Since 2023, a new type of scam has emerged, scams in the Booking.com internal chat system. In this article, I will share the experience that happened to me and the investigation result that I found from the scamming website.
People (like me) will expect FB Message, Telegram, Twitter or even Signal can get a scam message, because they only need your username or your phone number to contact you, and they are person to person, so strange individuals could be potential scammers. However, I trusted Booking.com internal chat this kind of internal chat system because it is a business to person chat system. However, I was wrong and I feel so stupid. On the day I was in a hurry, I got a message on Booking.com from the hotel I had booked, it said
I have to enter my credit card details to reserve my booking, otherwise they may not be able to guarantee the booking.
This is very common when booking on Booking.com, but it was usually before payment, not after. As an IT professional, I knew so many security practices, but in the rush and trust of a brand, I left them all behind. Now I have deleted my Booking.com account as this type of scam has been going on for about a year (see the message attached below) and it is still happening. Now let’s look at the investigation.
What are wrong on the scamming website
Scam From Europe / French / Algeria?
Scam Website
Scam Website Default Timezone
The default timezone, region and currency are in Europe/Algeria, the timezone is in Paris, but I was in Australia that time.
Scam Visa Credit Form
This credit card form looks legit, but it supports only Visa, even you put a master card, it will preview the credit card information on the top as Visa.
Open my Firefox Inspector
After I suspend my credit card, and contacting the Hotel administrator. I spent some of my time to investigate on the scamming website.
The Credit Card POST request will be posted to this url. https://info.service-id427786413.shop/loading/644661616 (Do not click, even it has been shutdown now. )
However, the response is a 503.
503 Error
I may be lucky here, that my credit card information was not posted to their server successfully, however, I couldn’t take the risk, so I still suspend my credit card on the same day.
From the response we can find out the IP address.
Scam Website Response
The IP Address is 91.241.19.123. After a bit of investigation, I found the IP was a known abuse IP. It was used for Cat Technologies, a company registered in Russia. See more here about the abuse IP result.
Abuse IP Result 91.241.19.102
And I can see the scam service is using PHP for the back-end from the inspector, which a very bad performance, fully load took about 4.7 seconds.
PHP at Scam Website
Investigation Summary
There are many problems with this scam website from the scam message. I am not here to blame Booking.com for not doing their cybersecurity well, but I just want to say how stupid I was. There are some obvious red flags here.
- The URL, it is not under booking.com domain.
- Europe/ French / Algeria, I was in Australia, but the default country is Algeria, and the currency is Euro, the timezone is Paris Timezone.
- The credit card form supports VISA only, no proper business will accept Visa only for online payment.
- The chatbot UI is ugly and not functional
Overall
Even with all these red flags, I still keyed in all my credit card information. However, what happened has happened, what I learnt from this journey is
- Not trust internal chat system, hackers may hack it too.
- Not rush to key your credit card information, give yourself a 10 seconds cool downtime
Tips to Prevent This to Happen
Users
- Check URL before key in credit card.
- Don’t trust any website, even the one you trusted before, in this case, Booking.com.
- Be patient, don’t be scared by the languages in the message, such as “Please do this in 2 hours, or your booking may be cancelled.”
Booking.com
- They should enforce 2FA to all stay owner.
- They should have an end-to-end encrypted chat system.
References
After doing some investigation through Google, it is actually not only me. It has happened for multiple times, and mainly in Australia.
- https://amp.abc.net.au/article/103390292
- https://www.reddit.com/r/AusFinance/comments/18cdnqi/bookingcom_scam_help/
- https://www.reddit.com/r/travel/comments/164fg3a/bookingcom_scam_please_be_careful/
- https://www.reddit.com/r/travel/comments/16db4nx/scam_inside_bookingcom_website/
- https://www.theguardian.com/money/2023/oct/23/bookingcom-customers-targeted-by-scam-confirmation-emails