Phishing and Financial Fraud Campaigns Targeting Online Accounts and Payment Data
Threat researchers reported multiple financially motivated social-engineering operations designed to steal credentials and enable downstream fraud. Malwarebytes documented a job-themed phishing campaign impersonating Google Forms via the lookalike domain forms.google.ss-o[.]com, using a generation_form.php script to generate personalized lure URLs and redirecting victims through a fake form to a credential-harvesting login flow (e.g., id-v4[.]com). The infrastructure also used redirection to local Google search pages as an anti-analysis tactic to reduce link sharing and researcher visibility.
Separately, activity reported by Bridewell described a Booking.com-themed, multi-stage phishing and fraud scheme targeting both hotel partners and guests: initial “complaint”/reservation lures drive staff to attacker-controlled portals on lookalike domains (including IDN homograph tricks) to harvest partner credentials, followed by account takeover and guest-facing fraud (including WhatsApp outreach using real booking details). A third report described the broader rise of Carding-as-a-Service (CaaS) marketplaces (e.g., “fullz” bundling and platforms such as Findsome and UltimateShop) and the supply chain feeding them (PhaaS credential theft, skimming, and malware), but it did not describe the same specific phishing incidents and should be treated as related background rather than part of the same event.
Timeline
Feb 19, 2026
Second report confirms fake Google Forms credential-harvesting activity
A follow-up report reiterated that the job scam used fake Google Forms pages, per-victim tracking links, and the long-used id-v4[.]com phishing endpoint, which had been taken down by the time of reporting. It also highlighted a sample lure for a 'Customer Support Executive' role and recommended MFA, domain verification, and anti-malware protections.
Feb 18, 2026
Researchers disclose technical details of Booking.com fraud chain
Reporting published on this date detailed the Booking.com-themed campaign's infrastructure and tactics, including lookalike domains, IDN homograph abuse, visitor fingerprinting, decoy sites, and Cloudflare CAPTCHA-protected payment pages. The disclosure also included mitigations such as enforcing MFA, monitoring anomalous sign-ins, and warning customers not to pay through chat-app links.
Feb 18, 2026
Job-themed fake Google Forms phishing campaign observed
Analysts observed a phishing campaign targeting job seekers with fake Google Forms pages delivered through email or LinkedIn messages. The operation used the lookalike domain forms.google.ss-o[.]com, personalized links generated by generation_form.php, and redirected victims to id-v4[.]com/generation.php to harvest Google credentials.
Jan 1, 2026
Booking.com phishing campaign begins targeting partners and guests
Bridewell researchers reported a renewed financially motivated phishing operation active since early January 2026 that impersonates Booking.com. The campaign targets accommodation partners first to steal credentials and then abuses compromised accounts and booking details to defraud guests for payment card data and money.
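Both campaigns above rely on the same two host-name tricks: a trusted brand placed as a subdomain of an unrelated registrable domain (forms.google.ss-o[.]com, whose registrable domain is ss-o[.]com, not google.com) and IDN homograph lookalikes of a trusted domain. The check below is an added defender-side example, not code from Malwarebytes, Bridewell or any cited report: it refangs a URL, decodes punycode hosts, reduces each label to a confusable-free skeleton and classifies the registrable domain. The trusted-domain list, the small suffix and confusable tables, and the sample URLs are constructed assumptions; a production version would use the Public Suffix List and the full Unicode confusables data.

```python
"""Lookalike / homograph classifier for phishing URLs (added example).

Assumptions: TRUSTED, MULTI_LABEL_SUFFIXES and CONFUSABLES are small
constructed tables; a real deployment would load the Public Suffix List
and the Unicode confusables.txt instead.
"""
import unicodedata
from urllib.parse import urlsplit

# Brand -> registrable domains we actually trust (constructed policy list).
TRUSTED = {
    "google": {"google.com"},
    "booking": {"booking.com"},
}
ALL_TRUSTED = set().union(*TRUSTED.values())

# Two-label public suffixes we recognise (constructed subset of the PSL).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Characters that render like ASCII letters (constructed subset).
CONFUSABLES = {
    "\u043e": "o",  # Cyrillic small o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0441": "c",  # Cyrillic small es
    "\u0440": "p",  # Cyrillic small er
    "\u0131": "i",  # Latin dotless i
    "\u03bf": "o",  # Greek small omicron
}


def refang(url: str) -> str:
    """Turn the defanged notation used in reports (hxxp, [.]) back into a URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels; leave hosts that fail decoding as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the suffix itself has two labels."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(text: str) -> str:
    """Strip accents and map confusables so 'bооking' and 'bóoking' -> 'booking'."""
    out = []
    for ch in unicodedata.normalize("NFKD", text.lower()):
        if unicodedata.combining(ch):  # drop combining marks (accents)
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, registrable_domain).

    trusted   - registrable domain is on the allow-list
    homograph - registrable domain only matches a trusted one after skeletonising
    lookalike - a trusted brand name appears in some host label of an untrusted domain
    unrelated - none of the above
    """
    host = (urlsplit(refang(url)).hostname or "").rstrip(".")
    uhost = to_unicode_host(host).lower()
    reg = registrable_domain(uhost)
    if reg in ALL_TRUSTED:
        return ("trusted", reg)
    if skeleton(reg) in ALL_TRUSTED:
        return ("homograph", reg)
    labels = skeleton(uhost).split(".")
    for brand in TRUSTED:
        if any(brand in label for label in labels):
            return ("lookalike", reg)
    return ("unrelated", reg)


if __name__ == "__main__":
    # Constructed samples: the lure host from the report, a genuine Google
    # Forms URL, a Cyrillic-o homograph of booking.com and an unrelated site.
    samples = [
        "hxxps://forms.google.ss-o[.]com/generation_form.php",
        "https://docs.google.com/forms/d/e/EXAMPLE/viewform",
        "https://" + "b\u043e\u043eking.com".encode("idna").decode("ascii") + "/partner",
        "https://example.org/",
    ]
    for s in samples:
        print(f"{classify_url(s)[0]:10} {s}")
```

Feeding proxy or mail-gateway URL logs through classify_url and alerting on the homograph and lookalike verdicts gives a cheap first-pass detection for both campaigns; the trusted verdict is what a legitimate Booking.com partner portal or Google Forms link should produce.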
Related Stories

Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are increasingly improving phishing success rates by abusing *trusted* channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the **EvilProxy** adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting software vulnerabilities. Separately, Rapid7 documented a cloud-abuse incident where attackers used **compromised AWS credentials** to stand up phishing/spam operations using **AWS WorkMail**, leveraging Amazon’s sender reputation and sidestepping typical **SES** anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity. A parallel, large-scale consumer fraud operation aligned with the **“PayTool”** ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the **Government of Canada**, **Air Canada**, and **Canada Post**, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs’ write-up is broader sector telemetry on education-targeted attacks (e.g., brute force `T1110`, credential dumping `T1003`, Kerberos ticket forgery `T1558`) and does not describe the same specific phishing/fraud campaigns, though it reinforces that credential theft remains a dominant initial access path across industries.
1 month ago
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is **not fluff** because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.
1 month ago
Large-Scale Online Scam Operations and Cross-Platform Fraud Tactics
Researchers and industry reporting highlighted a sharp rise in **online scam infrastructure**, including a network of more than **20,000 fake shopping sites** built to steal payment data and personal information, and phishing campaigns that use **LiveChat-style customer support impersonation** to extract credit card details, PII, and even MFA codes. The fake-shop ecosystem uses polished storefronts, shared infrastructure, and rapid rebranding to mimic legitimate retailers at industrial scale, while the LiveChat campaigns begin with deceptive emails and move victims into real-time conversations with fake support agents posing as brands such as *Amazon* and *PayPal*. Separately, **Google, Meta, Amazon, and other companies** announced a voluntary intelligence-sharing pact to combat online scams across social media, marketplaces, messaging, and payments platforms. That agreement is related to the broader rise in fraud, but it is not about the same specific scam operations described in the threat reports. The combined reporting shows that scam activity is increasingly coordinated, multi-platform, and enabled by reusable infrastructure and social engineering techniques that make fraudulent interactions appear legitimate to victims.
1 month ago