Booking Rental Scam: Phishing & OSINT Takedown (Real Case)

2025-09-18
Investigation & Reporting
Prevented financial loss
Phishing, OSINT, Incident Response, Fraud, Web Security

Disclaimer: Sensitive identifiers have been redacted. This content is published strictly for educational and professional purposes.

Figure 1: Rental Scam Investigation Overview

Executive Summary

In September 2025, a sophisticated rental scam targeting expatriates in Luxembourg was identified and investigated through OSINT techniques. The threat actor impersonated legitimate property owners on Facebook, directing victims to a phishing website that cloned Booking.com's interface. Through systematic domain analysis, infrastructure investigation, and behavioral analysis, the attack vector was mapped and reported to INCIBE and local law enforcement. This case study documents the investigation methodology, technical findings, and lessons learned from preventing potential financial losses.

Context & Threat Model

Rental Scam via Facebook

The threat actor leveraged Facebook groups dedicated to housing in Luxembourg, posting attractive rental listings with below-market prices. These posts targeted expatriates and international workers seeking accommodation, exploiting their urgency and potential lack of local knowledge.

Identity Impersonation

The scammer created Facebook profiles impersonating legitimate property owners, using stolen or fabricated photos and minimal profile information. These profiles appeared authentic at first glance but lacked the depth and history of genuine accounts.

Booking.com Brand Abuse

To add credibility, the threat actor directed victims to a phishing website that closely mimicked Booking.com's interface. This brand abuse exploited trust in a well-known platform, making the scam appear legitimate to unsuspecting victims.

Incident Timeline

  • Sep 10: Initial Facebook post detected in Luxembourg housing group
  • Sep 11: Red flags identified: suspicious profile, disabled comments, random Gmail address
  • Sep 12: Broken Booking.com link analyzed; secondary email pivot discovered
  • Sep 13: Domain analysis: e-ffiliate[.]express identified; WHOIS and infrastructure investigation
  • Sep 14: Phishing website behavior documented; payment phase analysis completed
  • Sep 15: Post-24h behavior observed: attempted executable download; report submitted to INCIBE

Early Red Flags

Suspicious Facebook Profile

Profile contained minimal information, recent creation date, and lacked mutual connections or activity history typical of legitimate property owners.

Comments Disabled

The threat actor disabled comments on posts to prevent public warnings and questions from other group members who might recognize the scam.

Random Gmail Address

Contact email used a generic Gmail account with random characters, inconsistent with professional property management practices.

Refusal to Provide Phone Number

When requested, the threat actor refused to provide a phone number or schedule a property viewing, insisting on online-only communication and payment.

Technical Analysis

Broken Booking.com Link as Trigger

The initial link provided appeared to be a Booking.com URL but was malformed or broken. This served as a pretext to redirect victims to a secondary communication channel, where the threat actor could provide the "correct" link to the phishing website.

booking[.]com/invalid-link-redirect

Secondary Email Pivot

When the initial link failed, the threat actor provided a secondary email address and directed victims to contact them directly. This email was used to send the phishing link, bypassing Facebook's link scanning mechanisms.

Domain Analysis: e-ffiliate[.]express

The phishing domain e-ffiliate[.]express was identified through email analysis. Key findings:

  • Domain registered less than 30 days before the incident
  • No historical reputation or legitimate use
  • Typo-squatting pattern attempting to mimic legitimate affiliate domains
  • Cloudflare CDN usage to obfuscate origin infrastructure

WHOIS / Infrastructure Indicators

WHOIS data revealed:

  • Privacy-protected registration (common for malicious domains)
  • Recent creation date indicating opportunistic registration
  • Cloudflare nameservers used for anonymity and DDoS protection
  • No associated SSL certificate history or legitimate services
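The host check from the broken-link section and the domain-age, registrant-privacy and nameserver indicators above can be turned into a small rule-based triage routine. The Python below is an added example, not tooling from the original investigation; the WHOIS record, creation date and "today" date are constructed to resemble this case rather than taken from a live lookup.

```python
"""Added example: offline triage of a rental-listing URL against the red flags
described in this case study. SAMPLE_WHOIS is a constructed record, not live data."""
from datetime import date, datetime
from urllib.parse import urlparse

# Only these hosts (or their subdomains) count as the real brand.
OFFICIAL_HOSTS = {"booking.com"}

# Constructed WHOIS-style record shaped like the case findings: privacy-protected
# registrant, Cloudflare nameservers, registered shortly before the Facebook post.
SAMPLE_WHOIS = {
    "domain": "e-ffiliate.express",
    "created": "2025-08-20",
    "registrant": "REDACTED FOR PRIVACY",
    "nameservers": ["ada.ns.cloudflare.com", "rob.ns.cloudflare.com"],
}

def registrable_host(url: str) -> str:
    """Lowercased hostname of a URL, with scheme defaulted and port/userinfo stripped."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    return host.lower().rstrip(".")

def is_official(url: str) -> bool:
    """True only when the host IS an official domain or a subdomain of one.
    'booking.com.evil.example' must fail: the suffix check is on the full label."""
    host = registrable_host(url)
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage(url: str, whois: dict, today: date, max_age_days: int = 30) -> list[str]:
    """Return the red flags raised for a link and the WHOIS record of its domain."""
    flags = []
    host = registrable_host(url)
    if not is_official(url):
        flags.append(f"host {host!r} is not an official Booking.com domain")
        if "booking" in host:  # brand keyword inside a non-official host
            flags.append("host contains a brand keyword: possible lookalike")
    age = (today - datetime.strptime(whois["created"], "%Y-%m-%d").date()).days
    if age < max_age_days:
        flags.append(f"domain registered {age} days ago (under {max_age_days})")
    registrant = whois["registrant"].lower()
    if "privacy" in registrant or "redacted" in registrant:
        flags.append("registrant hidden behind a privacy service")
    # Weak on its own (many legitimate sites use Cloudflare); meaningful combined.
    if any(ns.endswith(".ns.cloudflare.com") for ns in whois["nameservers"]):
        flags.append("origin hidden behind Cloudflare nameservers")
    return flags

def triage_sample() -> list[str]:
    """Run triage on the constructed case data, using the post date as 'today'."""
    return triage("https://e-ffiliate.express/booking", SAMPLE_WHOIS, date(2025, 9, 12))
```

No single flag is proof; the value is that the link in this case trips every rule at once, which is the pattern a reviewer should escalate.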

Phishing Website Behavior

Analysis of the phishing website revealed:

  • Static clone of Booking.com interface with minor modifications
  • Broken navigation links (non-functional menu items)
  • No actual booking functionality—form submissions redirected to payment collection
  • SSL certificate issued by free CA, inconsistent with Booking.com's infrastructure

Payment Phase Analysis

The payment collection mechanism followed a classic mule account pattern:

  • Victims instructed to transfer funds via bank transfer (not credit card)
  • IBAN provided belonged to a mule account (last 4 digits: XXXX)
  • Urgency tactics: "Limited availability", "Multiple interested parties"
  • No receipt or booking confirmation provided after payment

Post-24h Behavior

After 24 hours, the phishing website attempted to download an executable file to the victim's device. This indicates potential malware distribution as a secondary attack vector, likely for credential theft or remote access.

Mitigations & Lessons Learned

Practical Checklist

  • Verify property ownership through official registries or property management companies
  • Request in-person property viewing before any payment
  • Verify domain authenticity—check for typos, recent registration dates, and SSL certificate details
  • Be suspicious of below-market prices and urgency tactics
  • Never transfer funds via bank transfer for rental deposits without verified contracts
  • Check social media profiles for authenticity: mutual connections, posting history, profile completeness

Reporting & Escalation

The incident was reported to:

  • INCIBE (Instituto Nacional de Ciberseguridad): Phishing domain and infrastructure details
  • Local Law Enforcement: Fraud report with evidence documentation
  • Facebook Security: Impersonation and scam account reporting
  • Cloudflare Abuse: Malicious domain hosting notification

Evidence Gallery

Figure 2: Facebook Rental Post - Suspicious Profile & Apartment Listing

Figure 3: Phishing Email - Broken Booking.com Link Redirect

Figure 4: Phishing Website Infrastructure - Cloudflare CDN & Network Status

Figure 5: Domain Analysis - e-ffiliate.express WHOIS & Threat Intelligence

Figure 6: Payment Collection Form - Bank Transfer Details (IBAN/SWIFT)