
Scammers have devised a sophisticated hotel booking scam by hijacking Booking.com accounts, prompting guests to share their payment card information. Researchers from Secureworks warned that customers received deceptive emails or in-app messages, appearing to be from hotel owners, requesting payment details for upcoming stays.

Victims were directed to malicious URLs, enabling scammers to withdraw money from their accounts. One attack involved a scammer posing as a former guest, initially gaining the recipient's trust before providing a Google Drive link that led to malware used to access the hotel's Booking.com account.

The hotel booking scam involves a multi-step process, which makes it more convincing and successful. Scammers first establish trust through email interactions, requesting favors from hotel staff. The second email contains URLs to seemingly legitimate documents hosted on services like Google Drive, Dropbox, or Mega, which conceal infostealer malware. This approach, involving a series of interactions and password-protected archives, sidesteps rational scrutiny and creates a false sense of security. The scam has been ongoing since at least March 2023, with hotels reporting abuse of Booking.com's messaging mechanism and customers sharing their experiences of being targeted.

To safeguard against such scams, organizations in the hospitality and travel industry are advised to implement multi-factor authentication on Booking.com accounts, educate employees about social engineering campaigns, and double-check URLs before opening them. Customers are cautioned to be wary of emails or app messages requesting payment details, even if seemingly legitimate, and remain vigilant to potential phishing attempts. The hotel booking scam underscores the need for heightened cybersecurity measures in the hospitality sector to protect both businesses and customers from evolving cyber threats.
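The two-message pattern described above (a link-free opening message, then a file-sharing link sent together with an archive password) can be flagged for review in a front-desk mailbox. The following is an added example, not code from Secureworks or Booking.com; the hostnames, the `hotel.example` staff domain and the sample thread are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hostnames assumed for the services the article names (Google Drive, Dropbox, Mega).
FILE_SHARE_HOSTS = ("drive.google.com", "dropbox.com", "mega.nz")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
PASSWORD_RE = re.compile(r"\b(password|passcode)\b", re.I)

def file_share_links(body):
    """Return URLs whose host is, or is a subdomain of, a file-sharing service."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            hits.append(url)
    return hits

def triage_thread(messages, internal_domain):
    """Return (index, reasons) for each external message with a file-share link."""
    findings, link_free_senders = [], set()
    for i, msg in enumerate(messages):
        sender = msg["from"].lower()
        if sender.endswith("@" + internal_domain):
            continue  # staff replies are not scored
        links = file_share_links(msg["body"])
        if not links:
            link_free_senders.add(sender)  # possible trust-building message
            continue
        reasons = ["file-share link: " + links[0]]
        if PASSWORD_RE.search(msg["body"]):
            reasons.append("password supplied alongside the link")
        if sender in link_free_senders:
            reasons.append("follows an earlier link-free message from this sender")
        findings.append((i, reasons))
    return findings

# Constructed sample thread; addresses, domain and link are placeholders.
SAMPLE_THREAD = [
    {"from": "guest@example.net", "body": "I stayed with you recently. Could you help me with a favour?"},
    {"from": "frontdesk@hotel.example", "body": "Of course, please send the details."},
    {"from": "guest@example.net", "body": "Thanks. The document is here: "
        "https://drive.google.com/file/d/EXAMPLE/view and the archive password is 1234"},
]

if __name__ == "__main__":
    for index, reasons in triage_thread(SAMPLE_THREAD, "hotel.example"):
        print(f"message {index}: review before opening ({'; '.join(reasons)})")
```

A match only means the message deserves a second look before anyone downloads the file; legitimate guests also share documents this way.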
