In recent years, Booking.com, a popular online travel agency, has been the target of several phishing scams. These scams have resulted in significant financial losses for Booking.com, hoteliers and its customers. In recent months, these types of scams have been on the rise again, with
How the Attacks Work
In a typical Booking.com phishing scam, attackers will first gain access to the computer systems of a hotel or BnB. They do this by socially engineering staff into opening a file containing malware; you can see the tactic used in the example emails below. In a recent incident reported in Edinburgh, the threat actors advised the hotel that their child had particular dietary/allergy requirements. They stated it was easier to email over the list of their requirements and sent a file containing the malware, which was opened.
They will then use this access to steal customer data, such as names, email addresses, and credit card numbers.
Perception Point, which has reported on this, has identified ten steps the attackers take throughout this scam, listed below.
- Initial Booking: The hacker makes an online booking, opting for free cancellation to minimise risk.
- Confirmation Email: An automated confirmation email is sent to the hacker.
- Crafting the Reply: The hacker uses this email to reply with a specific request or question about the reservation.
- Adding the Lure: A link to a file-sharing service and a plaintext password are attached to the email.
- Targeting the Victim: The email is sent to the online booking service’s support or the hotel.
- Clicking the Bait: The support representative opens the email and downloads the archive using the provided link.
- Decrypting the Archive: The downloaded archive is encrypted but easily decrypted using the provided password.
- The Deceptive File: Upon decryption, an executable file with a misleading name and a PDF icon is extracted.
- Triggering the Trap: The representative double-clicks the executable, unknowingly launching the malicious code.
- Data Exfiltration: The endpoint becomes infected, and sensitive information is transmitted to the hacker.
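As an added example, not from the original article or from Perception Point, the following Python triage checks look for two of the tells in the steps above: a reply that pairs a download link with a plaintext password ("Adding the Lure"), and an extracted file whose name claims to be a PDF while its header is that of a Windows executable ("The Deceptive File"). The regular expressions and sample strings are constructed for this example.

```python
import re

# Constructed patterns: any URL plus a "password: xxxx" style phrase in the same message.
# Genuine guest requests rarely ship an encrypted archive and its password together.
LINK_RE = re.compile(r"https?://\S+", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:|=)?\s*\S+", re.I)


def email_looks_like_lure(body: str) -> bool:
    """True when a message carries both a download link and a plaintext password."""
    return bool(LINK_RE.search(body)) and bool(PASSWORD_RE.search(body))


def classify_extracted_file(name: str, head: bytes) -> str:
    """Compare what the filename claims with what the first bytes actually are.

    'masquerade' means the name suggests a PDF (e.g. requirements.pdf.exe, or an
    icon-spoofed .exe) but the content starts with the 'MZ' executable header.
    """
    claims_pdf = ".pdf" in name.lower()
    is_pe = head.startswith(b"MZ")       # Windows PE executable header
    is_pdf = head.startswith(b"%PDF")    # real PDF header
    if claims_pdf and is_pe:
        return "masquerade"
    if is_pe:
        return "executable"
    if is_pdf:
        return "pdf"
    return "other"


if __name__ == "__main__":
    # Constructed sample reply in the style described above.
    sample = ("Hi, my daughter has several allergies, it is easier to send the list: "
              "https://files.example.invalid/d/abc123 password: Guest2024")
    print(email_looks_like_lure(sample))                                  # True
    print(classify_extracted_file("Allergy-list.pdf.exe", b"MZ\x90\x00\x03"))  # masquerade
```

Both checks are cheap enough to run in a mail-gateway rule or an attachment sandbox before a support agent ever sees the file.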
With this stolen data, attackers will send phishing emails to Booking.com customers. These emails will often appear to be from Booking.com itself and typically contain urgent requests or enticing offers. For example, recent emails have advised customers that they are required to carry out additional card confirmations, or that the booking could be cancelled if they did not verify their payment method.
The phishing emails will typically contain links to fake Booking.com websites. When a customer clicks on one of these links, they will be taken to a website that looks similar to the actual Booking.com website. However, the fake website is controlled by the attackers.
Fake Booking.com example – customers are completing these, unaware of the scam
Once a customer enters their personal information on the fake website, the attackers will steal it. They can then use this information to make unauthorised purchases or to commit further crimes, including identity theft.
Impact of the Attacks
The Booking.com phishing scams have significantly impacted Booking.com, its customers and the associated hotels and bed and breakfast owners who use Booking.com to generate business. Booking.com's reputation has been damaged, and it has had to spend money to investigate and remediate the attacks. Customers have suffered financial losses and had their personal information stolen, and hotels report losses stemming directly from these crimes. Customers have been cancelling bookings and events as they do not know if they will be reimbursed. Hotels have also had to go through the process of purchasing new computer equipment or hiring cyber security specialists to ensure their systems are free from malware.
How to Protect Yourself
There are several things that you can do to protect yourself from Booking.com phishing scams:
- Be wary of any emails that you receive from Booking.com, especially if they contain urgent requests or enticing offers.
- Do not click on any links in emails from Booking.com, unless you are sure the email is legitimate.
- If you are unsure about the legitimacy of an email from Booking.com, you can contact Booking.com customer service directly.
- Never enter your personal information on a website that you are not sure is legitimate.
- Use a strong password for your Booking.com account and enable two-factor authentication. Do not re-use this password across other websites. One password, one site.
- Hoteliers and Bed and Breakfast owners should provide staff training, making them aware of the threat actors’ techniques.
Booking.com phishing scams are a severe threat to Booking.com, hoteliers and its customers. However, by following the tips above, you can protect yourself from these scams.