Travelers targeted with Booking.com refund malware


With travelers spreading their wings for a new season of traveling, attackers are adjusting their campaigns to distribute Agent Tesla malware.

Scammers are targeting users of popular travel-related service providers with malware, masquerading as inquiries from brands such as Booking.com, Forcepoint researchers have revealed.

For example, attackers distribute emails impersonating Booking.com. The email asks the recipient to check an attached PDF for a card statement.

As anyone who has ever booked a hotel or apartment knows, any last-minute emails from the residence owner can be stressful. Attackers bank on precisely that, as the PDF attachment, in this case, is infected with malware.

Once a user clicks the link in the PDF, the URL downloads an obfuscated JavaScript file that invokes PowerShell and later deletes the script to cover its tracks. The end goal of the attack is to deploy Agent Tesla malware on the targeted system.
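Seen from the defender's side, the chain just described (script file → PowerShell → script deleted) is a pattern endpoint telemetry can flag. The following is an added detection example, not code from the Forcepoint report; the Sysmon-style events, field names, host names and paths in it are constructed assumptions.

```python
# Added example: flag a script host (wscript/cscript) launching PowerShell and
# note whether the launching .js file was later deleted, matching the chain in
# the article. Event id 1 = process create, id 23 = file delete (Sysmon-like).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry (not real logs). Only LAPTOP-01 shows the chain;
# LAPTOP-02 is benign PowerShell started from Explorer.
SAMPLE_EVENTS = [
    {"id": 1, "host": "LAPTOP-01", "pid": 410, "ppid": 300,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Program Files\\Reader\\AcroRd32.exe",
     "cmdline": "wscript.exe C:\\Users\\a\\Downloads\\card_statement.js"},
    {"id": 1, "host": "LAPTOP-01", "pid": 512, "ppid": 410,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc <constructed-placeholder>"},
    {"id": 23, "host": "LAPTOP-01", "pid": 512,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Users\\a\\Downloads\\card_statement.js"},
    {"id": 1, "host": "LAPTOP-02", "pid": 700, "ppid": 100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "powershell.exe Get-Date"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _script_arg(cmdline):
    """Return the first .js/.jse argument on a command line, if any."""
    for tok in cmdline.split():
        if tok.lower().endswith((".js", ".jse")):
            return tok.strip('"')
    return None

def find_script_to_powershell_chains(events):
    """Return one alert per PowerShell process whose parent is a script host,
    recording the launching script and whether that file was later deleted."""
    creates = {(e["host"], e["pid"]): e for e in events if e["id"] == 1}
    deleted = {(e["host"], e["target"].lower()) for e in events if e["id"] == 23}
    alerts = []
    for e in events:
        if e["id"] != 1 or _basename(e["image"]) != "powershell.exe":
            continue
        if _basename(e["parent"]) not in SCRIPT_HOSTS:
            continue
        parent = creates.get((e["host"], e["ppid"]))
        script = _script_arg(parent["cmdline"]) if parent else None
        alerts.append({"host": e["host"], "script": script,
                       "powershell_cmdline": e["cmdline"],
                       "script_deleted": script is not None
                       and (e["host"], script.lower()) in deleted})
    return alerts

if __name__ == "__main__":
    for alert in find_script_to_powershell_chains(SAMPLE_EVENTS):
        print(alert)
```

The deletion check is what separates a one-off scripting oddity from the self-cleaning loader pattern described above; a real deployment would join on process GUIDs rather than PIDs, which can be reused.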

“On successful infiltration of the malware, it allows attackers to conduct malicious activities such as data theft and executing commands on compromised systems,” researchers said.

Attackers employ Agent Tesla malware, an advanced remote access trojan (RAT) that functions as a keylogger and information stealer. Agent Tesla is one of the most prominent RATs in circulation, affecting up to 7% of organizations worldwide. The malware targets Microsoft Windows OS-based systems.