Hacked hotel accounts on Booking.com

Attackers are hijacking hotel accounts on Booking.com, and stealing their clients’ banking data through its internal messaging system.

Scamming Booking.com clients through hotel accounts

This season, a new attack scheme is proving very popular with cybercriminals: scamming Booking.com clients through the service’s internal messaging system. To do this, they use compromised hotel accounts on admin.booking.com. Over the past few months, various companies have released studies on incidents of this nature. Here’s a detailed breakdown of how this attack works, and tips on how hotel owners and staff can protect themselves (and their clients).

Infecting hotel staff computers with a password stealer

What we’re dealing with here is a multi-stage attack — B2B2C, if you will. It all starts with infecting hotel computers, but the immediate threat isn’t to the hotel itself — it’s to the clients.

To hijack accounts on admin.booking.com, attackers use specialized malware known as password stealers. Typically, these stealers collect any passwords found on an infected computer. But in this case it seems that Booking.com accounts are what the cybercriminals are specifically interested in.

In particular, one of the abovementioned studies describes a targeted email attack on hotel staff. This attack starts with an innocuous email in which someone poses as a recent guest and asks the hotel staff for help in finding lost documents.

Email from attackers to one of the attacked hotels

The first email from the attackers to the targeted hotel. Source

In the next email, the “guest” claims to have searched everywhere for the lost passport or whatever to no avail, suggesting the hotel is the only possible place where it might be. So, they ask the hotel staff to look for it and, to help the search, provide a link supposedly containing photos of the lost passport.

Second email from attackers to the targeted hotel

The next email from the attackers, containing a link to an infected archive with a password stealer. Source

As you might suspect, this archive contains not the photos of the passport, but the password stealer. After the user clicks on the dangerous file, the stealer searches the system for saved login credentials for the hotel’s account on admin.booking.com, and sends them to the attackers.

Cybercriminals are after hotel usernames and passwords on admin.booking.com

Using a stolen login and password, the cybercriminals gain access to the hotel’s account on admin.booking.com.

Another study on the Booking.com account theft epidemic describes an alternative method of infecting hotel staff computers. In this attack, criminals create reservations using guest accounts (in some cases, probably stolen accounts). They then contact the hotel using Booking.com’s internal messaging system and, under one pretext or another, slip in a link to a malware-infected file — with the exact same outcome as in the previous case.

Stealing hotel accounts on Booking.com and emailing clients

At the next stage, the attackers proceed to directly use the accounts stolen from the infected hotel computers. Everything is made a lot simpler by the fact that Booking.com’s service doesn’t provide two-factor authentication, so accessing an account only requires a login and password.

Upon entering the hotel’s account on admin.booking.com, the criminals study current bookings and begin sending messages to future guests using Booking.com’s internal messaging system. These messages generally revolve around an error in verifying the guest’s payment card information provided during the booking. The “hotel” thus asks the guest to re-enter their card details; otherwise, the reservation will be canceled.

Of course, the messages include links that at first glance appear to resemble genuine links to Booking.com’s booking pages. They contain the word “booking” itself, something resembling a booking number, and in some cases, additional words like “reservation”, “approve”, “confirmation”, and so on.

Of course, upon closer inspection, it’s easy to see that these links don’t lead to Booking.com at all. However, the aim here is to target hasty individuals who, unexpectedly discovering that their planned trip could be ruined, rush to rectify the situation.

Fraud in Booking.com's internal messaging system

] Through Booking.com’s internal messaging system, scammers send hotel clients links to fake booking pages. Source 1, source 2, source 3, source 4

The messages are written in a professional tone and appear quite plausible. It should also be noted that the text of such messages varies considerably from one described incident to another. Apparently, a number of criminals are using this scheme independently of each other.

Fake copies of Booking.com and stealing bank card data

The final stage of the attack ensues. By clicking on the link in the message, the hotel’s client lands on a fake page — a meticulous copy of Booking.com. These pages even display the correct guest name, information about the hotel where the victim intends to stay, dates, and price — all of which the scammers know because they have access to all the booking data.

The only thing that gives it away is the link in the address bar. However, the scammers distract the victim from paying attention to such minor details by rushing them: the page claims that these dates are in high demand, so “10 four-star hotels similar to this one are already unavailable”. The implication, of course, is that if this booking fails, finding alternative accommodation won’t be easy.

Fake Booking.com booking page

On the fake Booking.com page, the client of the hacked hotel is asked to enter their card number to reconfirm the reservation. Source

The victims are urged once again to confirm the booking as quickly as possible. Moreover, it’s easy to do: just re-enter the payment information. Obviously, the card details then fall into the hands of the criminals — mission accomplished.

Selling hotel logins and passwords for Booking.com

It’s worth mentioning that here, as in almost any other cybercriminal scheme, we see a tendency for narrow specialization. Apparently, some criminals collect hacked Booking.com accounts, while others exploit these accounts to deceive hotel clients. In any case, advertisements offering substantial sums for logins and passwords from admin.booking.com accounts can be found on hacker forums.

Offer for the purchase of hacked Booking.com accounts

Listing on an underground forum, where the authors are willing to pay generously for hacked Booking.com hotel accounts. Source

Another offer for the purchase of hacked Booking.com accounts

Another listing offering decent money for hacked admin.booking.com accounts. Source

Yet another group of criminals, providing subscription-based services to search for stolen credentials in stealer malware databases, have recently added admin.booking.com to their list of searchable data.

Announcement of the addition of admin.booking.com to the list of supported services

One of the services offering paid searches across databases of stolen passwords has learned to function with admin.booking.com accounts. Source

All of this suggests that the popularity of this criminal scheme is only growing; therefore, there’ll likely be more hacks of hotel accounts on Booking.com and more affected clients in the future.

How to protect against theft of admin.booking.com accounts

Even though these attacks directly threaten hotel clients rather than the hotels themselves, the hotels still have to deal with the backlash and somehow compensate the affected parties to avoid any reputational damage. And in general, hotel computers getting infected is bad news — today, cybercriminals are hijacking Booking.com accounts; tomorrow they’ll come up with another way to monetize this infection. Therefore, it’s absolutely necessary to protect against this threat. Here’s what to keep in mind:

  • Storing passwords in your browser is not safe — that’s where stealer malware always looks for them.
  • To store passwords well, use a specialized application — a password manager — that will take care of their security.
  • It’s essential to install reliable protection on all your devices used for business.
  • And take particular care of the security of those computers that employees might use to communicate with strangers — they’re the ones more likely to become the target of an attack.