Alert for Travelers: Phishing Scams Targeting Booking.com Users

Phishing scams, a form of social engineering, deceive victims into sharing sensitive data by impersonating trusted organizations. Attackers commonly pose as banks or companies through emails, texts, or calls, urging victims to click on malicious links or attachments. Cybersecurity experts at OSINTMATTER have recently alerted travelers to phishing attacks disguised as Booking.com communications.

Booking.com Themed Phishing Attacks

Fake Page
Fake page (Source – OSINTMATTER)
Cloaked URL (Source – OSINTMATTER)

A sophisticated phishing attack has targeted “Booking[.]com” by compromising hotel managers’ accounts to scam customers. The attackers used a fake domain, extraknet-booking[.]com, which closely mimicked the legitimate extranet-booking.com. JavaScript obfuscation, including Cyrillic text, hinted at potential Russian origins.

The attack employed SEO poisoning to boost the fake site’s search rankings and used advanced techniques such as STUN binding requests and UDP hole punching to maintain access and potentially exfiltrate data. Researchers also identified the involvement of the Ninja Trojan, a complex malware that can evade detection by loading directly into memory.

A key element of the attack was dynamic cloaking, which allowed attackers to display either a fake Booking[.]com portal, the real site, or error pages based on the user’s IP address and browser. The phishing infrastructure included an iFrame linked to hundreds of other malicious pages, serving as a central hub for distributing harmful content. The attack’s goal appeared to be infecting hotel managers’ devices and exploiting Booking[.]com’s chat system to distribute malicious links to customers.

Share this post :