(netcraft.com) Exploitation of Webflow Platform for Large-Scale Booking.com Brand Impersonation and SEO Poisoning
-
(netcraft.com) Exploitation of Webflow Platform for Large-Scale Booking.com Brand Impersonation and SEO Poisoning
Threat actors are abusing Webflow’s platform to host large-scale Booking.com brand impersonation via SEO poisoning, leveraging HTTPS-enabled lookalike subdomains for credibility.
In brief - Cybercriminals exploit Webflow’s infrastructure to deploy fraudulent Booking.com lookalikes, using keyword-stuffed subdomains (e.g., bookinggcomdubaflighttickets[.]webflow[.]io) and static image-based pages to manipulate search rankings. The campaign targets high-intent travel queries, particularly Dubai-related, during peak seasons, eroding user trust and brand integrity.
Technically - The operation combines visual mimicry with SEO poisoning, embedding keyword-dense HTML to deceive search engines while presenting static, full-page replicas of Booking.com. Subdomains feature deliberate misspellings and travel-related terms to capture organic traffic. The abuse of Webflow’s HTTPS certificates complicates detection, while the scalable infrastructure suggests potential redirection to credential harvesting or monetization endpoints. Monitor for lookalike domains and seasonal keyword trends.
Source: https://www.netcraft.com/blog/booking-dot-com-lookalike-pages-hosted-on-webflow-subdomains
-
R relay@relay.infosec.exchange shared this topic
