Overview
Cloudbeds is currently tracking an ongoing phishing campaign impacting hospitality businesses across the industry. While these attacks have been reported across multiple hotel technology providers, some Cloudbeds customers may be among those targeted.
We are providing this information to ensure you have full visibility and can take immediate precautionary steps, including training your staff on specific red flags to watch for. The Cloudbeds Security team is actively monitoring and responding to this threat to protect our platform, our customers, and their guests.
This article includes:
- Answers to common questions regarding the campaign and its impact.
- An Appendix of Indicators of Compromise (IOCs) for dedicated technical or security teams to help identify and block malicious activity within your network.
✉️ Need Assistance? If you encounter activity not covered in this guide or have concerns about a specific message, please contact support@cloudbeds.com.
Report Phishing Emails
If you receive a suspicious email impersonating Cloudbeds, please forward it to support@cloudbeds.com with the subject line "Phishing". This allows our security team to review the message and take down malicious domains.
FAQ
What is happening and why does it matter?
We have observed attackers creating fraudulent login pages that closely mimic the legitimate Cloudbeds sign-in portal. These fake pages are promoted through Google Ads and other channels to trick hotel staff into entering their credentials. Once a user enters their password and Multi-Factor Authentication code on a fake page, attackers use the captured credentials to:
- Sign in to the Cloudbeds account using the stolen credentials
- Access and export reservation data, including guest names, contact details, and booking information
- Send phishing messages to guests using Cloudbeds Guest Experience messaging or standard email tools, making the messages appear legitimate
- Contact guests directly via WhatsApp or email with fraudulent payment requests, often creating urgency around “outstanding” or “confirmed” reservation payments and directing guests to malicious links designed to steal their payment information.
Which URLs are part of the phishing campaign?
The malicious URLs used in this campaign can vary and change frequently. The fake login pages are designed to look nearly identical to the legitimate Cloudbeds sign-in page, with the URL often being the only visible difference.
Our brand protection partner continuously monitors for and works to remove these domains as they are identified. For customers with technical teams, a list of known malicious URLs is included in the appendix, though new URLs may appear over time.
As a precaution, we recommend bookmarking the official Cloudbeds login page (signin.cloudbeds.com) and encouraging staff to always access Cloudbeds using that saved link, rather than through ads, search results, or links in emails or messages.
Was Multi-Factor Authentication (MFA) enabled on compromised accounts?
Yes. All compromised accounts investigated so far were using authenticator-based MFA (time-based one-time codes). However, authenticator codes are not phish-proof. Attackers intercept them in real time as users enter them on the fraudulent login page, then immediately replay them to access the legitimate account.
To protect your users, we strongly recommend switching to phish-resistant MFA methods:
- Passkeys / Security Keys — Hardware or device-based authentication that cannot be phished.
- Okta Verify with Push Notifications — Device-bound verification that provides stronger protection against real-time credential interception.
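Why a one-time code can be replayed while a passkey assertion cannot, shown as an added example (not Cloudbeds or Okta code): RFC 6238 verification takes only the shared secret and the clock, whereas a WebAuthn relying party also checks the origin the browser recorded. The secret, the challenge and the simplified clientDataJSON are constructed for illustration, and signature verification is omitted.

```python
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://signin.cloudbeds.com"  # official login page named in this article


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The only inputs are the shared secret and the time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    """No origin is part of the check, so the server cannot tell which page
    the user typed the code into."""
    return hmac.compare_digest(totp(secret, now), code)


def client_data(origin: str, challenge: str) -> bytes:
    """Simplified clientDataJSON as a browser would build it (constructed sample)."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def server_accepts_passkey(client_data_json: bytes, expected_challenge: str) -> bool:
    """WebAuthn-style relying-party check: the browser, not the user, writes the
    page origin into the signed data, so an assertion made on another host fails."""
    data = json.loads(client_data_json)
    return (
        data.get("type") == "webauthn.get"
        and data.get("challenge") == expected_challenge
        and data.get("origin") == LEGIT_ORIGIN
    )
```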
How is Cloudbeds detecting and responding to malicious activity?
Protecting your business and your guests is a shared priority, and our Security team is actively monitoring and responding to this threat. We use multiple layers of detection and protection designed to identify suspicious activity early and limit potential impact:
- Login risk analysis including geographic anomaly detection, travel velocity checks, new device identification, and IP reputation scoring to identify and block suspicious authentication attempts
- Behavioral monitoring that automatically terminates sessions exhibiting patterns consistent with account abuse
- Integrated fraud detection that blocks emails and messages containing suspicious URLs
- Domain controls including global blacklists for known malicious domains and per-account whitelists so you can control which domains are permitted in guest communications
- Continuous brand protection to identify and take down fraudulent login pages and impersonation domains
We are also working with authorities and relevant service providers to disrupt this threat group.
Have other Cloudbeds customers been targeted?
Yes. This is part of a broader, coordinated attack campaign targeting the hospitality sector globally. Customers using authenticator-based MFA (one-time codes) are most susceptible.
What short-term actions can we take to reduce risk?
We strongly recommend the following:
- Adopt phish-resistant MFA — Switch users to passkeys or Okta Verify. Authenticator apps using time-based codes are vulnerable to real-time phishing.
- Bookmark the correct login URL — Always use https://signin.cloudbeds.com and avoid using search engines to navigate to the login page. Attackers are using paid search ads to place fraudulent links above legitimate results.
- Audit user accounts — Remove unnecessary user accounts and reduce privileges, especially export and PII access, to only those who require it.
- Review export permissions — In user role settings, remove access to “Reservation - export reservation list” and PII extraction for any role that does not require it.
- Configure your domain whitelist — Contact Cloudbeds Support to configure your approved Guest Experience domain whitelist to limit which URLs can be included in guest communications from your account.
- Train your staff — Ensure all users know to verify they are on https://signin.cloudbeds.com before entering credentials, and to never log in through links received via email or search engine ads.
Contact Cloudbeds Support if you need assistance implementing any of these measures.
Are there any other attacks I should watch for?
Some customers have reported receiving suspicious or malicious emails from unknown senders attempting to impersonate Cloudbeds or other hospitality platforms. If you notice any unusual activity in your Cloudbeds account, we recommend also checking your email inbox for unexpected or suspicious messages.
If you receive any phishing emails, forward them to support@cloudbeds.com with the subject line “Phishing” so our team can review and take down malicious domains.
Guests may also receive fraudulent messages via WhatsApp or other channels from scammers impersonating your property. Consider proactively advising guests that your property will never request payment verification, card details, or urgent payments via WhatsApp or external links.
If you find anything concerning, report it to Cloudbeds Support (support@cloudbeds.com) immediately.
Appendix: Indicators of Compromise (IOCs)
(Optional — for customers with technical or security teams)
Use these to block or monitor suspicious activity where possible. Report any relevant findings to Cloudbeds Support.
Known Phishing Email Addresses
The following email addresses have been identified as sources of phishing emails targeting Cloudbeds customers and their guests:
- contato@10138743.brevosend.com
- support@kokazia.freshdesk.com
- amatolucia@outlook.com
Phishing URLs / Malicious Domains
Known malicious domains used in phishing campaigns targeting Cloudbeds customers. New URLs appear frequently; this list is current as of February 5, 2026:
- kokazia[.]freshdesk[.]com
- 10138743[.]brevosend[.]com
- terralsuites[.]com[.]ar
Known Malicious IP Addresses
The following IP addresses have been confirmed as attacker infrastructure used in account compromise incidents:
- 92.243.64.222
- 51.195.242.229
WhatsApp Scam Indicators
Guests may receive WhatsApp messages from unknown numbers impersonating your property and requesting urgent payment. Common characteristics include:
- Requests to “confirm your reservation” via an external payment link
- Pressure to act immediately or risk cancellation
- Links to domains that do not belong to your property or Cloudbeds
Known Fraudulent Domains Used in Guest Scams
The following domains have been used in fraudulent communications targeting guests:
- hxxp://cloudbeds-property-manager-signon.bolt.host
- hxxp://cloudbeds-online.com
- hxxp://ddk.joinposter.com
- hxxp://corona-doner.joinposter.com
- hxxp://signin.clauldbeds.com
- hxxp://cloud-beds.app/
- hxxp://cloudbeds-app.com/
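For teams triaging proxy or mail-gateway logs, a host classifier built around the official login host and the lookalike patterns in this appendix, as an added example (not Cloudbeds tooling). The category names, the edit-distance threshold of 2 and the treatment of other cloudbeds.com subdomains as vendor-owned are assumptions.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "signin.cloudbeds.com"  # official login host given in this article
BRAND = "cloudbeds"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    text = indicator.strip().replace("[.]", ".")
    text = re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)
    return text if "://" in text else "http://" + text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str) -> str:
    """Classify a URL or bare host relative to the official login host."""
    host = (urlsplit(refang(indicator)).hostname or "").lower().rstrip(".")
    if host == OFFICIAL_HOST:
        return "official"
    if host == "cloudbeds.com" or host.endswith(".cloudbeds.com"):
        return "cloudbeds-domain"  # assumption: other subdomains are vendor-owned
    # Brand string present once dots and hyphens are ignored (cloud-beds.app).
    if BRAND in host.replace("-", "").replace(".", ""):
        return "lookalike:brand-in-name"
    # A single label within two edits of the brand (clauldbeds).
    if any(0 < edit_distance(label, BRAND) <= 2 for label in re.split(r"[.\-]", host)):
        return "lookalike:typosquat"
    return "unrelated"
```

A result of "unrelated" only means the name does not resemble the brand; hosts such as the joinposter.com entries above still have to be matched against the blocklist itself.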
If you have further concerns or notice anything suspicious, please contact Cloudbeds Support immediately.
Forward any phishing emails to support@cloudbeds.com with the subject “Phishing” so we can take action.
Stay secure,
The Cloudbeds Security Team