The attack boils down to sending phishing emails that contain a url that looks like a legitimate booking.com url but is actually this url. Note the unicode characters that can make it seem like a booking.com url:
Edit: HN presents the unicode characters in the domain in a way that makes it clear they're not slashes (well done HN!) so you'll need to look at the url when you hover over it.
1 comment
[ 0.15 ms ] story [ 14.9 ms ] threadhttps://account.booking.xn--comdetailrestric-access-ge5vga.w...
More info here (the video refers to this page describing the attack): https://www.bleepingcomputer.com/news/security/bookingcom-ph...
Edit: HN presents the unicode characters in the domain in a way that makes it clear they're not slashes (well done HN!) so you'll need to look at the url when you hover over it.