Full Report
I recently heard about a wave of scams exploiting Booking.com users. So I went and researched it for myself. I came across a post on the r/travel subreddit about such an incident. [1]

The user received a seemingly authentic message with a URL via Booking.com's app. They provided their credit card information and said that “within mere minutes of this, an attempt was made to use [their] credit card for an online purchase.” As others pointed out on Reddit, the most likely scenario here is that the hotel's account with Booking.com has been compromised, or the hotel's own email account was compromised.

I then looked up the phishing site sent via the Booking.com in-app messaging system in VirusTotal to find the IP address and checked that in URLscan. As I imagined, the offending IP address had a bunch of other Booking.com phishing domains that resolved to it. This revealed a widespread campaign. [2, 3]

Further research on this topic led me to a recent Secureworks blog about threat actors taking it to the next level by stealing Booking.com hotel admin credentials using a well-known Infostealer malware called Vidar. My colleague Tas also recently wrote a blog for Curated Intel on this topic. Other open-source blogs have also covered these campaigns in-depth. [4, 5, 6]

Unfortunately, this seems like a highly successful online scam. It is leveraging an in-app communications channel and taking advantage of poor security practices by small businesses to exploit the business-to-customer (B2C) relationship.
And unfortunately, if Booking.com does not address this issue directly, customers may avoid them for safer experiences.

Indicators of Compromise (IOCs):
https://otx.alienvault.com/pulse/656c7d656b2ac2aa77295072

References:
[1] https://www.reddit.com/r/travel/comments/163icx6/urgent_warning_phishing_through_bookingcoms
[2] https://www.virustotal.com/gui/domain/booking.id24144379.date/detection
[3] https://urlscan.io/ip/91.215.40.30
[4] https://www.secureworks.com/blog/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam
[5] https://www.curatedintel.org/2023/12/curated-intel-threat-report-multi.html
[6] https://g0njxa.medium.com/un-booking-a-scam-8f8058eb7200
Analysis Summary
# Incident Report: Widespread Phishing Campaign Exploiting Compromised Booking.com Hotel Accounts
## Executive Summary
A widespread cybercrime campaign is underway exploiting compromised Booking.com hotel administrator accounts to distribute phishing links directly to customers via the platform's in-app messaging system. Attackers, often utilizing malware like Vidar to steal credentials, persuade victims to enter payment details on fake sites, leading to immediate credit card misuse. The incident highlights a significant B2C relationship breach due to poor security hygiene at compromised small businesses.
## Incident Details
- Discovery Date: Approximately December 03, 2023 (based on reported incident timeline)
- Incident Date: Ongoing campaign
- Affected Organization: Booking.com (as the vector), various independent/small hotel businesses (as the compromised entity)
- Sector: Travel/Hospitality (B2C platform abuse)
- Geography: Global (implied by the nature of Booking.com usage)
## Timeline of Events
### Initial Access
- Date/Time: Precedes customer compromise discovery.
- Vector: Compromise of the hotel's Booking.com administrator account, potentially through the compromise of the hotel's internal machine via Infostealer malware (e.g., Vidar).
- Details: Attackers gain control over the communication channel between the hotel and the customer.
### Lateral Movement
- Not explicitly detailed in the context of the victims' networks; movement appears focused on achieving persistent access to the compromised Booking.com partner account.
### Data Exfiltration/Impact
- Date/Time: Minutes after victim provides details.
- Details: Victims were prompted via the in-app message to click a malicious link, leading to a phishing site where they entered credit card information, which was then immediately used for online purchases.
### Detection & Response
- Detection: Reports surfaced via social media platforms (r/travel), bringing the campaign to the attention of threat intelligence researchers.
- Response Actions: Researchers analyzed the phishing domains, identified associated IP addresses (e.g., `91.215.40.30`), and tracked the widespread nature of the scam linking multiple phishing domains to the same infrastructure. (No organizational response details provided in the source.)
## Attack Methodology
- Initial Access: Compromise of the hotel operator's administrative credentials, likely via **Infostealer malware (Vidar)** targeting the operator's workstation/email.
- Persistence: Maintaining control over the hotel's Booking.com partner account.
- Privilege Escalation: Not explicitly described, but gaining admin access to the hotel's channel is the objective.
- Defense Evasion: Utilizing the trusted, in-app messaging channel of Booking.com to bypass traditional email security filters.
- Credential Access: **Vidar Infostealer** used to steal credentials from compromised endpoints.
- Discovery: Not applicable to the initial access phase (attackers leverage existing credentials).
- Lateral Movement: Minimal internal movement described; focus is on leveraging the compromised external B2B/B2C channel.
- Collection: Harvesting of victim credit card details directly via a convincing phishing form embedded in the message.
- Exfiltration: Transmission of stolen credit card details over the network to the attacker-controlled phishing server/IP.
- Impact: Direct financial fraud against customers.
## Impact Assessment
- Financial: Direct financial loss to customers due to unauthorized credit card purchases occurring "within mere minutes."
- Data Breach: Credit card numbers, expiration dates, and potentially cardholder names from targeted Booking.com users.
- Operational: Disruption of customer trust in the Booking.com platform's communication integrity.
- Reputational: Potential damage to Booking.com's reputation if the issue is not effectively addressed.
## Indicators of Compromise
- Network Indicators (Defanged):
  - IP Address: `91.215.40.30` (Hosting multiple known Booking.com phishing domains).
  - Domains resolving to the above IP (Examples include `booking.id24144379.date`). (Note: Specific domain names are highly dynamic and are being used as structural examples.)
- File Indicators: Mention of **Vidar Infostealer** malware being used upstream to acquire credentials.
- Behavioral Indicators: Messages sent via official Booking.com channels demanding immediate credit card updates or confirmations outside of standard Booking.com flows.
## Response Actions
*(Note: The provided text is from a researcher's perspective; organizational response is inferred or generalized.)*
- Containment: Immediate identification and reporting of malicious phishing URLs/IPs to VirusTotal and security vendors.
- Eradication: (Assumed) Cleaning of compromised hotel administrative endpoints, password resets for the compromised Booking.com accounts.
- Recovery: (Assumed) Customer notification and financial transaction monitoring/dispute processes initiated by affected customers.
## Lessons Learned
- The high success rate of this scam demonstrates that relying solely on in-app messaging channels does not guarantee authenticity for the end-user.
- Poor security hygiene (lack of endpoint protection leading to Infostealer infection) at third-party vendors (hotels) creates a significant supply chain risk for the primary platform (Booking.com).
- Attackers are actively targeting the B2B partner layer to facilitate B2C fraud.
## Recommendations
- Booking.com and similar platforms must implement stronger multifactor authentication (MFA) requirements for all partner/admin accounts, especially in low-security environments utilizing shared devices.
- Platforms should strictly control or monitor links shared within in-app communications originating from partner accounts, especially if they request sensitive financial data.
- Hospitality partners must enforce superior endpoint security to prevent Infostealer malware infection which serves as the root cause for account compromise.
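The behavioral indicator above (partner messages that demand card details outside the normal flow) and the recommendation to monitor links shared from partner accounts can be combined into a simple triage rule a platform could run on outbound partner-to-guest messages. The Python below is an added example, not code from the original report or from Booking.com; the message texts are constructed, the `booking.id24144379.date` host is the one the report cites, and the second lookalike host, the trusted-domain set and the keyword lists are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample partner->guest messages (not from the original report).
# The host in the second message is the one the report cites; the host in the
# third is a hypothetical lookalike invented for this example.
SAMPLE_MESSAGES = [
    "Thanks for booking! Check-in starts at 15:00. See you soon.",
    "Your reservation will be cancelled unless you confirm your card within "
    "24 hours: https://booking.id24144379.date/confirm",
    "Payment verification required: http://secure-booking-com.example/verify",
    "Our pool is closed on Monday, see https://www.booking.com/help for details.",
]

# Registrable domains the platform legitimately uses. Assumption: a real
# deployment would load this from the platform's own asset inventory.
TRUSTED_DOMAINS = {"booking.com"}

# Brand terms that should not appear in a hostname outside TRUSTED_DOMAINS.
BRAND_TERMS = ("booking",)

# Wording typical of payment-pressure lures (constructed list for this example).
PAYMENT_TERMS = (
    "confirm your card", "credit card", "payment verification",
    "verify your payment", "update your payment",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: production code should use the Public Suffix List so that
    hosts under multi-label suffixes (e.g. co.uk) are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> list:
    """Return the reasons a URL looks like brand abuse (empty list if none)."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return []
    return [f"brand term '{t}' in untrusted host {host}" for t in BRAND_TERMS if t in host]


def analyse_message(text: str) -> dict:
    """Score one partner->guest message for phishing indicators.

    Returns the URLs found, the reasons each flagged URL was flagged, whether
    the text pressures the guest for payment details, and a verdict:
    'block' for brand-lookalike links or payment lures pointing off-platform,
    'review' for either signal alone, 'allow' otherwise.
    """
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    lowered = text.lower()
    payment_lure = any(term in lowered for term in PAYMENT_TERMS)
    flagged, untrusted = {}, []
    for u in urls:
        host = urlparse(u).hostname or ""
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            untrusted.append(u)
        reasons = classify_url(u)
        if reasons:
            flagged[u] = reasons
    if flagged or (payment_lure and untrusted):
        verdict = "block"
    elif payment_lure or untrusted:
        verdict = "review"
    else:
        verdict = "allow"
    return {"urls": urls, "flagged": flagged, "payment_lure": payment_lure, "verdict": verdict}


def triage(messages) -> list:
    """Run analyse_message over a batch of messages, preserving order."""
    return [analyse_message(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(result["verdict"].upper(), "-", msg[:60])
        for url, reasons in result["flagged"].items():
            print("    ", url, "->", "; ".join(reasons))
```

The rule deliberately treats any off-platform link in a message that also asks for card details as a block rather than a review, because that pairing is exactly the pattern the r/travel victim described; a message with only one of the two signals is sent to a human queue instead, which keeps false positives on legitimate hotel links manageable.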