Hackers have managed to steal the login credentials of an unknown number of hotels advertising on Booking.com. Scammers pose as the hotel and approach customers with an excuse to take money. Booking.com advises customers to be careful with payments and not to share credit card information outside the platform.
The scam trick works as follows. Hotels that are active on Booking.com receive an email from hackers. The email in question contains an attachment infected with malware. Once the rogue file is opened, the malicious software takes control of the hotel's Booking.com account.
Then hackers use the account's messaging system to send spam to guests who have booked a hotel room or other form of lodging. The message states that there is a problem with their credit card. Guests are asked to pay again. If they do not, their reservation is canceled.
Since it appears as though the email comes from the hotel and the reservation details match the actual vacation dates, relatively many vacationers fall for the message. On Reddit, there are dozens of stories of victims warning others about this scam campaign.
It is unknown how many hotels the hackers stole the login information from. Marnie Wilking, head of security at Booking.com, told BNR that "only a small fraction of one percent" of the 28 million accommodations registered on the platform were affected.
Wilking stressed that the attackers only snatched login credentials from hotels on the platform. Booking.com's systems would not have been hacked. Employees of the company, she said, are doing all they can to help affected partners secure their systems.
Vacationers who have fallen victim to this scam can contact Booking.com customer service. Employees will then do everything possible to help them get their money back.
Rik van Duijn, founder of cybersecurity agency Zolder B.V., explains the dilemma companies like Booking.com face in securing their systems. "Every threshold you impose on your customers translates back into less income. So the heaviest means are not always resorted to when combating this type of fraud. For a company like Booking, investing in security also remains a trade-off," he explains.
With this type of fraud, it is often the customer who pays the cost. "How many resources Booking.com want to put into this depends on how much damage Booking.com itself suffers," the security specialist said.
