We’re seeing an ongoing phishing campaign targeting hotels and hosts, impersonating messages from 'Booking.com' - see sample image below.
Here’s what we know so far:
Emails appear to target actual 'Booking.com' host email addresses, which may indicate that recipient data was obtained from a previous breach - the timing is particularly relevant given the 'Booking.com' data breach last month (see article - https://www.bbc.co.uk/news/articles/cly00jnnxypo).
While the emails appear to come from 'Booking.com', they are actually sent via compromised accounts.
Messages typically reference a “complaint” or “special request” requiring urgent action.
Links often use URL shorteners or services like 'share.google' to hide the phishing pages.
The goal is to steal login credentials or payment details through fake portals.
These phishing emails are very convincing, so extra caution is prudent - here are some steps you can take to reduce risk:
Be cautious of urgency or pressure in booking-related emails
Avoid clicking shortened or unfamiliar links
Verify requests by logging into the platform directly
Report suspicious emails internally or to the platform provider
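As an added illustration (not part of the original post), here is a small Python triage heuristic that checks inbound mail for the traits listed above: the message names the brand but the sender domain is unrelated, links point at shortener hosts such as share.google, and the wording presses for urgent action. The shortener list, the urgency terms and the two-flag threshold are assumptions to tune for your own environment; the sample message is constructed.

```python
# Added example: heuristic triage for the lure pattern described above.
# Heuristic only; the domain list, wording list and threshold are assumptions.
import re
from email import message_from_string

SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "share.google"}
URGENCY_TERMS = ("complaint", "special request", "urgent", "immediately", "within 24 hours")
CLAIMED_BRAND = "booking.com"
URL_RE = re.compile(r"https?://([^\s/<>\"']+)", re.IGNORECASE)


def sender_domain(from_header):
    """Return the domain part of the From: address, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", from_header or "")
    return m.group(1).lower() if m else ""


def link_hosts(text):
    """Collect the host part of every http(s) URL in the text, lower-cased."""
    return {h.lower() for h in URL_RE.findall(text)}


def triage(raw_email):
    """Score one plain-text email; returns (flags, verdict)."""
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (subject + "\n" + body).lower()
    flags = []
    dom = sender_domain(msg.get("From"))
    # Brand named in the message, but sent from an unrelated domain (compromised account).
    if CLAIMED_BRAND in text and dom != CLAIMED_BRAND and not dom.endswith("." + CLAIMED_BRAND):
        flags.append("brand_mismatch:" + dom)
    # Shortener / redirector hosts used to hide the real landing page.
    shorteners = link_hosts(body) & SHORTENER_DOMAINS
    if shorteners:
        flags.append("shortened_link:" + ",".join(sorted(shorteners)))
    # Pressure wording typical of the lure.
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency")
    verdict = "likely-phish" if len(flags) >= 2 else "review" if flags else "clean"
    return flags, verdict


# Constructed sample for demonstration, not a real message.
SAMPLE_PHISH = """From: Reservations <frontdesk@some-other-hotel.example>
Subject: Urgent: guest complaint on your Booking.com listing

A guest filed a complaint. Review the special request within 24 hours:
https://share.google/abc123
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
```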
Galeon LLC (AS211663) and aforementioned UFO TECHNOLOGIES LIMITED (AS201738) to this threat actor. Both networks trace back to St. Petersburg, Russia (and are included in our DROP and ASN-DROP lists).
UK-based shell corporation utilized for nefarious purposes: UFO TECHNOLOGIES LIMITED, registered to the pictured address in Ipswich (which houses a co-working space) in February. Its director,
victims came under siege from a botnet spam campaign advertising erectile dysfunction medication to them.
Chinese ISPs, causing a +268% XBL listing increase at China Mobile Communications Corporation's networks in particular, pushing this ISP to rank #1 of our top 10:
turkcell[.]com[.]tr's networks.