Recent Phishing Campaign Targeting Mews Customers

  • December 19, 2025
roger.ribas
Mews Employee

Dear Customer,

We would like to inform you of an ongoing phishing campaign targeting hospitality providers, including some Mews customers. We want to give you early visibility so you can take precautionary action and alert your internal teams.

This message includes answers to the most common questions we’ve received so far. If you experience anything not covered here, please contact the Mews Customer Support team via the Mews Digital Assistant (How to submit a support ticket in Mews Operations) or our critical phone line (Contact Mews | Get in touch with us).

For customers with dedicated technical or security teams, we have also included an optional appendix with indicators of compromise (IOCs) that can help you identify and block malicious activity within your own network.

Please be assured that the Mews Product Security team is actively monitoring and responding to this threat to protect the Mews platform, Mews customers and their guests.

 

FAQ

What is happening?

We have observed attackers cloning the legitimate Mews login portal and using Google Ads to redirect users to these fake login pages. Once users enter their credentials and MFA code, attackers take over accounts by:

  • Resetting user credentials or creating new accounts

  • Exporting future reservation data

  • Using that data in WhatsApp payment-fraud scams, pressuring guests to make urgent “reservation payments” via fraudulent links

  • Using Google Sites as an additional masking layer to make the pages appear legitimate

Google Sites wrapper combined with Google Ads.

Which URLs are part of the phishing campaign?

Our Third-party Brand Protection service provider continuously monitors and removes malicious domains. The fake portals look identical to the legitimate Mews login page—the URL is the only visible difference.

If you have a technical team, please review the list of known malicious URLs in the appendix. New URLs may appear, and we remove them as soon as they are detected.

Was Multi-Factor Authentication (MFA) enabled on compromised accounts?

Yes. All compromised accounts investigated so far were using authenticator-based MFA.
However, authenticator codes are not phish-proof—attackers can intercept them using this technique.

To protect your users, Mews strongly recommends switching to phish-resistant MFA, such as:

How is Mews detecting and responding to malicious activity?

The Mews Product Security team uses an advanced security stack and Security Information and Event Management (SIEM) solution with static and machine-learning driven security logic to identify suspicious behaviour across the platform.

Mews is also working closely with authorities and relevant internet service providers to disrupt this threat group.

Have other Mews customers been targeted?

Yes. This is part of a broader, coordinated attack against the hospitality sector. Customers using authenticator-based MFA are most susceptible.

What short-term actions can we take to reduce risk?

We strongly recommend the following:

 

Contact Mews Customer Support using the Mews Digital Assistant if you need additional guidance implementing any of these measures.

Are there any other possible attack vectors I should watch for?

Some customers have reported receiving suspicious or malicious emails from unknown senders. At this time, there is no evidence that these emails have led to compromised Mews user accounts. However, if you notice any unusual activity in your Mews account, the Mews Platform Security team recommends also checking your email inbox for unexpected or suspicious messages.

If you find anything concerning, make sure to report it to the Mews Customer Support team for further investigation.

 

Appendix: Indicators of Compromise (IOCs)

(Optional for customers with technical/security teams)

Use these to block or monitor suspicious activity where possible. Report any relevant findings to Mews Customer Support.

URLs


IP Addresses (IPv4)


IP Addresses (IPv6)

  • 2a01:348:70:6d67:fced:fc53:371a:9889 [United Kingdom, Syntura Group Limited]

  • 2406:4300:bae:5739:5ba2:51cc:950e:e480 [Hong Kong, Tele Asia Limited]

WhatsApp IOCs:

 

If you have further concerns or notice anything suspicious, please contact the Mews Support team immediately using the Mews Digital Assistant.

Stay secure,

The Mews Team
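
Because the cloned portals differ from the real one only in the URL, proxy or DNS logs can be triaged on hostname shape and on the sign-in path `/Commander/Home/SignIn` seen in the reported URLs. The following is an added example, not part of the original post and not Mews's own detection logic; it assumes `mews.com` is your legitimate login domain, and the sample URLs are constructed on the reserved `.example` TLD.

```python
import re
from urllib.parse import urlsplit

LEGIT_DOMAIN = "mews.com"                 # assumption: your real Mews login domain
BRAND = "mews"
SIGNIN_PATH = "/commander/home/signin"    # path seen in the reported URLs
CONFUSABLES = (("rn", "m"), ("vv", "w"))  # letter pairs that read as one letter

def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(label):
    """True if a host label reads like the brand once common tricks are undone."""
    for seq, repl in CONFUSABLES:
        label = label.replace(seq, repl)
    label = re.sub(r"(.)\1+", r"\1", label)   # collapse doubled letters
    return edit_distance(label, BRAND) <= 1

def classify(url):
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower()
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    labels = host.split(".")
    # Naive registrable label (no public-suffix list): the second-to-last label.
    lookalike = is_lookalike(labels[-2] if len(labels) > 1 else labels[0])
    signin = parts.path.lower().rstrip("/") == SIGNIN_PATH
    if lookalike and signin:
        return "block"
    # One signal alone is weaker: distance 1 also matches words such as "news".
    return "review" if lookalike or signin else "ignore"

# Constructed sample URLs, not taken from the campaign.
SAMPLES = ["https://app.mews.com/Commander/Home/SignIn",
           "hxxps://app[.]rnevvs[.]example/Commander/Home/SignIn",
           "http://mewws.example/",
           "https://pms.hotel.example/Commander/Home/SignIn"]

def triage(urls):
    return {u: classify(u) for u in urls}
```

Hosts that land in `review` still need a human look, since a Google Sites wrapper or an ad redirect will not carry a lookalike hostname at all.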

3 replies

Georg Gaag
Guru
  • December 22, 2025

Is Mews still charging extra for SSO or should Mews be on this wall? :) https://sso.tax/

SSO in a business environment should be included in the most basic plan. I think that should be in Mews interest as well. 


terry.brown
Mews Employee
  • December 22, 2025

> Is Mews still charging extra for SSO or should Mews be on this wall? :) https://sso.tax/
>
> SSO in a business environment should be included in the most basic plan. I think that should be in Mews interest as well.


Hi Georg,

You’ll be as happy as we are to know that we’ve just released SSO for all for free. We agree that although a commercial necessity as we grew, it was no longer sensible to continue to charge for it, so it’s now available to all of our customers who can leverage it for free.

The data on SSO is compelling, during the time we’ve seen phishing attacks, we have had zero customers impacted who are operating SSO (this is also true for passkeys and email 2FA for those that cannot leverage SSO).

Authenticator 2FA (entering the 6 digit code) is something we no longer recommend as a default.

Cheers,

Terry


Johannes Rott
Superstar Guru
  • December 23, 2025

> Is Mews still charging extra for SSO or should Mews be on this wall? :) https://sso.tax/
>
> SSO in a business environment should be included in the most basic plan. I think that should be in Mews interest as well.

Just received the official confirmation yesterday, that there will be no SSO fee anymore for 2026!