- Experts warn of fake booking.com -websites circulating the internet
- The websites come with a fake “Accept Cookie” prompt downloading a rat
- Buyers must be on their guard when searching for offers
Hackers have been found targeted holidaymakers all over the world with remote access trojans (rat) distributed through fake booking.com site, experts have warned.
Researchers from HP Wolf Security found that cyber criminals have created sites that at first glance look like Booking.com – they wear the same branding, the same color scheme and the same formatting. However, the content of the site appears blurred and over it appears a misleading cookie banner.
If the victims press “Accept Cookies”, they trigger a download of a malicious JavaScript file. This again installs Xworm, a powerful rat that gives attackers full control over the compromised device, including access to files, webcams and microphone. They can also use access to disable security tools, implement additional malware and Exfiltrate access codes and other data.
Peak booking period
HP Wolf Security says that the first discovered campaign in the 1st quarter of 2025, which is “Peak Summer Holiday Booking Period,” and a time when “click fatigue” goes in as potential holidaymakers are ruthless and not paying attention to the places they visit and ends in disaster.
“Since the introduction of confidentiality regulations such as GDPR, cookie prompts have been so normalized that most users have fallen into a habit of ‘click-first, think later,'” commented Patrick Schläpfer, HEP HP Security Lab.
“By imitating the appearance and feeling of a reservation site at a time when holidaymakers rush to make travel plans, attackers do not need advanced techniques-just a good early prompt and the user’s instinct to click.”
There are a few things that users can do to stay in safety and the first is – to slow down when browsing.
Users should also make sure not to click on links in emails or messages on social media, especially for well-established sites such as booking. Instead, enter the address of the browser’s navigation line manually.
