seconds”) suggest the possibility of Russian-speaking actors behind this campaign. The campaign also employed a large Russian datacenter proxy provider during attacker sign-in activity.

The campaign also employs a beaconing technique for tracking and analytics. This allows the attacker to gather valuable real-time information about the victims who have landed on the phishing page, including: 

  • Visitor Analytics

  • Geolocation & Targeting

  • Session Duration

  • Bot Detection

  • Status Monitoring

Okta customers can access a detailed set of indicators of compromise by selecting Okta Threat Intelligence at security.okta.com.

Mitigating Controls

  • Enrol customers and partners in the strongest available authenticator, prioritising possession factors like passkeys to introduce phishing resistance while minimizing user friction. Enroll workforce users in strong authenticators such as Okta FastPass, passkeys (FIDO2 WebAuthn) and smart cards and enforce phishing resistance in policy. 

  • Deny or require higher assurance for requests from rarely-used networks. 

  • Identify and automate responses to requests for access to applications that deviate from previously established patterns of user activity using adaptive risk assessments.

  • Monitor suspicious domain registrations to observe any changes in the content served up to users. Review application logs for any evidence of communication with suspicious domains. If content hosted on the domain violates copyright or legal marks, consider providing evidence and issuing a takedown request with the domain registrar and/or web hosting provider.

  • Warn users when malvertising and phishing campaigns appear to be targeting your brand.

  • Notify end users if suspicious activity is observed on their account.

Moussa Diallo contributed to this research.

Daniel López is a Cyber Threat Researcher at Okta, where he focuses on tracking threat actor activity and the evolving threat landscape to best protect Okta’s employees and customers. Prior to joining Okta, Daniel worked at international companies across the consulting, financial services, and technology sectors. He enjoys participating in trusted infosec groups, continuously learning (both tech and non-tech topics), and staying physically active.