Booking.com customers have been warned of a “well-designed scam” that has seen account details sold on the dark web.
Cybersecurity firm Secureworks said criminals are targeting the website’s partner hotels to steal user details.
They then send phishing emails to the customers, claiming their reservation will be cancelled if they do not provide payment information urgently.
Rafe Pilling, director of threat intelligence at Secureworks, said the tactic was seeing a “high success rate”, and Booking.com said it was aware some of its partners had been affected in recent months.
“While this breach was not on Booking.com, we understand the seriousness for those impacted, which is why our teams work diligently to support our partners in securing their systems as quickly as possible and helping any potentially impacted customers accordingly, including with recovering any lost funds,” it said.
The scam unfolds in two phases, starting with hotels themselves being targeted by scam emails.
They often claim to be from a guest who has left valuable documents during their stay, who then sends a follow-up email directing the hotel to a Google Drive link purporting to show an image of the lost item.
The link actually contains malware called Vidar Infostealer, which allows the criminals to access the Booking.com account portal that people use to make their reservations.
From there, they can target the customers.
Look out for ‘sense of urgency’
In one case involving a hotel in Scotland, a receptionist was duped by a scam caller who claimed to want to book a room for herself and her child with serious allergies.
They said it would be easier to email a document outlining the child’s allergies to determine whether the hotel could accommodate them, and the attachment contained the malware.
It gathered details of all the hotel’s Booking.com customers and sent them fraudulent emails saying they had 24 hours to pay.
Jude McCorry, chief executive of Scotland’s Cyber and Fraud Centre, told Sky News it was a “well-designed scam” that less tech-savvy people would find “very difficult” to identify.
She said a “sense of urgency” in demanding money was often a tell-tale sign that something could be wrong.
Secureworks has found Booking.com credentials being sold on dark web forums for up to $2,000 (£1,576).
It said the scam was not an easy one to close down because it relies on Booking.com and its partner hotels having effective controls in place, as well as employees and customers recognising the threat.
The company has recommended that hotels make staff aware and teach them how to identify such attacks, while customers should use multifactor authentication to protect their accounts.
They should also question any emails or app messages requesting payment details, and contact Booking.com or the hotel directly if they have concerns.
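The warning signs named above (a short payment deadline, a threat of cancellation, a request for card details, payment being asked for by phone, text or WhatsApp, and links that do not go to the booking site) can be turned into a simple triage rule for incoming guest messages. The following is an added example written for this page, not code from Sky News, Secureworks or Booking.com; the sample messages are constructed, and the scoring weights, threshold and list of trusted hosts are assumptions a hotel or help desk would tune to its own environment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real phishing emails) used to exercise the rules.
SAMPLE_MESSAGES = {
    "phish": (
        "Dear guest, please confirm your credit card details within 24 hours "
        "or your reservation will be cancelled: https://booking-verify.example/confirm"
    ),
    "legit": (
        "Thank you for your booking. As shown in your confirmation, payment is "
        "made at the property on arrival. Manage your stay at "
        "https://www.booking.com/mybooking"
    ),
}

# Red flags taken from the article: a deadline measured in hours, a cancellation
# threat, a request for card data, and off-platform payment channels.
URGENCY_RE = re.compile(r"\b(within|in)\s+(\d{1,2})\s*(hours?|hrs?)\b", re.I)
CANCEL_RE = re.compile(r"\b(cancel(l)?ed|cancellation|suspend(ed)?)\b", re.I)
CARD_RE = re.compile(r"\b(card (number|details)|cvv|cvc|expiry|expiration date)\b", re.I)
CHANNEL_RE = re.compile(r"\b(whatsapp|text message|sms|by phone|call us)\b", re.I)
LINK_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Assumption: hosts the booking platform itself uses; anything else is treated as untrusted.
TRUSTED_HOSTS = {"booking.com", "www.booking.com"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def triage(message: str) -> Verdict:
    """Score a message against the red flags and explain each hit."""
    v = Verdict()
    m = URGENCY_RE.search(message)
    if m and int(m.group(2)) <= 48:          # short deadlines are the pressure tactic
        v.score += 2
        v.reasons.append(f"deadline of {m.group(2)} hours")
    if CANCEL_RE.search(message):
        v.score += 1
        v.reasons.append("threatens cancellation or suspension")
    if CARD_RE.search(message):               # legitimate confirmations never ask for this
        v.score += 3
        v.reasons.append("asks for card details")
    if CHANNEL_RE.search(message):
        v.score += 1
        v.reasons.append("asks for details via phone, text or WhatsApp")
    for host in LINK_RE.findall(message):
        host = host.lower().split(":")[0]
        # endswith(".booking.com") accepts subdomains but rejects look-alikes such as
        # booking.com.evil.example, whose suffix is different.
        if host not in TRUSTED_HOSTS and not host.endswith(".booking.com"):
            v.score += 2
            v.reasons.append(f"link to untrusted host {host}")
    return v


def is_suspicious(message: str, threshold: int = 4) -> bool:
    """Assumed threshold: a card request plus any other flag is enough to hold the message."""
    return triage(message).score >= threshold


if __name__ == "__main__":
    for name, text in SAMPLE_MESSAGES.items():
        verdict = triage(text)
        print(name, verdict.score, verdict.reasons)
```

The output is a score with reasons rather than a yes/no, so a receptionist or help-desk analyst can see why a message was held and check the payment policy in the original confirmation before replying, which is the step Booking.com itself recommends.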
Booking.com said online fraud was a “pressing issue across many sectors” and the company has made “significant investments to limit the impact of these ever-evolving tactics”.
“Due to the rigorous controls and the machine learning capabilities we employ, we are able to detect and block the overwhelming majority of suspicious activity before it impacts our partners or customers,” it added.
“We have also been sharing additional tips and updates with our partners about what they can do to protect themselves and their businesses, along with the latest information on malware and phishing so that they are as up-to-date as possible on the latest trends that we’re seeing.
“In terms of some practical steps that customers can take to remain safe online, we recommend vigilance and that people carefully check the payment policy details outlined in their booking confirmation.
“If a property or host appears to be asking for payment outside what’s listed on their confirmation, they should reach out to our customer service team for support.
“Also, it’s good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message (including WhatsApp).”