Fake Travel Reservation Links Target Weary Travelers
A wave of phishing campaigns masquerading as airline and hotel reservation confirmations is compounding the frustration of travelers already grappling with cancellations and overbookings. According to researchers at Proofpoint, the operation—dubbed “TravelSwipe”—has flooded inboxes with emails that appear to come from major carriers such as United Airlines, Delta Air Lines, and Marriott, delivering a convincing “View Trip Details” link. In a two‑week snapshot, the team catalogued more than 12,000 unique malicious URLs, many of which leveraged typosquatting on popular travel‑booking domains to increase their likelihood of being clicked.
The phishing kit behind TravelSwipe is technically sophisticated. When a victim clicks the link, they are redirected to a realistic‑looking booking portal that captures login credentials and credit‑card information via a hidden HTML form posting to an attacker‑controlled server hosted on a bulletproof hosting provider in Eastern Europe. The landing page also injects an obfuscated JavaScript keylogger that records keystrokes in real time and a secondary payload that drops the RevengeRAT backdoor. Proofpoint’s analysis shows that the RAT communicates with a command‑and‑control (C2) server located in Russia, where stolen data is exfiltrated in encrypted packets to evade network detection.
In addition to credential theft, the campaign exploits a known cross‑site scripting (XSS) vulnerability (CVE‑2023‑4481) in the widely used travel‑management platform SAP Concur. By chaining the XSS flaw with the phishing lure, attackers can harvest session tokens from corporate travel portals, granting them lateral movement within enterprise environments. Indicators of compromise (IOCs) released by the research team include the malicious domains travel‑confrm[.]com, flight‑secure‑verify[.]net, and the associated IP address 185.220.101.47, which has been linked to prior ransomware operations.
Organizations and travelers are advised to verify the sender’s domain, hover over links before clicking, and ensure that multi‑factor authentication (MFA) is enabled on all travel‑booking accounts. Security teams should also block the reported IOCs, patch the SAP Concur vulnerability, and reinforce phishing‑awareness training to mitigate the risk of credential harvesting. As travel demand rebounds, threat actors are likely to refine these techniques, making vigilant cyber‑hygiene essential for anyone relying on digital reservation systems.
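The advice above (inspect the domain behind each link, block the published IOCs) and the typosquatting observed in the first paragraph can be combined into a small link-triage check that a mail-security team could run over URLs extracted from reservation emails. The script below is an added example written for this article, not tooling from Proofpoint or the TravelSwipe kit. The IOC domains and IP address are the ones quoted above; the allowlist of legitimate brand domains (united.com, delta.com, marriott.com), the edit-distance threshold, and the sample links are assumptions constructed for the demonstration.

```python
"""Triage links from suspected reservation phish: block known IOCs, flag
typosquats of travel brands, allow the real brand domains, review the rest.

Added example for illustration; not code from the report or the campaign.
"""
from urllib.parse import urlparse

# IOCs quoted in the article, kept defanged the way the report published them.
REPORTED_IOCS = ("travel-confrm[.]com", "flight-secure-verify[.]net", "185.220.101.47")

# Assumed allowlist of the named carriers' and hotel chain's real booking
# domains (a tuple so that match order is deterministic).
BRAND_DOMAINS = ("united.com", "delta.com", "marriott.com")

# Assumed threshold: one or two edits from a brand label is the classic typosquat.
MAX_TYPO_DISTANCE = 2


def refang(value: str) -> str:
    """Turn a defanged indicator ('hxxp', '[.]') back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: ignores multi-part suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a possibly defanged, scheme-less URL."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def classify_link(url: str) -> dict:
    """Return a verdict of block / allow / suspect / review with the reason."""
    host = host_of(url)
    reg = registrable_domain(host)
    ioc_hosts = {refang(i) for i in REPORTED_IOCS}
    if host in ioc_hosts or reg in ioc_hosts:
        return {"url": url, "host": host, "verdict": "block", "reason": "matches reported IOC"}
    if reg in BRAND_DOMAINS:
        return {"url": url, "host": host, "verdict": "allow", "reason": "legitimate brand domain"}
    label = reg.split(".")[0]
    for brand in BRAND_DOMAINS:
        brand_label = brand.split(".")[0]
        # Near-miss spelling of the brand label in the registrable domain.
        if 0 < levenshtein(label, brand_label) <= MAX_TYPO_DISTANCE:
            return {"url": url, "host": host, "verdict": "suspect",
                    "reason": f"likely typosquat of {brand}"}
        # Brand name embedded in an unrelated registrable domain (e.g. delta-secure-verify.net);
        # this can also catch innocent names, so it is 'suspect', not 'block'.
        if brand_label in host:
            return {"url": url, "host": host, "verdict": "suspect",
                    "reason": f"brand name '{brand_label}' inside unrelated domain {reg}"}
    return {"url": url, "host": host, "verdict": "review", "reason": "unknown domain"}


def triage(urls):
    """Classify every link; callers can feed URLs extracted from message bodies."""
    return [classify_link(u) for u in urls]


# Constructed sample links: two IOC hits, one typosquat, one embedded brand,
# one real brand page and one unknown domain.
SAMPLE_LINKS = [
    "https://www.united.com/en/us/manageres/view",
    "hxxps://travel-confrm[.]com/view-trip?id=123",
    "http://185.220.101.47/trip",
    "https://marriot.com/reservations",
    "https://delta-secure-verify.net/login",
    "https://example-hotel-booking.org/confirm",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_LINKS):
        print(f"{result['verdict']:8} {result['host']:32} {result['reason']}")
```

The IOC match is exact on the hostname or registrable domain, so a lookalike the report did not list falls through to the edit-distance and embedded-brand checks; anything that reaches `review` is simply unknown and should go to a human or a reputation feed rather than being auto-blocked.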