Heads up on a Booking.com Scam

We all know to be on the alert for scams on the internet, but scammers are sophisticated and it only takes a momentary lapse of attention to get tricked. I wanted to share a scam I encountered this week, and the criminally negligent response from a booking platform.

Saturday morning I received a push notification from the Booking.com app, letting me know that I had a message from a property I’d booked for an upcoming trip to Bucharest. The message was stylistically similar to a previous message from the property, and asked me to click a link to confirm my booking. This kind of thing isn’t unheard of with hotels – especially if they have local registration rules they need to comply with. 

When I tapped the link though, a few red flags went up. First, the web domain was “host-res51242.com,” but the page was styled to look like Booking.com. Second, it was asking me to enter credit card information to pay for a booking. It was pretty clearly a scam, but a very well done one! 

It appears that the property’s Booking.com account was compromised, and the hackers then used all the booking details to generate custom links (the page had the correct dates for the reservation) and to send out the messages. Poking into the source code for the site, I found a few clever bits. They make it look like they’re going to do an SMS verification, but the process proceeds even if you enter an invalid number. There’s also some code running in the background to capture credit card details, even if you never click the submit button. If your browser autofills that information, but then you realize it’s a likely scam, it’s too late – they already have your info. The site itself is hidden behind Cloudflare, but the source code comments in Russian leave little doubt about the folks behind the scenes. 

Being a responsible netizen, I wanted to let Booking.com know so they could pull these messages from affected inboxes. I sent a report via their chat submission, but it only promised a 24-hour response. I then gave them a call, and spoke to a very nice man who promised to put in a report. However, more than 24 hours later, the message is still in my inbox, and I’ve had no response from Booking.com. It’s pretty shocking that they don’t have a better system in place to respond to these types of scams. Trust and safety is one of the basic building blocks of having a web platform in 2024, but this $100b travel company doesn’t seem to be that concerned. Shameful!

The best way to protect yourself from this sort of scam is to keep an eye on the domain names of websites you’re visiting – Booking.com would never have content on “host-res51242.com”. I also knew that Booking.com already knew my details, including my credit card info, so it made no sense for them to be asking again.
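The domain check described above, written out as an added example (not code from the original post): it uses the browser's standard URL parser to decide whether a link actually lands on Booking.com, and rejects the scam host along with the usual lookalike constructions. The host "host-res51242.com" is the one from the post; the other sample links are constructed for illustration.

```javascript
// Added example: decide whether a link really points at Booking.com.
// The standard URL parser is used so that tricks in the userinfo,
// subdomain or path cannot make a lookalike host read as the real one.
const TRUSTED_HOSTS = ["booking.com"]; // registrable domains we trust

function parseUrl(raw) {
  try {
    return new URL(raw);
  } catch (_e) {
    return null; // unparsable strings are never trusted
  }
}

// True only when the hostname is exactly a trusted domain or a subdomain
// of one (with a real "." boundary), and the link is served over HTTPS.
function isTrustedBookingLink(raw) {
  const url = parseUrl(raw);
  if (!url || url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop FQDN dot
  return TRUSTED_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Explain why a link was rejected, e.g. for a warning banner or a log line.
function describeLink(raw) {
  const url = parseUrl(raw);
  if (!url) return { trusted: false, host: null, reason: "unparsable URL" };
  if (isTrustedBookingLink(raw)) return { trusted: true, host: url.hostname, reason: "ok" };
  let reason = `host ${url.hostname} is not booking.com`;
  if (url.username) reason += " (text before @ is userinfo, not the host)";
  if (/booking/i.test(url.hostname)) reason += " (lookalike: contains 'booking')";
  if (url.protocol !== "https:") reason += " (not https)";
  return { trusted: false, host: url.hostname, reason };
}

// Constructed sample links: the scam host from the post plus common lookalike shapes.
const SAMPLE_LINKS = [
  "https://secure.booking.com/confirm?res=123",       // genuine subdomain
  "https://host-res51242.com/booking/confirm",        // the scam host
  "https://booking.com@host-res51242.com/confirm",    // userinfo trick
  "https://booking.com.host-res51242.com/confirm",    // brand as subdomain
  "https://booking.com-verify.example/confirm",       // hyphenated lookalike
  "http://booking.com/confirm",                       // right host, not https
];

for (const link of SAMPLE_LINKS) {
  console.log(link, "=>", describeLink(link).reason);
}
```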

Stay safe out there! And Booking.com: do better!
