Threats on the Move: Exploring The World of OTA Scams

OTAs: Don't leave your customers frustrated and angry! Protect your external web assets from spoofing and impersonation!

Leaving the excitement of the winter holidays behind, the turn of the new year often induces a spike in would-be travelers rushing to their favorite online travel platforms to plan their next adventure. As the annual travel booking burst, or “wave season,” begins in January, bucket list experiences are planned by taking advantage of incredible deals offered by online travel agencies (OTAs). In case you aren’t familiar with the term, “OTA” is the abbreviation for “Online Travel Agency” and refers to travel companies that aggregate and sell travel products, services and packages online. Well-known OTAs include brands such as booking.com, Expedia, Tripadvisor, Agoda, Airbnb, Hotels.com, etc.

Unfortunately, this surge in travel planning also attracts cybercriminals, who actively explore various opportunities to conduct phishing attacks and other scams. It is becoming increasingly critical that OTAs and other travel vendors do more to protect their customers from these external threats. 

The threat research team at BforeAI recently uncovered almost 5300 domains registered in December 2024 alone, just on the brink of the peak travel planning season. These domains leverage popular industry keywords, and alarmingly, 15 top OTAs, travel aggregators, and hospitality industry giants were found to be among those being impersonated. 

Suggestive top-level domains (TLDs) were used to convince users that the sites are aligned with OTAs. For example, domains with “.shop” could be used to promote travel packages, or “.today” might pressure victims into buying a time-sensitive deal. Other TLDs that are very well known for malicious activities, such as “.xyz,” “.vip,” “.bond,” and “.ee,” were less common than others.

While there are many unique travel scams, there are some “tried and true” tactics malicious actors use to get their hands on consumers’ travel funds. Let’s take a look at some of the common (and a couple of emerging) ones our team observed in December 2024.

 

Travel refund scams

An emerging and concerning trend related to the OTA industry comes in the form of fraudulent travel refunds. In these scams, victims are redirected to suspicious cryptocurrency wallets to claim their travel refund. By following the refund steps, the victim could potentially end up having their device and personal identity compromised in the process. Registering an account on unverified websites and crypto wallet platforms such as these could put a customer at risk of personal and financial data theft.

 

Fake property listings

In the example below (Figure 1), a gentleman spent $4000 USD on a vacation rental only to discover that the whole thing was a scam and the property didn’t even exist. Such incidents are frequent on both vacation rental sites and some hotel aggregators, highlighting the lack of stringent verification of property listings. This leads to an uptick in too-good-to-be-true deals. Sourcing property images from the Internet and posting them on popular accommodation booking websites while pretending to be the owner is an incredibly common tactic for committing travel-based financial fraud. Sometimes the listing images are also enhanced with artificial intelligence and paired with catchy descriptions.

Figure 1: A man’s $4,000 loss after booking through a legitimate hotel reservation site, highlighting the risk of scams even on trusted platforms.

 

In another example (Figure 2), a malicious website lured victims by offering a Netflix subscription and free wifi for bookings made through their website. This tactic is particularly effective for scamming people who might be willing to look to lesser-known, unverified platforms in search of added “perks”. Additionally, a surge was observed in domains registered in a recurring pattern, for example, “hotelbookings” followed by a string of numbers, indicating the growing use of Domain Generation Algorithms (DGA) to generate a vast set of domain names. 

Figure 2: Hotel booking sites offering lucrative “perks” to book through their website.

 

While analyzing a series of domains, some websites were found to utilize the names of popular OTAs or hotel chains in conjunction with a specific region name. This highlights a targeted strategy likely aimed at both people who want to visit that specific destination in the coming travel season and local people from that region seeking travel deals.

There’s a constant flow of new, seemingly legitimate websites pretending to be (“spoofing”) booking platforms to fool unsuspecting travel shoppers. While not always malicious, they often display “red flags” in terms of website continuity, broken links, suspicious listings, and buggy features, making them untrustworthy.

 

Account takeovers for stolen data

Given the rise of OTA scams during the travel booking season, some tactics were noted in which the goal is to widen the potential target base. For example, websites claiming to offer “Spacious and Nice Apartments” were actually hosting phishing kits intended to harvest user data.

Some domains (see Figure 3 as an example) incorporate keywords like “makemoney” with “airbnb”, suggesting a move to target people interested in generating income through Airbnb, rather than the traveler occupants. This brings into focus the evolving nature of these scams, which are no longer limited to travel enthusiasts but now also exploit individuals seeking to generate revenue online through popular travel platforms.

Figure 3: Potentially malicious website under construction offering lures for people interested in doing business with Airbnb.

 

 

Too-good-to-be-true deals

The oncoming travel season produces a spike in social media advertisements and profiles targeting users with “too good to be true” deals on flights, lodging, hotels, and vacation packages (Figure 4). Engaging with such posts and profiles could lead potential victims to fraudulent travel packages.

Figure 4: Too-good-to-be-true deals, such as deals at half price, are a popular lure for travel-based scams.

 

To claim a fake “deal” like the one described above, victims are asked to perform certain tasks such as dropping reviews, making partial payments, registering on questionable websites, downloading malicious applications, or entering lucky draw scams.

Some campaigns within these categories may involve an escalating process, leading to a chain of events in which money, personal data, or financial information could be requested in gradual steps: if the victim passes one step and still seems to be interested, they move on to the next. This layered approach helps cybercriminals to detect and filter out which people are becoming suspicious of the scam in its early stages.

On the other hand, these cybercriminals can extract partial or “one-off” data by using terms such as “reserve now,” “pay later,” and “book today.” Such malicious tactics allow them to dynamically adjust the amount defrauded from victims based on website traffic and user engagement.

 

Betting scams

Several suspicious websites used keywords such as “agoda” (a popular OTA platform) to link with betting apps (see Figure 5). These websites were registered in bulk with a predictable naming pattern. This pattern allows victims to easily guess the next (alternate or replacement) website to visit, in case the current one is taken down or made unavailable. The method of bulk registering websites ensures the campaign’s continuity, leading to uninterrupted financial fraud.

Figure 5: Typosquatted domains of Agoda being used for betting websites, luring victims into financial losses.
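
The bulk-registration pattern described above, and the “hotelbookings” plus numbers pattern noted earlier, can be surfaced from a feed of newly registered domains by grouping names that share a stem and differ only in a trailing number. The Python below is an added example, not BforeAI's tooling; the feed, the brand “examplestay” and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First label = letters/hyphens (the stem) followed by a run of digits.
SERIES = re.compile(r"^(?P<stem>[a-z-]*[a-z])(?P<num>\d+)$")

def numbered_series(domains, min_size=3):
    """Group registered domains that share a stem and differ only in a trailing number.

    Returns {stem: sorted numbers} for stems seen with at least min_size numbers.
    """
    groups = defaultdict(set)
    for domain in domains:
        label = domain.strip().lower().split(".")[0]   # input is registered domains, no "www."
        match = SERIES.match(label)
        if match:
            groups[match["stem"]].add(int(match["num"]))
    return {stem: sorted(nums) for stem, nums in groups.items() if len(nums) >= min_size}

def brand_series(series, keywords):
    """Keep only the series whose stem contains a monitored brand or travel keyword."""
    return {stem: nums for stem, nums in series.items() if any(k in stem for k in keywords)}

def gaps(numbers):
    """Numbers missing from a run: names worth watching in future registration feeds."""
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]

# Constructed feed of newly registered domains (reserved .example TLD, not real indicators).
FEED = [
    "hotelbookings101.example", "hotelbookings102.example", "hotelbookings104.example",
    "examplestay-bet7.example", "examplestay-bet8.example", "examplestay-bet9.example",
    "cityguide2024.example", "weatherblog1.example", "weatherblog2.example",
    "weatherblog3.example", "hotelbookings.example",
]

if __name__ == "__main__":
    for stem, nums in brand_series(numbered_series(FEED), ["hotel", "examplestay"]).items():
        print(f"{stem}: {len(nums)} registrations {nums}, unseen in run: {gaps(nums)}")
```

A series that matches a monitored keyword is a candidate for review as a single campaign rather than as unrelated domains.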

 

 

Payment scams

Fake websites often host and encourage payment through unconventional or emerging payment options, such as bitcoin and other cryptocurrencies, increasing the risk of irreversible transactions. With the rise of peer-to-peer payment systems and their increased adoption in the market, cryptocurrency and blockchain payments are involved in a large number of fraudulent transactions.

 

Fake partner scams

Our research also highlights a trend of OTA scams where smaller companies or newly created websites often falsely claim to be partners of well-known OTAs. Their content and design closely resemble those of the relevant OTA, in a way that visiting users may not be able to tell the difference.

These types of websites host fake packages by falsely associating themselves with a well-known name. Victims are more likely to book with the partner site, given the discounts and other enticing offers to lure them. What follows is a series of fake payment platforms, billing details, and harvested credit card information, leaving victims stranded without their intended travel experience! 

 

Helpdesk scams

Customer service and help desk portals are essential for every customer servicing industry, including OTA platforms. They serve as a means for customers to raise travel or booking related inquiries. Most customer service portals use web forms, emails, or around-the-clock operational call centers, where customers are asked to verify their identity with sensitive information such as personally identifiable information (PII), booking details, payment card information, etc. This makes help desk portals a prime target for cybercriminals to leverage for phishing campaigns. 

Prominent OTA keywords were used in one particular set of domains to imitate these companies’ helpdesks in several scams. However, visitors to these sites quickly realize that they lack any actual content, suggesting either a dormant campaign or a dynamic infrastructure designed to activate phishing pages only when significant traffic is detected. This approach is a common evasion tactic used by malicious actors to maintain a “low profile” by hosting irrelevant information and deploying phishing pages as needed. Notably, help desk-based phishing domains for at least three leading OTAs were registered in December of last year alone (see an unfinished example in Figure 6).

Figure 6: Website under construction attempting to impersonate Priceline’s helpdesk and support feature.

 

 

How consumers can book more safely with OTAs this travel season

Things can get a little tricky, especially when the travel spirit rises. However, by understanding basic safety tips while dealing with OTA platforms, one can enjoy adventures without falling victim to scams.

It is recommended to book all your flights, accommodation, rentals, and combined packages exclusively from legitimate websites. Avoid trusting social media posts and profiles of doubtful authenticity. Never trust or click on sites that offer “too good to be true” packages, promotional gimmicks, or lottery schemes.

In the era of advanced artificial intelligence (AI), some websites host exact replicas of legitimate sites, complete with fully functional features. It is essential to examine domain names for signs of typosquatting and homograph IDNs, and to avoid less popular top-level domains.

It is essential to check the registration date of the domains. One indicator of a malicious domain is a recent registration with no verified company registration details.

Travelers should also look out for untrustworthy OTA companies “suddenly” emerging during the peak travel season. While these new entrants might offer discounted packages on tours, the whole adventure could be risky and unpleasant.
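
For teams reviewing suspicious domains in volume, the checks named in the two paragraphs above (typosquatting, homograph IDNs, less common TLDs, recent registration) can be combined into one review function. The Python below is an added example, not part of the original research. Assumptions: the brand “examplestay” is hypothetical, the registration date is supplied by the caller (for instance from a WHOIS lookup), the confusable table is a small subset, and the 30-day and edit-distance thresholds are arbitrary.

```python
from datetime import date

LURE_TLDS = {"shop", "today", "xyz", "vip", "bond", "ee"}   # TLDs named in this article
# Small illustrative subset of Cyrillic letters that render like Latin a, e, o, p, c, y, x.
CONFUSABLE = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445", "aeopcyx")
BRANDS = ["examplestay"]                                     # hypothetical brand

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(domain, registered, today, brands=BRANDS, max_age_days=30):
    """Return the reasons a domain deserves a closer look (empty list: none found)."""
    ascii_name = domain.lower().rstrip(".")
    try:
        shown = ascii_name.encode("ascii").decode("idna")   # what a browser may display
    except UnicodeError:
        shown = ascii_name                                   # already Unicode or not valid IDNA
    name, tld = shown.split(".")[-2:]        # assumes a single-label suffix such as .shop
    folded = name.translate(CONFUSABLE)
    reasons = []
    for brand in brands:
        if folded == brand and name != brand:
            reasons.append(f"homograph of {brand}")
        elif brand in folded and folded != brand:
            reasons.append(f"contains {brand}")
        elif 0 < edit_distance(folded, brand) <= 2:
            reasons.append(f"typosquat of {brand}")
    if tld in LURE_TLDS:
        reasons.append(f"lure TLD .{tld}")
    if (today - registered).days <= max_age_days:
        reasons.append("recently registered")
    return reasons

# Constructed sample, not a real indicator: Cyrillic U+0430 replaces the first Latin "a".
HOMOGRAPH = "ex\u0430mplestay.shop".encode("idna").decode("ascii")
```

No single reason is conclusive; several reasons on one domain are what make it worth a manual look.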

 

 

What can OTAs do to protect their customers?

Given the rising rates of travel-related scams, OTAs can no longer rely on merely protecting their networks and payment partners. OTAs and travel companies need to take a more proactive approach to securing external web properties, including preemptively disrupting and taking down malicious impostor sites, phishing campaigns, and scams using their brand and likenesses.

Selecting a solution that can monitor, predict, disrupt, and take down these campaigns before they launch is ideal. Scalability is also a major concern, as many malicious actors now utilize AI to build convincing web infrastructure quickly and easily. Using solutions that can match the pace of AI is critical.

In short, it can’t just be left for the customer to figure out. Most consumers do not have the expertise to identify these sophisticated threats. Customers stand to lose money and it will only leave the OTA to take the blame for not doing more.

 

 

Disembarking

Travel is a dream for many, and an enjoyable experience for most, but it also needs to be approached with caution in the coming times. The rise of artificial intelligence often facilitates exact lookalikes of legitimate sites, making it difficult for even tech-savvy people to tell the difference. Ultimately, to ensure a memorable adventure, exercise extreme caution by carrying out most of your transactions through authorized partners and aggregators only. Avoid trusting everything on the internet and social media; “not falling for the scam” can save thousands of dollars. Safe travels!

Sources:

https://www.asta.org/travelerServices/travel-tips/travel-tips-articles/why-wave-season-matters

https://www.idtheftcenter.org/post/900-percent-spike-in-travel-scams-due-to-ai

https://attack.mitre.org/techniques/T1568/002