Un-Booking a Scam

g0njxa
10 min read · Oct 12, 2023

Read about the latest malware campaigns involving hotels at Booking.com and how this can be linked to scams all around the world.

Booking.com is an online travel agency used by millions of users all around the world (including threat actors!).

A. Distribution of malware to hotels

In the past few weeks we have seen a rise in phishing emails targeting Booking property owners and delivering malware (infostealers) to them via fake inquiries.
Security researcher @JAMESWT_MHT has shared some of these examples, with Italian hotels as the target victims:

JAMESWT on X: “#booking #spam email spread #stealer #arkei #vidar Url pw 123456 https://mega].nz/file/YiFWTR4R#pFTR3UVIbt74svnyGET17xMP2jIEXr072icms7sAvdM Run https://t.co/5nIV2lEAHW C2 94.228.162.]50 https://t.co/lhdfKQsg7m" / X (twitter.com)

JAMESWT on X: “And we got another #BOOKING #RedLineStealer reply 😅😂🤣 and @JAMESWT_MHT answer as usual in “God Mode”👺 Samples Collection https://t.co/AZWGbdpgjr Urls https://t.co/FoDUfKTHuK ❇️This saga is getting really fun🤪 https://t.co/Q6gbuRmBuj" / X (twitter.com)

You can see all the shared examples for further reference:
https://twitter.com/search?q=from%3A%40JAMESWT_MHT%20booking

Related:

www.difesaesicurezza.com/en/cyber-en/cybercrime-lumma-stealer-campaign-via-fake-hotel-reservation/

Not only Italian hotels: Andorran hotels also suffered from a similar Booking campaign, via alpine-security:

www.anc.ad/hijackloader-els-hotels-dandorra-esdevenen-els-objectius-datac-una-analisi-tecnica/

As seen, the main objective of these campaigns is to steal credentials from hotel owners. There is an unexpected demand for valid admin.booking.com credentials, and the only way to get them is to steal them from the hotel owners.

Forum announcements

I can’t say when this guy started working on this request for malware logs; the first reference to his work is September 2nd, 2023. Since that date, screenshots totalling $7,124.42 have been shared as proof of payment in the thread, the last post being made on October 7th.

More forum threads appeared recently requesting booking logs:

Translated from Russian

Also spammed at Telegram groups,

Telegram announcements

Due to the size of the Booking website, its name has been used in previous malware campaigns via fake invoices sent by email, as seen last year. I don’t believe the past campaigns have any relation to the current ones. Reference:

Detectan una nueva estafa en la que se hacen pasar por Booking para instalar malware (lavanguardia.com)

“Nueva reserva de última hora” Correo suplantando a Booking usado para propagar malware — Protegerse. Blog del laboratorio de Ontinet.com

So let’s start asking questions. How do they approach a hotel administrator to deliver malware? Let’s just look at their methods! Somewhat in Russian.
(I will not disclose the entire document)
Translation to English (March 2023)

Step 1. Registering a Guest account

In the example, the personal information of a Colombian individual is used to register the account; they also share payment information belonging to a Dutch woman. This information is mandatory in order to create an account that can book hotels all around the world.

The next step is to find a hotel that can be booked with free cancellation up to a few days before the booking date and that doesn’t require payment until the arrival day. It may seem odd, but it is quite common on the Booking website.

This Spanish hotel doesn’t meet the needs
This hotel can be used into the scam — This is a German hotel

Then, the threat actors just need to contact the hotel after the fraudulent booking has been made. The booking is done, but no payment has been received by the hotel owner. At this point, guests with a reservation can contact hotel owners via email.

Approaching the hotel owners
Final message with a malicious link containing a Redline sample

Detonation: Analysis https://bit.ly/Google-Maps_Jacob-Martin-Photo Malicious activity — Interactive analysis ANY.RUN

C2 >>> 185.106.92.140:44756 (Now Dead)

I believe this exact message has been used in some real campaign, although this can’t be confirmed. Do you see the similarities with the real Booking campaigns exposed above?

Caution

They say the success ratio is 10 phished owners for every 100 attempts. Let’s take this as a true statement.
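From a defender’s point of view, the pattern described above (a legitimate-looking reservation, then a guest message pushing a link to a URL shortener or a file-hosting site, sometimes with the archive password written in the same message, as in the samples quoted earlier) is something a hotel’s front desk or mail gateway can screen for. The following is an added example, not code from this post or from Booking: a small triage function for inbound guest messages. The host lists, keyword patterns and sample messages are constructed assumptions, not an exhaustive blocklist.

```python
"""Triage of inbound guest messages for the lure pattern described in the post.

Added example; all indicator lists and sample messages below are constructed
assumptions, not data from the original post.
"""
import re
from urllib.parse import urlparse

# Hosts that hide the real destination (shorteners) or deliver an archive
# instead of plain text (file hosts). Constructed starting point, extend as needed.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}
FILE_HOSTS = {"mega.nz", "dropbox.com", "drive.google.com", "wetransfer.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# "pw 123456", "password: x" next to a link is the password-protected-archive tell.
PASSWORD_HINT = re.compile(r"\b(?:pw|pass(?:word)?)\b\s*[:=]?\s*\S+", re.I)
# Pretexts seen in the cited campaigns: allergies, medical reports, photos, documents.
LURE_RE = re.compile(r"\b(?:allerg\w*|medical|photo\w*|document\w*|invoice)\b", re.I)

# Constructed sample messages (not real guest traffic).
SAMPLES = {
    "benign": "Hello, we arrive on Friday around 18:00, is late check-in possible?",
    "allergy": ("Hi, my son has a severe allergy, please see his medical report "
                "here: https://bit.ly/example-photo"),
    "archive": ("Photos of our booking documents: https://mega.nz/file/EXAMPLE, "
                "pw 123456"),
    "invoice": "Here is our company website https://example.com for the invoice address",
}


def _normalise_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def triage_message(text):
    """Return (verdict, findings) for one inbound guest message.

    verdict is "ok" (no indicators), "review" (one indicator) or
    "block-and-verify" (two or more: confirm with the guest out-of-band,
    never by opening the link).
    """
    findings = []
    links = URL_RE.findall(text)
    for url in links:
        host = _normalise_host(url)
        if host in SHORTENERS:
            findings.append(f"shortened link hides destination: {host}")
        elif any(host == h or host.endswith("." + h) for h in FILE_HOSTS):
            findings.append(f"file-hosting link instead of inline text: {host}")
    # Pretexts and passwords only matter when there is a link to act on.
    if links and PASSWORD_HINT.search(text):
        findings.append("archive password supplied alongside a link")
    if links and LURE_RE.search(text):
        findings.append("document/medical pretext used to justify opening a link")

    if len(findings) >= 2:
        verdict = "block-and-verify"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return verdict, findings


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict, findings = triage_message(msg)
        print(f"{name:8} -> {verdict}: {findings}")
```

The scoring is deliberately conservative: a single link to an unknown site is only flagged for review, while a link combined with a pretext or an archive password is treated as the campaign pattern and escalated. The right response to an escalation is to confirm the request through the reservation itself or by phone, without opening the link.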

B. Using stolen accounts

Let’s move on. What do they do with the booking administrator’s stolen credentials?

When a threat actor breaches a hotel account on Booking, can they withdraw the remaining credit balance on the account? If so, this would be the first move, and it is where account vendors get their fee profits from. Also, new payments received since the infection date will be redirected to threat actor wallets.

Of course, a real hotel administrator would have other credentials of interest to threat actors, but I focus on Booking.

Then, what to do with an empty account, but still verified?
Introducing “Scam 1.0" (That’s how they named it)
“Bypass anti-fraud on Booking” method

To summarize (Translation from Russian) :

That’s it: setting up fake booking properties and redirecting clients to fake payment walls. This is where the carding appears, stealing customer payment information via phishing sites.

Mammoth is Russian slang for a phishing/scamming victim

This behavior has recently been reported affecting Singapore citizens:

Hotel booking scam claims at least 30 victims since Sept, with losses totalling $41,000 | The Straits Times

Related:

Blog elhacker.NET: Oleada de estafas de hoteles a través de Booking

There’s a recommendation to work with Italian and French hotels.

Given these statements, there would be fraudulent hotels operating on Booking.

As said before, we have totally moved out of the malware ecosystem; at this point, carding groups are responsible for everything done, and the main objective is to commit financial fraud.

C. Individuals behind scams — workers

Somehow, people who commit crimes always like to post publicly about their activities. If they can search for it, why shouldn’t I?

1. Malware threat actors

Let’s start talking about the people delivering malware to hotels.

A bunch of individuals behind the moniker “rachid” have kindly shared a list of their malware logs from July 26, 2023 to October 2, 2023.
(If you are involved enough in infosec you must know what this is; nothing is going to be explicitly disclosed, as it can be considered sensitive.)

Victim screenshot | June 16th — Turkish hotel (reservations: 12 | total amount: 787.72 €)

Allergies? We’ve seen that!

JAMESWT on X: “#StealC #stealer from #fake #booking #allergy #spam email 💼Samples https://t.co/Ur0H51gyUr 🏃‍♂️Run https://t.co/nETxV6cxz5 🛡️Url https://t.co/JKa0DV2Fs2 💥C2 45.9.74.]92/7a03fb9d4773da33.php https://t.co/U2iLTTnMNR" / X (twitter.com)

Rachid is using META stealer (NOT REDLINE); he shared the first test check, run on his own machine.

RACHID host — You can see his META panel

VPS 116.203.68.128 — AS24940 hetzner online gmbh
RDP open: DESKTOP-TJJ4KTA

Of a total of 2953 hosts in the list, 553 were unique IPs.

Further information: IP Summarization Results of 553 IPs — IPinfo.io

Please note that several hosts were infected repeatedly, either by executing the stealer more than once in a short period of time or via a scheduled task every 24 hours until the infection is detected. As an example, this happened to a host in the Balearic Islands (Spain), infected on 15.09.2023 19:00:28 and sharing a daily log until 25.09.2023 09:41:43 (last infection).

Rachid shared his admin.booking.com checks between July 26, 2023, and October 2, 2023: 86 days, with the major activity happening since September 12, 2023.

Of these 553 hosts, a total of 266 allegedly contain admin.booking.com cookies or passwords. Only 133 of them are unique, from different IP ranges, meaning that different computers from the same hotel have been infected by the same stealer.
The others had only booking.com information, or neither.

Further Information — IP Summarization Results of 266 IPs — IPinfo.io

So let’s make statistics: 2953 total logs, of which 18.73% are unique IPs, and only 4.50% are from unique hotel owners. If we apply the “100 emails sent for 10 logs received” rule exposed before, that would mean up to 1–2 thousand emails were sent in a period of 68 days (15–30 emails per day).
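The numbers above come from three steps: deduplicating the log list per IP, collapsing IPs that belong to the same hotel network, and spotting hosts that re-infect on a daily cadence. The following is an added example of that triage, not the author’s script or data: it runs over a handful of constructed log records (timestamp, victim IP, Booking domains found among the harvested cookies/passwords) in the same timestamp format the post quotes. Treating a /24 network as “the same IP range” is an assumption made here; the 10% success ratio is the one quoted in the post.

```python
"""Stealer-log triage over constructed records (added example, not the post's data).

Each record mimics one entry of an infostealer log list: infection timestamp,
the victim's public IP and which Booking domains appeared in the loot.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

TS_FORMAT = "%d.%m.%Y %H:%M:%S"  # same layout as the timestamps quoted in the post

# Constructed sample (documentation IP ranges): one hotel host infected daily by a
# scheduled task, a second machine in the same /24 (same hotel), one host with
# only booking.com data, and one machine that ran the stealer twice in a row.
SAMPLE_LOGS = [
    ("15.09.2023 19:00:28", "203.0.113.10", ["admin.booking.com"]),
    ("16.09.2023 19:05:00", "203.0.113.10", ["admin.booking.com"]),
    ("17.09.2023 18:58:10", "203.0.113.10", ["admin.booking.com"]),
    ("16.09.2023 11:00:00", "203.0.113.25", ["admin.booking.com", "booking.com"]),
    ("18.07.2023 10:15:07", "198.51.100.7", ["booking.com"]),
    ("02.10.2023 08:00:00", "192.0.2.44", []),
    ("02.10.2023 08:00:05", "192.0.2.44", []),
]


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def _group_by_ip(logs):
    by_ip = defaultdict(list)
    for ts, ip, _domains in logs:
        by_ip[ip].append(parse_ts(ts))
    return by_ip


def summarize(logs):
    """Deduplicate the way the post does: per IP, then per IP range (/24 here)."""
    by_ip = _group_by_ip(logs)
    admin_ips = {ip for _ts, ip, domains in logs if "admin.booking.com" in domains}
    # Assumption: hosts sharing a /24 are treated as one hotel network.
    admin_ranges = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in admin_ips}
    return {
        "total_logs": len(logs),
        "unique_ips": len(by_ip),
        "admin_hosts": len(admin_ips),
        "admin_ranges": len(admin_ranges),
        "repeated_hosts": sorted(ip for ip, stamps in by_ip.items() if len(stamps) > 1),
    }


def daily_reinfections(logs, tolerance=timedelta(hours=4)):
    """Hosts whose infections recur roughly every 24h (scheduled-task re-runs).

    Returns {ip: (first_seen, last_seen, count)}; hosts that merely ran the
    stealer twice within minutes are not reported here.
    """
    day = timedelta(hours=24)
    flagged = {}
    for ip, stamps in _group_by_ip(logs).items():
        stamps = sorted(stamps)
        if len(stamps) < 2:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if all(abs(gap - day) <= tolerance for gap in gaps):
            flagged[ip] = (stamps[0], stamps[-1], len(stamps))
    return flagged


def estimate_emails_sent(unique_hotels, days, success_ratio=0.10):
    """Apply the '10 phished owners per 100 emails' ratio quoted in the post.

    Returns (estimated emails, estimated emails per day).
    """
    emails = unique_hotels / success_ratio
    return round(emails), round(emails / days, 1)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
    print(daily_reinfections(SAMPLE_LOGS))
    # The post's own figures: 133 unique hotel ranges over 68 days.
    print(estimate_emails_sent(133, 68))
```

Run on the post’s figures, estimate_emails_sent(133, 68) gives about 1,330 emails, roughly 20 per day, which is the lower end of the 1–2 thousand / 15–30 per day range stated above. The daily-cadence check is the part worth keeping in a real pipeline: a host that keeps producing logs on a 24-hour rhythm is still running the stealer and has not been cleaned.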

This effort would mean someone is getting paid very well.

The only hotel name disclosed in rachid’s activity is the French Hôtel Observatoire Luxembourg | Paris Quartier Latin | Site officiel (observatoirehotel.com), infected on 18.07.2023 10:15:07.

From a different source, I was able to find a report about 3 hotels back in May:

Real companies — Two Indonesian and one Mexican hotels

At this point I have serious doubts about these messages: either these are logs submitted about these hotels, or someone has used these hotels to phish people into a fraudulent site. Both options mean a compromised hotel.

2. Scam threat actors

Please note that malware operators and scammers are related: the same users behind rachid are behind other monikers in carding & scamming groups.

Understanding the whole carding/scamming environment would be a vast job that will never be completed. Also, financial fraud is an activity that I strongly condemn and that makes me sick, so going through every group/site would be just impossible. I will focus on the first ones that appeared in my searches.

There are specialized scamming communities that have been very active for many months, and it is very exhausting to go through every movement disclosed by these groups. Like malware operators, they like to share things; in this case, payments received by each of their workers.

Let’s expose some of these groups’ activities.

Under the moniker “Butterfly”, a scam community has been set up. Specialized in “Booking 1.0” scams, a total of 14,319.64€ has allegedly been collected in 49 fraudulent scams (~$310 per scam). Examples:

Other big scamming groups (no name is going to be disclosed) rely on Booking scams as a source of income.

From this one, a total of 99,312€ has allegedly been earned ONLY in the month of September (09.01 – 09.30). Examples:

A total of 1,657 scam operations involving Booking have been carried out by this group since 11/11/2022, the most recent at the time of writing on October 11th 2023.

Some others directly posting fraudulent wire transfer screenshots:

There are several individuals working in groups like the ones exposed above, making several thousand in cash from scams.

D. Other ways of scamming

While doing this research, I noticed these scamming groups have other ways to make profits. Booking is just one of them, and nowadays the most profitable.
Introducing (very briefly) the Scam 2.0

Translated from Russian

A user asking for phone numbers in order to start scamming on Vinted:

Sites that are actively being exploited by scammers are:
Vinted, Wallapop, Milanuncios, Subito, Olx, Ebay, Leboncoin, Dpd, Carousell, Quoka, Kuldnebors, Etsy, Depop, Willhaben among others.

Threat actors just like to show off, as usual.

Some individuals meeting somewhere at Belarus (Svayak vodka + J.Hardy grapefruit) | Cashing out Ukrainian hryvnias

E. Prevention

As a guest, never trust deals off the platform and double-check the payment methods offered to you. When in doubt, do not proceed to send any information about yourself. Report suspicious behavior.

As a Booking partner, please follow Booking’s guidelines; your account is a very sensitive asset and can be used to harm both yourself and other people:

Online security awareness: phishing | Booking.com for Partners

Online security awareness (malware) for accommodation partners | Booking.com for Partners

Online security awareness: social engineering | Booking.com for Partners

PS:

You can always contact me if you think something not disclosed here would be interesting for your investigations. Everything on the blog is public information and searchable by everyone.

Have a nice day,

@g0njxa
