ctipilot.ch

Booking.com-fed hotel phishing (CH)

incident · incident:ncsc-ch-booking-hotel-phishing-2026 single-source-national-cert

NCSC-CH: Booking.com breach data feeds WhatsApp hotel-booking phishing — TWINT/bank spoofing plus booking-channel account takeover.

Coverage timeline
2
first 2026-06-01 → last 2026-06-04
Peak priority
high
1 high · 1 notable
Sources cited
2
2 hosts
Sections touched
2
active-threats, weekly-incidents-recap
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
2
pinned v19.1 · see below
2026-06-012 appearances2026-06-04

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-06-04/ncsc-switzerland-booking-com-breach-feeds-two-pronged-whatsa · ATT&CK page ↗

T1566.002Phishing: Spearphishing Link×1

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Evidence: 2026-06-04/ncsc-switzerland-booking-com-breach-feeds-two-pronged-whatsa · ATT&CK page ↗

Persistence TA0003

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-06-04/ncsc-switzerland-booking-com-breach-feeds-two-pronged-whatsa · ATT&CK page ↗

Privilege Escalation TA0004

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-06-04/ncsc-switzerland-booking-com-breach-feeds-two-pronged-whatsa · ATT&CK page ↗

Stealth TA0005

T1078.004Valid Accounts: Cloud Accounts×1

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

Evidence: 2026-06-04/ncsc-switzerland-booking-com-breach-feeds-two-pronged-whatsa · ATT&CK page ↗

Story timeline

  1. 2026-06-04NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers
    active-threats
  2. 2026-06-01Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation
    weekly-incidents-recap

Where this entity is cited

  • weekly-incidents-recap1
  • active-threats1

Source distribution

  • dutchnews.nl1 (50%)
  • ncsc.admin.ch1 (50%)

explore in graph

Entries about Booking.com-fed hotel phishing (CH) (2)

2026-06-04 · view entry permalink →

HIGH

NCSC Switzerland: Booking.com breach feeds two-pronged WhatsApp hotel-booking phishing against Swiss travellers

NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data leaked in the April 2026 Booking.com compromise (dates, hotel names, guest names) (NCSC-CH, 2026-06-02). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (T1566.002). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (T1078.004) to message guests through the legitimate booking channel, demanding urgent card re-verification — the message carries the trust of the real platform, defeating the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference). Why it matters to us: the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.

incident04 Jun 05:00Zsingle-source · national CERTOpen finding ↗

2026-06-01 · view entry permalink →

NOTABLE

Booking.com WhatsApp phishing + upstream hotel SaaS breach: real reservation data weaponised, 100+ properties affected, Dutch DPA opens investigation

NCSC-CH's Week 22 report (4 June; daily 2026-06-04) documents two phishing variants exploiting real booking data leaked in the April 2026 Booking.com compromise: Variant 1 — fake WhatsApp refund lure → TWINT/Swiss-bank-portal credential harvest; Variant 2 — attackers using compromised hotel booking-system credentials to message guests through the legitimate booking channel, demanding urgent card re-verification. Variant 2 breaks user-awareness controls because the message originates from a trusted platform (NCSC-CH). In the same window, a separate upstream booking/channel-management SaaS layer breach exposed guest reservation records (names, contacts, arrival/departure dates) for guests at more than 100 Dutch, Belgian and Irish hotels; criminals are already sending contextually accurate "confirm your reservation" phishing referencing real upcoming stays (DutchNews.nl). The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has opened a GDPR investigation; Art. 33/34 notification clocks are running for each hotel as an independent controller.

incident01 Jun 05:00Zmulti-sourceOpen finding ↗