Image: Bell at a hotel desk (©DAVIT85 via Canva.com)

Booking.com Customers Fall Victim to Hotel Booking Scam

December 5, 2023

Fraudsters are targeting Booking.com customers by hijacking hotels' Booking.com accounts and using the guests' booking details to trick them into sharing their payment card information.

Secureworks, a U.S.-based cybersecurity firm, investigated an attack in October and stated, “Customers of multiple properties received email or in-app messages from Booking.com that purported to be from hotel owners requesting confirmation of payment details for upcoming stays. The threat actors directed the victims to malicious URLs for inputting the information, and then used the details to withdraw money from the victims’ accounts.”

According to Secureworks, the emails have been strategically disguised in stages to look legitimate. The first email would set the scene for the request but with no links or attachments to set off security alerts, and the second one contained the URL to the documents hosted on legitimate services such as Google Drive and Dropbox.

When recipients downloaded and ran the malicious ZIP files containing the Vidar infostealer, the perpetrators obtained the credentials for the hotel’s Booking.com account and could access the Booking.com management portal, including its list of upcoming bookings. From there they sent messages directly to booked guests.

“The day after the malware was executed, a hotel employee observed that multiple messages had been sent to upcoming guests from the hotel’s Booking.com account. Several hours later, hotel customers started to complain that money had been taken from their accounts,” a Secureworks researcher said.

According to the BBC, “Booking.com users have spoken of their anger at the company’s failure to stop them falling victim to cyber-criminals.”

Booking.com explained that it plans to implement new safety features but also said there was “no silver bullet.”

Fraudulent behavior like this has been taking place for over a year, but recently it appears to have increased in intensity with hackers taking to the dark web to seek more victims, as reported by the BBC.

To protect themselves, Secureworks advises that organizations in the hospitality and travel industry should implement multi-factor authentication on their Booking.com accounts, educate employees about these social engineering campaigns, and double-check URLs before opening them.

Secureworks also said that individual customers should be cautious of emails or app messages requesting payment details, as they may not be legitimate. They should be suspicious of such messages even if they arrive through legitimate channels (i.e., from legitimate Booking.com accounts).
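The advice above to double-check URLs is easier to follow with a small, mechanical check than by eye, because the lures in this campaign rely on links that look right at a glance. The following is an added example written for this article, not code from Secureworks or Booking.com. It extracts links from a message, and classifies each one as belonging to the expected domain, to a file-sharing service of the kind the article says hosted the malware, or to something else. The expected-domain allowlist and the sample message are constructed for the example; an organization would substitute its own list.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the domain a genuine Booking.com message links to.
EXPECTED_DOMAINS = ("booking.com",)

# Legitimate services the article says were used to host the malicious ZIP;
# a link to them in a payment-confirmation message deserves a second look.
FILE_SHARE_DOMAINS = ("drive.google.com", "dropbox.com")

URL_PATTERN = re.compile(r"https?://[^\s<>\"')]+")


def hostname_matches(host: str, domain: str) -> bool:
    """True if host is exactly the domain or a subdomain of it.

    A plain substring test would accept 'booking.com.example.net', so the
    comparison is anchored on the dot boundary instead.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> str:
    """Return 'expected', 'file_share', 'suspicious' or 'invalid' for one link."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased; user:pass@ and :port are stripped
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    # 'https://booking.com@evil.example/' has hostname 'evil.example', so the
    # userinfo trick is handled by urlsplit before we compare anything.
    if any(hostname_matches(host, d) for d in EXPECTED_DOMAINS):
        return "expected"
    if any(hostname_matches(host, d) for d in FILE_SHARE_DOMAINS):
        return "file_share"
    return "suspicious"


def review_message(text: str) -> list:
    """Extract every link in a message body and pair it with its verdict."""
    return [(url, classify_url(url)) for url in URL_PATTERN.findall(text)]


def needs_manual_check(text: str) -> bool:
    """True unless every link in the message points at the expected domain."""
    verdicts = [verdict for _, verdict in review_message(text)]
    return any(v != "expected" for v in verdicts)


if __name__ == "__main__":
    # Constructed sample message in the style the article describes.
    sample = (
        "Dear guest, please confirm your payment details for your upcoming stay "
        "at https://secure-booking.com/confirm?id=123 . The booking documents "
        "are at https://www.dropbox.com/s/abc123/documents.zip . "
        "Your reservation remains visible at https://secure.booking.com/mybookings ."
    )
    for url, verdict in review_message(sample):
        print(f"{verdict:10} {url}")
    print("manual check needed:", needs_manual_check(sample))
```

The classifier only says where a link points; it cannot tell whether the account that sent the message has been hijacked, which is the scenario the article describes. That is why `needs_manual_check` treats anything other than the expected domain as a reason to confirm through Booking.com's own customer service rather than through the link.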

According to Sky News, Booking.com said, “If a property or host appears to be asking for payment outside what’s listed on their confirmation, they should reach out to our customer service team for support. Also, it’s good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp).”
