INTELLIGENCE BRIEF – CYBER THREAT UPDATE

Date: 14 November 2025
Classification: For Situational Awareness
Source: Open-Source Intelligence (OSINT) aggregation


1. Large-Scale Fake Hotel Booking Operation Targets Travelers Worldwide

Summary:
A Russian-speaking cybercriminal group has built and operated a network of over 4,000 fake hotel and travel websites designed to steal payment card data and personal details. The fraudulent sites mimic legitimate hotel brands, using cloned logos and booking confirmation pages that appear authentic. Victims are typically lured via phishing emails referencing real or plausible reservations, urging them to “confirm” or “update” their booking. Stolen data includes full card numbers, CVV codes, and traveler identities. The operation has been active for much of 2025, suggesting an established monetization pipeline through underground markets.

Assessment:
This campaign targets both individual travelers and corporate employees booking business travel, presenting risks to corporate card programs and travel reimbursement systems. The scale and professionalism of the cloned domains indicate an organized actor with prior experience in hospitality fraud schemes. Indicators of compromise (IOCs) include newly registered domains imitating known hotel chains and phishing lures referencing recent bookings.

Recommendations:

  • Restrict corporate networks to a verified allowlist of hotel and booking domains.
  • Deploy automated domain monitoring for look-alike URLs targeting partner brands.
  • Coordinate with financial institutions to track spikes in travel-related chargebacks.
  • Advise employees never to update booking details through emailed links.
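As an added, defender-side illustration (not part of this brief), the following Python script shows the kind of look-alike domain check the second recommendation calls for: it flags newly registered domains that imitate a list of partner booking brands by homoglyph substitution, small edit distance, or brand-name embedding. The brand list, homoglyph table and domain feed are constructed assumptions, not real indicators.

```python
"""Look-alike domain monitor for a partner-brand allowlist.
All brand names and the domain feed below are constructed sample data."""

# Hypothetical partner hotel/booking brands (second-level labels only).
BRANDS = ["grandhotel", "stayinn", "bookmytrip"]

# Character sequences commonly used to visually imitate letters.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed feed of newly registered domains (not real IOCs).
SAMPLE_FEED = ["grandh0tel.net", "stayinm.com", "bookmytrip.com",
               "secure-booking.stayinn-confirm.com", "example.org"]

def normalize(label: str) -> str:
    """Map confusable digits/letter pairs back to the letters they mimic."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance using a single rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label of a domain, ignoring subdomains and the TLD."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str, brands=BRANDS, max_dist: int = 2):
    """Return (brand, reason) when `domain` imitates a brand, else None."""
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        if label == brand:
            return None          # exact brand label: handled by the allowlist
        if norm != label and norm == brand:
            return (brand, "homoglyph")
        if levenshtein(norm, brand) <= max_dist:
            return (brand, "typosquat")
        if brand in norm and len(norm) > len(brand):
            return (brand, "brand-embedding")   # e.g. stayinn-confirm
    return None

def scan_feed(domains, brands=BRANDS):
    """Run classify over a registration feed; return only flagged domains."""
    return {d: hit for d in domains if (hit := classify(d, brands))}
```

In practice the feed would come from certificate-transparency logs or a domain-registration service, and flagged domains would be passed to a blocklist or an analyst queue.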

2. AI Sector Exposure: Widespread Credential Leaks on GitHub

Summary:
A report by cloud security firm Wiz revealed that roughly two-thirds of the companies on the Forbes AI 50 list have exposed sensitive credentials on GitHub, including API keys, tokens, and access secrets for proprietary AI models and data stores. The leaks often originated from developer forks, personal repositories, and abandoned gists, many of which were overlooked by corporate security reviews. Several exposed keys granted access to internal AI training environments and private model architectures. Notably, around half of the affected firms lacked clear disclosure procedures or delayed remediation after notification.

Assessment:
The findings illustrate a persistent weakness in developer operational security (DevSecOps) and highlight that AI research pipelines are a prime source of supply-chain risk. The exposure of model weights or training data could enable model theft, adversarial research, or competitive intelligence breaches. The problem is compounded by legacy forks and personal GitHub accounts, which often fall outside of enterprise scanning tools.

Recommendations:

  • Mandate automated secret-scanning across all GitHub organizations and personal accounts linked to company projects.
  • Revoke exposed credentials immediately, prioritizing API keys tied to sensitive datasets or compute clusters.
  • Implement continuous monitoring for new secret alerts in historical commits.
  • Treat developer repositories as critical infrastructure, requiring the same security posture as production systems.

Analyst Comment:
Both incidents underscore a growing convergence between social engineering and supply-chain vulnerabilities. One exploits end-user trust in brand familiarity; the other exposes systemic weaknesses in technical hygiene. Together, they demonstrate how credential exposure and fraudulent domain infrastructure remain two of the most effective tools for cyber exploitation in 2025.