“Hackers are increasing their attacks on Booking.com customers by posting adverts on dark web forums asking for help finding victims,” the BBC reported last week. “Cyber-criminals are offering up to $2,000 (£1,600) for login details of hotels as they continue to target the people who are staying with them.”

The way the typical scam works is that fraudsters gain access to a hotel’s extranet. They install malware, access passwords, and mimic IP addresses as a way to bypass two-factor authorization. The cyber criminals use the hotel partners’ login credentials to enter their Booking.com accounts, and then send urgent messages to customers prodding them to send funds to the scammers or risk losing their reservations, for instance.

Is It a Hack of Booking.com?

Booking.com emphasizes that the hackers aren’t gaining access to Booking.com’s backend systems, but acknowledges that the scammers indeed have broken into hotel partners’ Booking.com accounts. The hackers can then send communications to Booking.com customers/hotel guests, urging them to send money to the fraudsters. “The hackers then message customers from the official app and are able to trick people into paying money to them instead of the hotel,” the BBC reported. “Hackers appear to be making so much money in their attacks that they are now offering to pay thousands to criminals who share access to hotel portals.”

On a The Hidden Wiki, a popular dark web directory, “Booking.com Scam” is the top trending topic. Source: The Hidden Wiki

Booking.com issued this statement about the issue: “While this breach was not on Booking.com, we understand the seriousness for those impacted, which is why our teams work diligently to support our partners in securing their systems as quickly as possible and helping any potentially impacted customers accordingly, including with recovering any lost funds.”

Booking.com — and other online players such as HomeAway/Vrbo years ago — have been the targets of these sorts of cyber crimes for an extended period of time, and Booking.com has been unable to make the problem disappear. The company said it helps customers recoup lost funds, supports its partners in trying to make their systems secure, and has been publishing best practices on how to avoid these scams.