News

GOT PRIVACY? — Mysterious leak of Booking.com reservation data is being used to scam customers Somehow, scammers keep accessing customer reservation details, other private data.

Dan Goodin – Feb 8, 2023 1:20 pm UTC EnlargeGetty Images reader comments 9 with 0 posters participating Share this story Share on Facebook Share on Twitter Share on Reddit

For almost five years, Booking.com customers have been on the receiving end of a continuous series of scams that clearly demonstrate that criminals have obtained travel plans and other personal information customers provided to the travel site.

One of the more recent shakedowns happened to an Ars Reader who asked not to be identified by his real name. A few months ago, Thomas, as Ill call him, reserved and paid for a two-night stay scheduled for this July in a hotel in Italy. Heres the legitimate reservation: Enlarge / The real reservation from Booking.com.

Last week, out of the blue, he received two emails. The headers show that the first message came from the genuine Booking.com domain. It purported to have been sent on behalf of the hotel in Italy and asked that he click a non-existent confirm button for his upcoming stay. It went on to inform him that the hotel would also transfer all bookings made from that address to your account. As phishy as that sounds, the email included his full name, the confirmation number of his reservation, the correct name of the hotel, and the dates of the stay. Enlarge / First page of the email. Enlarge / The second page.

A second email purported to also have been sent by Booking.com on behalf of the hotel, but headers show that it was in fact sent by an address from yandex.net. The email included the previously mentioned confirmation button that led to a URL that was generated by the Russian shortening service nah.uy. Advertisement Enlarge / The scammer email containing the continue button.

Clicking on the confirm button led Thomas to an almost perfect replica of the real Booking.com webpage. It, too, showed his name, the dates and hotel of his stay, and the exact fare he was charged and went on to direct him to enter his payment card. Enlarge / The fake Booking.com payment page.

Thomas then received a WhatsApp message sent to the number Booking.com had on file for him. It posed as a message from the hotel he had booked with and asked if he needed parking during his stay. Enlarge

Thomas didnt share any of his travel details online. That means the personal information in these scammer-sent emails came either directly or indirectly from Booking.com. It remains unclear precisely how the scammers obtained it.

At this point, its easy to chalk up the mystery to some sort of isolated slip up. Web searches, however, show that scams with almost all the same elements have been going on repeatedly for at least five years. In this thread from 2018, a Reddit user reported receiving an email informing them that the reservation they made with Booking.com was on hold because the credit card they used during the booking couldnt be processed. Enlarge / A scam email a Booking.com user received in 2018. Page: 1 2 Next → reader comments 9 with 0 posters participating Share this story Share on Facebook Share on Twitter Share on Reddit Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Find him on Mastodon at: https://infosec.exchange/@dangoodin Email dan.goodin@arstechnica.com Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars

Articles You May Like

Flight crew member accidentally deploys emergency slide at huge cost
Corporate America lines up to support Trump inuauguration
Company behind Trumps favorite drink goes above and beyond for the inauguration
Consumer watchdog sues major US bank claiming it cheated customers
Harmful dye now banned in US after being put in American food for 118 years