Executive Summary
On 1 June 2026, CIRCL identified a sophisticated phishing operation aimed at guests of hotels located in Luxembourg. The attackers exploit legitimate booking data to craft convincing messages that appear to come from the hotels themselves. Victims are lured into clicking malicious URLs or providing payment details through unofficial channels such as WhatsApp or SMS. The campaign’s primary goal is to divert funds to actor‑controlled accounts.
Observed Activity
Individuals who have confirmed reservations with hotels in Luxembourg reported receiving messages that:
- Contain accurate reservation identifiers, dates, and room types.
- Include a hyperlink that directs the user to a counterfeit payment portal.
- Request confirmation of payment details, updating card information, or completing a transaction.
- Are sent via WhatsApp, SMS, or other instant‑messaging services.
Initial investigations suggest that the data used in these messages originates from services operated by myLighthouse, a platform widely adopted in the hospitality sector. The exact breach point remains undetermined, with possibilities ranging from a software vulnerability to compromised hotel accounts or unauthorized data exfiltration.
Impact
The ramifications for affected parties include:
- Financial loss for guests who unintentionally transfer funds to malicious actors.
- Compromise of personal and payment information, increasing the risk of identity theft.
- Erosion of trust in hotel communication channels, potentially affecting future bookings.
- Additional workload for hotels, banks, and incident response teams to investigate and remediate incidents.
Recommendations for Hotels Using myLighthouse
Hotels must act swiftly to mitigate the threat. Prioritized actions include:
- Reset Credentials:
- Change passwords for all myLighthouse accounts immediately.
- Ensure passwords are unique and not shared across other systems.
- Enable Multi‑Factor Authentication (MFA):
- Activate MFA for every account that supports it.
- Verify that MFA enforcement is in place for all relevant users.
- Review Account Access:
- Audit active users and remove any that are no longer required.
- Check for unauthorized or unexpected accounts.
- Apply the principle of least privilege to all access rights.
- Communicate Payment Procedures:
- Publish clear guidelines on official payment methods.
- Warn guests that unsolicited payment requests via WhatsApp, SMS, or unofficial channels are suspicious.
- Provide a dedicated contact point for verification of payment requests.
- Monitor for Suspicious Activity:
- Encourage guests to report phishing attempts promptly.
- Review system logs for anomalous access patterns.
- Submit suspicious URLs and indicators to CIRCL for analysis.
Recommendations for Victims and Hotel Customers
If you receive a message pertaining to a hotel booking that asks you to click a link or submit payment information, follow these steps:
- Do Not Click Links: Avoid visiting URLs from unexpected messages.
- Verify Directly with the Hotel: Use contact details from the hotel’s official website or your original booking confirmation, not those in the suspect message.
- Report Interaction: If you entered payment details, contact your bank or card issuer immediately and request a transaction review or reversal.
- Preserve Evidence: Keep the message, sender information, URL, screenshots, and any payment details for potential investigation.
- File a Complaint: Report the incident to local consumer protection agencies or the hotel’s management.
Reporting Phishing URLs to CIRCL
CIRCL encourages users, hotels, and service providers to submit phishing URLs via Lookyloo. When submitting, mark the capture as “phishing” to aid analysis and facilitate takedown actions.
Indicators of Compromise
Indicators vary by hotel and communication channel. A comprehensive MISP event is available with collected indicators. Attacker tactics include rotating URLs and changing WhatsApp numbers to evade static blocking.
Conclusion
The campaign’s use of legitimate booking data significantly enhances its credibility, increasing the likelihood of successful fraud. Hotels utilizing myLighthouse must urgently implement credential resets, enforce MFA, audit access rights, and communicate transparent payment processes. Guests should remain vigilant, verify requests directly with hotels, and report suspicious activity promptly. CIRCL continues to gather reports and supports mitigation through Lookyloo submissions.

