For a few months, reports of hackers contacting Booking.com customers through official email addresses or even the official Booking app have been increasing. According to the BBC, the scams started appearing in March but have been increasing in frequency since October.
1. How it works
Multiple customers have reported receiving emails from the “noreply@booking.com” address, which is the official account Booking.com uses to send information about reservations. Some even received notifications in the Booking.com app, making the scams that much harder to identify.
The content of the messages is similar. Guests are informed that their reservation will be cancelled unless they reconfirm their credit card information via a provided link. The stated reasons for the reverification vary, such as an alleged problem verifying the card details at the time of booking, but customers are always given only a short window before the reservation is allegedly cancelled.
Creating a sense of urgency is a common phishing method: it counts on people believing something bad will happen unless they act immediately, leaving them no time to process the information clearly. Similarly, in a perhaps crueller scam, older people are called and told that a relative or a close friend has been in an accident and that they need to transfer money for their treatment.
Because the messages arrive from the official email address or through the app, the scam is difficult to recognise for anyone who is not at least somewhat familiar with how phishing works.
2. Who got hacked?
Booking.com has rejected allegations that its own servers were breached. On the other hand, partner hotels are also saying the problem cannot be on their side. The fact that the hackers work across different hotels in different countries and from the Booking.com email address would suggest the problem lies with the platform; however, a recent analysis conducted by cyber-security company Secureworks shows that the point of entry into the system is indeed through the hotels.
The company found that hackers contact hotels pretending to be either a former or a future guest of the establishment. In the first case, they say they forgot an item or an important document at the hotel and send a Google Drive link, allegedly to a picture of the item, which instead delivers malware. In the second case, they claim to have a long list of requirements that is easier to send by email than to explain over the phone; the document supposedly containing those requirements again installs malware on the staff computer.
Once the malware is installed, the hackers gain access to the establishment’s Booking.com account, which allows them to send “official” notifications to its customers.
“The scam is working and it’s paying serious dividends,” says Rafe Pilling, director of threat intelligence for Secureworks Counter Threat Unit. “The demand for credentials is likely so popular because it’s seeing a high success rate, with emails targeting genuine customers and appearing to come from a trusted source. It’s social engineering at its best.”
3. What can be done
Booking.com has only recently published an online security awareness page on its website drawing attention to phishing risks, and has started displaying a warning message at the bottom of its chat window. “We have also been sharing additional tips and updates with our partners about what they can do to protect themselves and their businesses, along with the latest information on malware and phishing so that they are as up to date as possible on the latest trends that we’re seeing”, the platform said in a statement.
However, cyber-security expert and podcaster Graham Cluley said much more can be done to increase security. “For instance, not allowing any links to be included in chat which go to websites that are less than a few days old would prevent freshly made fake sites being used to trick customers into paying”, he explained.
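As an added illustration of the kind of check Cluley describes (example code written for this page, not Booking.com's or Secureworks' implementation): it extracts links from a chat message and refuses those whose registrable domain is younger than a threshold, or whose age cannot be determined. The registration-date table and the domain names are constructed for the example and stand in for a real WHOIS/RDAP lookup.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed registration dates (assumption: in production these would come
# from a WHOIS/RDAP lookup). The dates and the second domain are placeholders.
REGISTRATION_DATES = {
    "booking.com": date(2000, 1, 1),            # constructed, not real WHOIS data
    "reconfirm-example.net": date(2023, 11, 20),  # a "freshly made" lookalike
}
TODAY = date(2023, 11, 22)   # fixed reference date so results are reproducible
MIN_AGE_DAYS = 7             # "less than a few days old" threshold

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(hostname):
    """Reduce a hostname to its last two labels (naive; real code should use
    the Public Suffix List so that e.g. example.co.uk is handled correctly)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def domain_age_days(domain, today=TODAY):
    """Age of the domain in days, or None when the registration date is unknown."""
    registered = REGISTRATION_DATES.get(domain)
    return None if registered is None else (today - registered).days


def classify_links(message, min_age_days=MIN_AGE_DAYS):
    """Return (url, verdict) for each link in a chat message.

    Verdicts: 'allow', 'block:new-domain' (registered too recently) or
    'block:unknown-age' (no registration data, treated as suspicious)."""
    results = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:)")               # drop trailing punctuation
        host = urlparse(url).hostname or ""
        age = domain_age_days(registrable_domain(host))
        if age is None:
            verdict = "block:unknown-age"
        elif age < min_age_days:
            verdict = "block:new-domain"
        else:
            verdict = "allow"
        results.append((url, verdict))
    return results
```

A chat platform would run this on outbound messages and either strip or hold the flagged links, logging the domain and its age for the security team.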
Unfortunately, due to the scale and intricacy of the scam, taking down the hackers is no easy feat. In the meantime, customers should be wary of any message that asks for urgent payment and, if in any doubt, contact the hotel or Booking.com directly.