Phishing and Financial Fraud Campaigns Targeting Online Accounts and Payment Data
Threat researchers reported multiple financially motivated social-engineering operations designed to steal credentials and enable downstream fraud. Malwarebytes documented a job-themed phishing campaign impersonating Google Forms via the lookalike domain forms.google.ss-o[.]com, using a generation_form.php script to generate personalized lure URLs and redirecting victims through a fake form to a credential-harvesting login flow (e.g., id-v4[.]com). The infrastructure also used redirection to local Google search pages as an anti-analysis tactic to reduce link sharing and researcher visibility.
Separately, Bridewell-reported activity described a Booking.com-themed, multi-stage phishing and fraud scheme targeting both hotel partners and guests: initial “complaint”/reservation lures drive staff to attacker-controlled portals using lookalike domains (including IDN homograph tricks) to harvest partner credentials, followed by account takeover and guest-facing fraud (including WhatsApp outreach using real booking details). A third report described the broader rise of Carding-as-a-Service (CaaS) marketplaces (e.g., “fullz” bundling and platforms such as Findsome and UltimateShop) and the supply chain feeding them (PhaaS credential theft, skimming, and malware), but it did not describe the same specific phishing incidents and should be treated as related background rather than part of the same event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Second report confirms fake Google Forms credential-harvesting activity
A follow-up report reiterated that the job scam used fake Google Forms pages, per-victim tracking links, and the long-used id-v4[.]com phishing endpoint, which had been taken down by the time of reporting. It also highlighted a sample lure for a 'Customer Support Executive' role and recommended MFA, domain verification, and anti-malware protections.
Researchers disclose technical details of Booking.com fraud chain
On publication, reporting detailed the Booking.com-themed campaign's infrastructure and tactics, including look-alike domains, IDN homograph abuse, visitor fingerprinting, decoy sites, and Cloudflare CAPTCHA-protected payment pages. The disclosure also included mitigations such as enforcing MFA, monitoring anomalous sign-ins, and warning customers not to pay through chat-app links.
Job-themed fake Google Forms phishing campaign observed
Analysts observed a phishing campaign targeting job seekers with fake Google Forms pages delivered through email or LinkedIn messages. The operation used the lookalike domain forms.google.ss-o[.]com, personalized links generated by generation_form.php, and redirected victims to id-v4[.]com/generation.php to harvest Google credentials.
Booking.com phishing campaign begins targeting partners and guests
Bridewell researchers reported a renewed financially motivated phishing operation active since early January 2026 that impersonates Booking.com. The campaign targets accommodation partners first to steal credentials and then abuses compromised accounts and booking details to defraud guests for payment card data and money.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Threat Actors Using Fake Google Forms Site to Harvest Google Logins
cybersecuritynews.com
Open sourceJob scam uses fake Google Forms site to harvest Google logins | Malwarebytes
malwarebytes.com
Open sourceNew Phishing Campaign Targets Booking.com Partners and Customers in Multi-Stage Financial Fraud Scheme
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and fraud campaigns abusing trusted infrastructure and communications
Threat actors are increasingly improving phishing success rates by abusing *trusted* channels and infrastructure rather than relying on generic lures. One observed intrusion hijacked an active executive email thread via a compromised contractor account, allowing the attacker to reply inline with a link to a Microsoft 365 lookalike login flow; analysis of detonated samples indicated use of the **EvilProxy** adversary-in-the-middle phishkit, with layered anti-bot gating (e.g., Cloudflare Turnstile) and dynamic HTML/PDF content to capture credentials without exploiting software vulnerabilities. Separately, Rapid7 documented a cloud-abuse incident where attackers used **compromised AWS credentials** to stand up phishing/spam operations using **AWS WorkMail**, leveraging Amazon’s sender reputation and sidestepping typical **SES** anti-abuse controls while generating limited, service-native telemetry that can blend into normal administrative activity. A parallel, large-scale consumer fraud operation aligned with the **“PayTool”** ecosystem was reported targeting Canadian residents through SMS-driven lures (e.g., unpaid fines) that route victims through high-fidelity impersonations of the **Government of Canada**, **Air Canada**, and **Canada Post**, including province-selection workflows designed to mimic legitimate federal-to-provincial service handoffs before directing victims to localized scam domains. In contrast, LevelBlue SpiderLabs’ write-up is broader sector telemetry on education-targeted attacks (e.g., brute force `T1110`, credential dumping `T1003`, Kerberos ticket forgery `T1558`) and does not describe the same specific phishing/fraud campaigns, though it reinforces that credential theft remains a dominant initial access path across industries.
Mar 21, 2026
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is **not fluff** because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.
Mar 21, 2026
Large-Scale Online Scam Operations and Cross-Platform Fraud Tactics
Researchers and industry reporting highlighted a sharp rise in **online scam infrastructure**, including a network of more than **20,000 fake shopping sites** built to steal payment data and personal information, and phishing campaigns that use **LiveChat-style customer support impersonation** to extract credit card details, PII, and even MFA codes. The fake-shop ecosystem uses polished storefronts, shared infrastructure, and rapid rebranding to mimic legitimate retailers at industrial scale, while the LiveChat campaigns begin with deceptive emails and move victims into real-time conversations with fake support agents posing as brands such as *Amazon* and *PayPal*. Separately, **Google, Meta, Amazon, and other companies** announced a voluntary intelligence-sharing pact to combat online scams across social media, marketplaces, messaging, and payments platforms. That agreement is related to the broader rise in fraud, but it is not about the same specific scam operations described in the threat reports. The combined reporting shows that scam activity is increasingly coordinated, multi-platform, and enabled by reusable infrastructure and social engineering techniques that make fraudulent interactions appear legitimate to victims.
Mar 21, 2026