I haven't seen what the website(s) the scammers sent the users to looks like, but this is the kind of thing I could even see myself falling for, specifically because its a level of jank that would not be surprising from the industry.
That's a standard from industry that you will still get from most traditional hotels, unless you book them at a no cancelation discount rate through booking.com.
I prefer hotels, and dislike how booking mixes in airbnb type places. I've been using google maps to find hotels and then just book directly with them.
Go to the hotels website directly. Booking.com is terrible. They don’t even mediate any payments and simply pass all your CC details to the room provider. For a chain hotel, not great, but for some random B&B provider in another country - you might as well just hand your CC to scammers.
Book online directly. The hotels hate OTAs (Online Travel Agents). You can typically find better terms direct on the hotel website (e.g. breakfast included or more flexible cancellation).
If you are in a financial position where you need to watch every penny, then take the extra time and effort to book by phone or email, because in some jurisdictions the hotels have rate-parity clause which means the hotels can't advertise a lower rate on their website than you can find on the OTA website. This probably mostly applies in North America, this sort of thing is likely illegal (or verging on ) in Europe so you're unlikely to get a better deal than a European hotel offers on its website already.
If you like the big US chain hotels (Hilton, Marriott etc.) and you travel reasonably frequently then pony up for an AMEX premium-tier card which gets you access to AMEX rates, and also some perks (e.g. premium WiFi for free, late-checkout etc.).
Well, standing right in front of them, they have you over a barrel. What, are you going to call an Uber and go to another hotel in the hope that they have rooms?
They may be able to get a refund from their bank, but this may depend on their bank's policy and how negligent the customer was.
They will have gone through security on their bank's app or website, which will have warned them about common scams like this and told them to check that what they are doing is legitimate.
I am assuming this is an "Approved Push Payment" scam where people are transferring money from their bank account directly to the fraudster, rather than by using a credit or debit card. If the payments were by card then a chargeback should be easy to file.
Booking.com says the hotel is at fault for having their credentials leaked; the hotel says booking.com failed to protect their account, the bank says the user was phished so it’s not their fault.
IMO if booking.com offers a messaging service which lends far more authority than “just a random person SMSing you” then they’re on the hook for this.
The whole company is basically fraud so is anyone surprised?
The use dark patterns all over their website to their customers and pressure hotels in accepting lower rates or be defacto blacklisted. Another middleman we don't need nor want.
My mother (against my strong advice) booked something on booking.com for ~$6.5K and then couldn't find any evidence of in their "My Trips" interface. I advised her to call the credit card and file fraud. Instead, the customer support agent of the credit card gave her some 1-800 number for booking.com customer support (Booking.com doesn't offer 1-800 number) and when she called it, someone with strong Indian accent wound up resetting her google account and tried to take over her Gmail. Fortunately I made sure she was 2FAd there, so between her calling me panicking because her mail was blocked and us recovering it only took ~20 minutes.
The credit card company refunded her money, and the hotel she was trying to use gave her a great deal and she's out there right now skiing. So all is well. But never more booking.com for her I am pretty sure.
Booking.com's common user scenario is budget ~50-200$/night hotels and apartments for 1-2 weeks where the support and reviews really help, anyone spending this kind of money on trips can of course get better deals without the ~15% platform tax.
Booking also has one feature that I've not seen replicated elsewhere: you can search for rooms that include bathtubs (not just showers). This is often a challenging thing to find in Europe. My wife has long enough hair that she can't really wash it more than once a week; it would dry out too badly, not to mention the time commitment to dry it all.
These media reports are REALLY misleading, and I would be fuming if I worked at Booking.com at how much damage these media reports have done to the brand.
> The company, which is one of the biggest hotel and holiday websites in the world, has not itself been hacked.
>
> Instead, criminals have tricked their way into the administration portals of individual hotels that use the service.
>
> This enables them to send messages and fool customers into paying them instead of the hotel.
Previous headlines from the BBC have been even worse:
- Booking.com users angry at firm's response to hacks
- Booking.com hackers increase attacks on customers
How is this not libel?
Genuinely: What do people here think that are Booking.com supposed to be doing about this? Any sophisticated phishing group aren't going to be making rookie errors like hotlinking images when they set-up a phishing siter impersonating Booking.com. They're already doing DKIM signing, DMARC and SPF.
It's unclear to me if the phishing groups are sending emails out directly using the stolen personal details, or using some sort of in-app messaging functionality. If it's the latter I don't think booking.com even supports linking URLs in messages sent out via this mechanism.
> Booking.com hackers increase attacks on customers
Any reasonable person would read this headline and assume Booking.com's platform had been hacked.
> Criminals then send a Google Drive link to the staff saying that it contains an image of the passport. Instead the link downloads malware on to staff computers and automatically searches the hotel computers for Booking.com access.
> Genuinely: What do people here think that are Booking.com supposed to be doing about this?
Not having a messaging system that lends authority to messages if they aren't able to secure it (including assuring that partners with access secure their ends) adequately for the appearance of authority that is created.
The messaging system is full of disclaimers ("The content of the message from Malmaison was not generated by Booking.com") and, looking at a message I've received, it doesn't even support links. Anyone getting phished would have to manually type in a URL in their address bar if this was the vector used.
They post bank account details for the customer to send a payment to.
Manually typing a link may not seem suspicious to many customers anyway.
Edit: Looks like the scam may involve credit/debit cards and links. The messages may be sent to customers via email, and the links are clickable that way. Not sure if that's an email client thing or if Booking.com makes them clickable in HTML.
> They post bank account details for the customer to send a payment to.
This is even less credible to me than a phishing site set-up to take card details. As soon as you try to make a payment to a scammer's bank account, confirmation of payee will fail because the bank details won't match the hotel's. It should also raise alarm bells because it's a completely out-of-character thing to be asked to do prior to a stay with a hotel.
PSD3 covers international IBAN verification and will, thanks to regulation, ensure that this works cross-border. I think the technical aspects are fairly similar to CoP as we have it in the UK. Even in its absence though, the international payment flow puts enough friction into the process it would probably ring some alarm bells for a potential victim.
I have received one of these scam messages in the app - they do indeed contain clickable links which go to a replica of the real website, where customers are asked to input credit card details to "confirm their booking". In my case the message promised "your card will not be charged at this time".
I must say it's a clever approach; generally poor English in messages is a red flag for scams, but you tend to forgive that when you know it's coming from a hotel in another country.
>After exchanging messages with who she thought was the hotel in Cairo via the Booking.com app, she was sent a payment request. It had in fact come from scammers.
"I clicked on it not suspecting it was a scam, given it was in the same ongoing chat in the app," she told the BBC.
Are you sure? This makes it sound like whatever account hackers gained control of was able to send messages directly to the app. If they log into a booking.com portal to do that, and booking.com hasn't set up multifactor authentication, they aren't blameless.
Hacks or not, Booking site answer to your issues is "whatever". I got an apartment once turning out to be infested with roaches, and when I complained to the owner they kicked me out and marked me "no show" in Booking. Thus I was unable to ask for refunds, or even to leave a review. Booking answered my calls quickly but did absolutely nothing about them, positive or negative, the different operators just listened and oohed and "we will come back to you". My bank was understanding enough to refund my payment (all discussions and apartment pictures were documented) but honestly I have no idea whether they just swallowed the CC risk or blocked the payment.
39 comments
[ 3.5 ms ] story [ 109 ms ] threadWhat alternatives are people using?
That said I've stayed in some really downtrodden "hotels" I'd booked on booking.com that looked OK in photos but were not up to scratch in reality.
Book online directly. The hotels hate OTAs (Online Travel Agents). You can typically find better terms direct on the hotel website (e.g. breakfast included or more flexible cancellation).
If you are in a financial position where you need to watch every penny, then take the extra time and effort to book by phone or email, because in some jurisdictions the hotels have rate-parity clause which means the hotels can't advertise a lower rate on their website than you can find on the OTA website. This probably mostly applies in North America, this sort of thing is likely illegal (or verging on ) in Europe so you're unlikely to get a better deal than a European hotel offers on its website already.
If you like the big US chain hotels (Hilton, Marriott etc.) and you travel reasonably frequently then pony up for an AMEX premium-tier card which gets you access to AMEX rates, and also some perks (e.g. premium WiFi for free, late-checkout etc.).
They will have gone through security on their bank's app or website, which will have warned them about common scams like this and told them to check that what they are doing is legitimate.
https://www.psr.org.uk/our-work/app-scams/
I am assuming this is an "Approved Push Payment" scam where people are transferring money from their bank account directly to the fraudster, rather than by using a credit or debit card. If the payments were by card then a chargeback should be easy to file.
Booking.com says the hotel is at fault for having their credentials leaked; the hotel says booking.com failed to protect their account, the bank says the user was phished so it’s not their fault.
IMO if booking.com offers a messaging service which lends far more authority than “just a random person SMSing you” then they’re on the hook for this.
The use dark patterns all over their website to their customers and pressure hotels in accepting lower rates or be defacto blacklisted. Another middleman we don't need nor want.
> The company, which is one of the biggest hotel and holiday websites in the world, has not itself been hacked.
>
> Instead, criminals have tricked their way into the administration portals of individual hotels that use the service.
>
> This enables them to send messages and fool customers into paying them instead of the hotel.
Previous headlines from the BBC have been even worse:
- Booking.com users angry at firm's response to hacks
- Booking.com hackers increase attacks on customers
How is this not libel?
Genuinely: What do people here think that are Booking.com supposed to be doing about this? Any sophisticated phishing group aren't going to be making rookie errors like hotlinking images when they set-up a phishing siter impersonating Booking.com. They're already doing DKIM signing, DMARC and SPF.
It's unclear to me if the phishing groups are sending emails out directly using the stolen personal details, or using some sort of in-app messaging functionality. If it's the latter I don't think booking.com even supports linking URLs in messages sent out via this mechanism.
Nothing in the report or what you have quoted is misleading.
Any reasonable person would read this headline and assume Booking.com's platform had been hacked.
> Criminals then send a Google Drive link to the staff saying that it contains an image of the passport. Instead the link downloads malware on to staff computers and automatically searches the hotel computers for Booking.com access.
How would 2FA stop this?
https://www.theguardian.com/money/2023/oct/23/bookingcom-cus...
Not having a messaging system that lends authority to messages if they aren't able to secure it (including assuring that partners with access secure their ends) adequately for the appearance of authority that is created.
They post bank account details for the customer to send a payment to.
Manually typing a link may not seem suspicious to many customers anyway.
Edit: Looks like the scam may involve credit/debit cards and links. The messages may be sent to customers via email, and the links are clickable that way. Not sure if that's an email client thing or if Booking.com makes them clickable in HTML.
This is even less credible to me than a phishing site set-up to take card details. As soon as you try to make a payment to a scammer's bank account, confirmation of payee will fail because the bank details won't match the hotel's. It should also raise alarm bells because it's a completely out-of-character thing to be asked to do prior to a stay with a hotel.
I must say it's a clever approach; generally poor English in messages is a red flag for scams, but you tend to forgive that when you know it's coming from a hotel in another country.
Not pretending it's not their problem, as a start
Because it absolutely is
Then, work with hotels so that communications from them are authenticated in some way
Are you sure? This makes it sound like whatever account hackers gained control of was able to send messages directly to the app. If they log into a booking.com portal to do that, and booking.com hasn't set up multifactor authentication, they aren't blameless.