
Watch Out for These Fake Websites Posing As Booking.com

Scammers are targeting travelers planning their vacations in a new campaign that spoofs popular online travel agency (OTA) Booking.com. The scheme, identified by Malwarebytes Labs, uses malicious CAPTCHA forms to gain remote access to victims’ devices, allowing threat actors to harvest personal and financial information.

How the Booking.com scam works

The campaign begins with links posted on social media and gaming sites, including sponsored ads, that redirect to websites posing as Booking.com—an OTA through which users can search and book flights, hotels, rental cars, and other travel experiences.

When users click the link, they’ll see a fake CAPTCHA pop-up with a checkbox, which gives permission to copy data to the clipboard. The next verification prompt will tell you to execute a Run command on your device with a combination of keystrokes. (FYI: This is never a legitimate CAPTCHA request.)

In the background, the malicious CAPTCHA has copied a PowerShell command to your clipboard. If you follow the instructions, the command will download and execute a series of files that install a backdoor Remote Access Tool (RAT)—identified as Backdoor.AsyncRAT—giving threat actors the ability to remotely monitor and control your machine.

How to spot and avoid the Booking.com RAT attack

Check the URL

As Malwarebytes Labs notes, the domains and subdomains scammers are using to carry out this attack change frequently, and some look more legitimate than others: (booking.)guestsalerts[.]com versus kvhandelregis[.]com, for example. To avoid falling victim to this campaign and those like it, don’t click links from ads or posts on social media, and go directly to the website you want to visit instead.
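The URL check described above, as an added Python example (not from the original article or Malwarebytes Labs): it refangs an indicator and decides whether the hostname really belongs to booking.com or only borrows the brand name. The allow-listed domain, the function names, and every sample except the two domains quoted above are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "booking.com"  # assumption: the only domain treated as genuine
BRAND = "booking"         # brand token that lookalike hosts borrow


def refang(indicator: str) -> str:
    """Undo defanging such as '[.]', 'hxxp' and the '(booking.)' notation."""
    s = indicator.strip().replace("[.]", ".").replace("(", "").replace(")", "")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s if "://" in s else "https://" + s


def classify(indicator: str) -> str:
    """Return 'official', 'lookalike', 'other' or 'invalid' for a URL or host."""
    try:
        parts = urlsplit(refang(indicator))
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Exact match or a true subdomain; the leading dot rejects 'secure-booking.com'.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # Brand used as a label of another domain, or placed in the userinfo
    # part before '@' so the URL appears to start with the real site.
    userinfo = parts.netloc.rpartition("@")[0].lower()
    if BRAND in host or BRAND in userinfo:
        return "lookalike"
    return "other"  # still not Booking.com, just without the brand in the name


# Constructed samples, except the two defanged domains quoted in the article.
SAMPLES = [
    "https://www.booking.com/searchresults.html",
    "(booking.)guestsalerts[.]com",
    "kvhandelregis[.]com",
    "https://secure-booking.com/login",
    "https://booking.com@login.example/verify",
    "hxxps://booking.com.confirm-stay.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):9}  {sample}")
```

Only the `official` result means the host is Booking.com; both `lookalike` and `other` are different sites, which is why the less convincing domain in the pair above is just as untrustworthy as the convincing one.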

Head to the site directly

Know that using a general Google search for travel planning may make you more susceptible to malvertising, as cybercriminals can spoof websites to look like popular services—such as booking.com—and have them appear near the top of sponsored results. You should type URLs directly into the address bar or book with the airline or hotel itself.

Be wary of CAPTCHA forms from untrusted sources

You should also be wary of following instructions, such as executing commands, from websites, CAPTCHA forms, or social media videos, which can easily trick you into installing malware.

Finally, you can disable JavaScript in your browser, which will remove clipboard access, though this is likely to break other websites you visit.


ZaKi
