- Experts warns of fake Booking.com sites circulating the web
- The sites come with a fake “Accept Cookie” prompt that downloads a RAT
- Shoppers should be on their guard when searching for deals
Hackers have been found targeting holidaymakers around the world with remote access trojans (RAT) distributed through fake Booking.com websites, experts have warned.
Researchers from HP Wolf Security found cybercriminals have been making websites that, on first glance, look just like booking.com – they carry the same branding, the same color scheme, and same formatting. However, the content of the website is blurred, and over it, a deceptive cookie banner is displayed.
If victims press “Accept cookies”, they’ll trigger a download of a malicious JavaScript file. This, in turn, installs XWorm, a powerful RAT that grants the attackers full control over the compromised device, including access to files, webcams, and microphone. They can also use the access to disable security tools, deploy additional malware, and exfiltrate passwords and other data.
Peak booking period
HP Wolf Security says it first spotted the campaign in Q1 2025, which is “peak summer holiday booking period”, and a time when “click fatigue” sets in, as prospective holidaymakers are reckless and don’t pay attention to the sites they’re visiting, ending in disaster.
“Since the introduction of privacy regulations such as GDPR, cookie prompts have become so normalized that most users have fallen into a habit of ‘click-first, think later,’” commented Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab.
“By mimicking the look and feel of a booking site at a time when holiday-goers are rushing to make travel plans, attackers don’t need advanced techniques – just a well-timed prompt and the user’s instinct to click.”
There are a few things users can do to stay safe, and the first one is – to slow down when browsing.
Users should also make sure not to click on links in emails or social media messages, especially for well-established sites such as Booking. Instead, type in the address in the browser’s navigation bar manually.
Leave a comment