Published: Category: Security Awareness

What is Happening!

We are currently monitoring an active phishing campaign targeting the hospitality industry, hotel staff, booking systems, and payment workflows. Threat actors are impersonating trusted hospitality and booking-related services in an attempt to steal credentials, payment information, guest details, and operational access. Employees and hotel staff should remain alert to suspicious booking requests, payment verification messages, login prompts, and impersonation attempts across email, WhatsApp, SMS, and other communication channels.

Scammers are sending WhatsApp messages to our guests that may appear to be from your property or a booking platform, for example:

  1. Booking confirmation
  2. Reservation
  3. Cancel booking

These messages often include urgent verification links or payment requests. Guests should treat any unexpected WhatsApp booking message as suspicious unless it comes through your official, verified channels.

What we are doing

We are sharing this advisory to ensure all teams have full visibility into the ongoing phishing activity and to help organizations take immediate preventive actions. Our Security Team is actively monitoring, investigating, and responding to this threat campaign — tracking malicious infrastructure, phishing domains, attacker activity, and related indicators of compromise to protect our platform, customers, partners, and guests.

Recognize common phishing indicators

We strongly recommend increasing internal awareness and training staff to recognize:

  • Suspicious or lookalike domains (e.g. fake hotel-stay* or hotel-status* booking sites)
  • Urgent payment or account verification requests
  • Unexpected MFA/OTP approval prompts
  • Fake booking or guest communication messages

Guest awareness – How to recognize and avoid booking phishing attacks

Guests should remain cautious of fraudulent booking, payment, or verification messages that may impersonate hotels, booking platforms, or customer support teams.

  • Random or unsolicited booking messages sent on WhatsApp — fake confirmations, stay alerts, or reservation details impersonating hotels or booking platforms
  • Urgent payment or booking verification requests
  • Messages asking for card details, OTPs, or passwords
  • Unofficial payment links or shortened URLs
  • Websites with unusual or lookalike domain names (e.g. fake hotel-stay* or hotel-status* booking sites)
  • Unexpected requests to re-confirm bookings or payments
  • Do not respond to unofficial calls or emails
  • Do not click on suspicious links or attachments

Please advise guests that official payments and account verification should only be completed through trusted and verified channels — not via random WhatsApp booking messages or unknown links.

Please use our trusted website

Before signing in or entering credentials, verify the website using the checks below.

| # | Check | What to verify |
|---|-------|----------------|
| 1 | Official site | Use only https://live.ipms247.com/login/ |
| 2 | Website is secure | Confirm the browser shows a secure connection (padlock icon) and a valid security certificate. |
| 3 | HTTPS is used | The URL must begin with https:// — not http://. |

Important: If a website does not match all checks above — especially the official URL and HTTPS — do not use that website. It may be a phishing or impersonation site.
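
For teams that triage reported messages, the URL checks above and the lookalike patterns named earlier can be applied mechanically. The following is an added example, not YCS code: the function names, verdict labels, and the reading of `hotel-stay*` / `hotel-status*` as label prefixes are assumptions, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "live.ipms247.com"  # host of the official login URL in the advisory
BRAND = "ipms247"
# Assumption: the advisory's hotel-stay* / hotel-status* wildcards are label prefixes.
CAMPAIGN_LABEL = re.compile(r"^hotel-(stay|status)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url: str) -> str:
    """Return a triage verdict for one link taken from a message."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit parse bare "host/path" links
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        userinfo = (parts.username or "").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Exact host match only: a suffix or substring match would accept
    # live.ipms247.com.example.net or live.ipms247.online.
    if host == OFFICIAL_HOST and not userinfo:
        return "official" if parts.scheme == "https" else "not-https"
    # Brand string anywhere else, including before an "@", is flagged for review.
    if BRAND in host or BRAND in userinfo:
        return "brand-lookalike"
    if any(CAMPAIGN_LABEL.match(label) for label in host.split(".")):
        return "campaign-pattern"
    return "unverified"


def triage_message(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every http(s) link in a message body."""
    urls = (u.rstrip(".,;:!?)") for u in URL_RE.findall(text))
    return [(u, classify_url(u)) for u in urls]


# Constructed sample message; the .example and example.net hosts are placeholders.
SAMPLE = ("Dear guest, confirm your reservation within 12 hours: "
          "https://hotel-stay000000.example/verify. "
          "Staff login: https://live.ipms247.com.example.net/login/")

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE):
        print(f"{verdict:16} {url}")
```

Only the `official` verdict passes all three checks in the table; `unverified` means no rule matched, not that the link is safe.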

How is Yanolja Cloud Solution (YCS) detecting and responding to malicious activity?

  • Login risk analysis: Detect suspicious authentication attempts based on geographic anomalies, unusual login behavior, IP reputation, and unfamiliar devices.
  • Behavioral monitoring: Identify potentially compromised accounts and automatically respond to suspicious session activity.
  • Threat and fraud detection: Identify and block malicious links, phishing domains, and suspicious communications.
  • Domain protection controls: Monitor and block known malicious or impersonation domains.
  • Continuous monitoring: Watch for fraudulent websites, fake login pages, and brand impersonation attempts targeting hospitality providers and guests.
  • Security investigation and rapid response: Analyze indicators of compromise (IOCs), suspicious activity, and emerging phishing infrastructure.

[Image: example of an unsolicited WhatsApp booking verification phishing message]

Previously reported phishing domains (IPMS247 impersonation)

Older phishing domains that mimic our official login. Use only live.ipms247.com — not .online or .site.

  1. live.ipms247.online
  2. live.ipms247.site

Indicators of compromise (IoCs)

Known fake and impersonation domains linked to this and prior phishing activity. Do not open links on these sites.

If you notice any suspicious activity

If you receive suspicious emails, WhatsApp messages, payment requests, login prompts, or any communication that appears unusual or impersonates hospitality or booking-related services:

Do not open any phishing link.

If you have already opened a suspicious or phishing link, delete your browsing history together with cookies and cache for the last 7 days.

  • Do not click on suspicious links or attachments
  • Do not share passwords, OTPs, MFA codes, or payment details
  • Verify the sender, domain, and website carefully before taking action
  • Capture screenshots or preserve the suspicious message if possible
  • Immediately report the activity to our Security Team at: cx@yanoljacloudsolution.com
    Use subject line: Security Report – Suspicious Phishing / Booking Activity