Booking.com clients prone to cyber fraud, warns analyst


One of the world’s largest online travel agencies says its customers are being increasingly targeted by scammers, according to a cybersecurity firm.

Though Booking.com claims its systems are safe, it has been flooded with complaints from customers who have fallen foul of third-party cyberattacks, says Panda Security.

The disclosure was made on December 1st by the WatchGuard-owned cybersecurity company, which believes Booking.com’s woes stem from third-party attacks that have been growing apace over the past six months.

“Even though the systems and networks of the agency itself are not compromised, many customers have been scammed by online criminals targeting the website’s partner hotels,” said Panda.

It added: “The bad actors have found a way to steal login credentials [that] they use to approach customers [while] pretending to be hotel staff.”

Playing both sides

Crooks typically target hotels by first calling up reception and pretending to be a guest who has lost a valuable item, said Panda.

“The criminal on the phone then follows up with the hotel receptionist by sending an email with a link to a file stored on Google Drive,” it added.

But instead of containing a picture of the ‘lost item’ as the fraudsters claim, the file contains Vidar infostealer malware that filches Booking.com login data from the hotel’s system.

From there, it’s a short trip to logging into Booking.com using the stolen credentials, allowing the scammers to approach real guests, this time pretending to be staff, and asking them to pay bogus fees.

“Instead of sending the victims to Booking.com or an actual hotel website to process the payment, the hackers forward the victim to a spoofed website or take credit card details over the phone,” said Panda.

Because the messages are sent from legitimate hotel email accounts, victims do not even realize that they’ve been scammed.

Brisk trade for dark web thieves

Panda adds that cybersecurity analysts have spotted Booking.com login credentials selling for $2,000 a pop on the dark web – a murky corner of the internet where cybercriminals frequently buy and sell information, services, and malware.

That suggests a high success rate for this particular scam and would seem to bear out Booking.com’s customer complaint woes, as reported by Panda.

“Booking.com has confirmed that it is aware of the ongoing cyberattacks on its partner hotels and is doing its best to prevent them from happening,” it added.

The cybersecurity firm urges all hotel customers to treat any requests for extra charges with suspicion and cross-check with Booking.com or partner hotels via their main telephone switchboard before paying anything.

“Another red flag for customers is when customers get asked for payment information over the phone or a messaging app,” said Panda. “Legitimate transactions should be able to be processed through an online payment portal [and] hotels rarely require end-customers to share personal info over the phone or a messaging app.”


More from Cybernews:

Bluetooth connections no longer private

One year on: how ChatGPT brought AI to the masses

Apple patches MacOS, Safari, and iOS products

Miami mobster jailed over $4M crypto theft

Signal’s Whittaker slams French govt for app ban

Subscribe to our newsletter