TR-99 - Phishing Campaign Targeting Hotel Customers in Luxembourg

Executive Summary

CIRCL and Horesca have been informed of a phishing campaign targeting customers of hotels in Luxembourg. A significant number of hotel guests have received fraudulent messages through different communication channels, including WhatsApp messages containing malicious URLs.

The phishing messages are particularly convincing because they include information related to legitimate hotel bookings. This increases the likelihood that victims will trust the message and engage with the fraudulent website or communication channel.

The apparent objective of the campaign is to trick hotel customers into making payments to an actor-controlled account or payment infrastructure.

Observed Activity

Victims have reported receiving messages that appear to reference real hotel reservations. These messages may include booking-related information that is accurate or sufficiently close to a legitimate reservation to appear trustworthy.

The phishing messages typically contain a URL and encourage the recipient to take action, such as confirming a reservation, updating payment details, or completing a payment.

At this stage, CIRCL assesses that the information used in the phishing messages may originate from data associated with services operated by myLighthouse, a platform used in the hotel and hospitality sector.

The exact origin of the data exposure is currently unclear. Possible scenarios include, but are not limited to:

  • a vulnerability affecting a service or integration;
  • abuse or compromise of one or more hotel accounts;
  • unauthorised access to or exfiltration of booking-related data;
  • misuse of legitimate access to hotel or booking-management systems.

The investigation by Lighthouse has not yet clearly established the precise source of the data used in the phishing campaign.

Impact

The campaign may affect hotel customers who have made legitimate bookings in Luxembourg (though it is not limited to Luxembourg) and who receive fraudulent communications referencing those bookings.

Potential impacts include:

  • financial loss due to fraudulent payments;
  • disclosure of personal or payment-related information;
  • loss of trust in hotel communication channels;
  • increased workload for hotels, financial institutions, and incident response teams.

Recommendations for Hotel Owners and Operators Using myLighthouse

CIRCL recommends that hotels using myLighthouse take the following actions as a priority:

  1. Reset credentials
    • Reset passwords for all accounts associated with myLighthouse.
    • Ensure that passwords are unique and not reused across other services.
  2. Enable and enforce multi-factor authentication
    • Enable MFA for all accounts where available.
    • Lighthouse has announced enforcement of MFA as of 1 June.
    • Hotels should verify that MFA is active for all relevant users and accounts.
  3. Review account access
    • Review active users and remove accounts that are no longer required.
    • Check whether any unexpected or unauthorised accounts have access.
    • Review access rights and apply the principle of least privilege.
  4. Inform customers about legitimate payment procedures
    • Clearly communicate the official payment methods used by the hotel.
    • Remind customers that unexpected payment requests received through WhatsApp, SMS, or unofficial channels should be treated with suspicion.
    • Provide customers with a trusted contact point to verify payment requests.
  5. Monitor for suspicious activity
    • Monitor customer reports of phishing attempts.
    • Review logs, where available, for unusual access patterns.
    • Report suspicious URLs and related indicators to CIRCL.

Recommendations for Victims and Hotel Customers

If you receive a message via WhatsApp, SMS, email, or another channel that refers to your hotel booking and asks you to click a link or make a payment, CIRCL recommends the following:

  1. Do not click on the URL
    • Do not open links contained in suspicious or unexpected messages.
    • Do not enter personal, booking, or payment information on websites reached through such links.
  2. Verify directly with the hotel
    • Contact the hotel using contact details obtained from the official hotel website or your original booking confirmation.
    • Do not rely on phone numbers, links, or contact details provided in the suspicious message.
  3. If you interacted with the phishing site
    • Contact your bank or financial provider immediately.
    • Notify them that you may have been targeted by payment fraud.
    • Follow their instructions regarding card blocking, transaction monitoring, or chargeback procedures.
    • Notify the police if you want to file a complaint.
  4. Preserve evidence
    • Keep the suspicious message, phone number, URL, screenshots, and any payment details.
    • These elements can help incident responders and service providers limit the impact of the campaign.

Reporting Phishing URLs to CIRCL

CIRCL welcomes reports from users, victims, hotels, and service providers.

Phishing URLs can be submitted to Lookyloo at https://lookyloo.circl.lu/capture

When submitting a URL, please mark the capture as phishing. This helps CIRCL and partners analyse the infrastructure, identify related campaigns, and support takedown or mitigation actions to reduce the impact on victims.

Indicators of Compromise

Indicators may vary depending on the hotel, the communication channel, and the infrastructure used by the threat actor.

A MISP event https://misppriv.circl.lu/events/view/10a94632-a0a1-4062-a3a5-95fe321ae045 is available with all the indicators collected from the reported cases.

The threat actor appears to rotate phishing URLs frequently and also changes the phone numbers used to send WhatsApp messages, making static blocking and indicator-based detection more difficult.

Hotels and victims are encouraged to report phishing URLs and related artefacts to CIRCL for analysis.

Conclusion

This phishing campaign is notable because it uses legitimate booking-related information to increase credibility and pressure victims into making fraudulent payments.

Hotels using myLighthouse should urgently reset credentials, ensure MFA is enabled and enforced, review access rights, and communicate clearly with customers about legitimate payment methods.

Customers who receive suspicious booking-related messages should not click on links, should verify requests directly with the hotel, and should contact their financial provider immediately if they engaged with the phishing site or made a payment.

CIRCL continues to collect reports and encourages the submission of phishing URLs through Lookyloo to support analysis and mitigation.

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 1st June 2026