Hotel booking confirmation emails aim to infect your computer. Watch out!

Filed Under: Malware, Spam

Hotel reception desk. Image courtesy of ShutterstockBe on your guard against emails that claim to be about a hotel booking that you never made - you could be putting your computer at risk of infection by malware.

Emails have been spammed out claiming to be a confirmation from the website about a hotel reservation.

Chances are that if you received an email like the following you would be at the very least curious, and might be tempted to click on the attached file.

Hotel booking malware

A typical email reads:

Subject: [Fwd: Hotel booking confirmation 2930566265]

Attached file:

Message body:

Booking confirmation 8356693431

Date: Tuesday , 29 May '2012


We have received a reservation for your hotel.

Please refer to attached file now to acknowledge the reservation and see the reservation details.

Arrival: Tuesday, 05 June 2012

Number of rooms: 1

If you have any questions regarding this reservation, please feel free to contact us. Telephone: English support 1 888 850 4649, Spanish support 1 866 938 1298; Fax 1 866 814 1719; Email:

Yours sincerely,

Of course, opening the attachment would be a big mistake, as the emails don't really come from

The attached .ZIP file contains a Trojan horse designed to infect your computer. Sophos products detect the malware as Mal/BredoZp-B and Troj/Inject-VI.

Long time readers of Naked Security will be only too familiar with malware attacks associated with hotels. For instance, in the past we have seen attempts to infect computers via emails disguised as hotel credit card transactions.

The advice remains the same.

You should always be suspicious of email attachments that are sent to you out of the blue. Make sure that your anti-virus product is updated, that you have the latest security patches, and tell your friends to think twice before opening unknown attachments.

Woman at hotel reception desk image courtesy of Shutterstock.

, , ,

You might like

27 Responses to Hotel booking confirmation emails aim to infect your computer. Watch out!

  1. Mary Ann · 1220 days ago

    Oh great, just when my family is booking rooms for a wedding. Hate new twists on old themes. Going to share this with everyone immediately!

  2. Carol · 1220 days ago

    Just found this email in my junk mail.

  3. Mark · 1220 days ago

    I don't think a legitimate hotel, bank, etc whatever is ever going to send you a zip archive :P
    I'm a little surprised that people seem to be falling for this.

  4. vigornian · 1220 days ago

    A useful check is that booking references are only 9 digits - the ones in these emails are 10.

  5. Nigel · 1219 days ago

    I really have to wonder what kind of concept of communication exists in the minds of people who would open a ZIP file they weren't expecting to receive, and especially from someone they don't know. Is that something THEY would do...send an unsolicited zip file to a complete stranger? Do they have "friends" who randomly send them unsolicited zip file attachments about hotel reservations they didn't make? And even after they read the email message and realize that they made no such reservation, they STILL go ahead and open the attachment anyway?

    What must it be like to communicate with such people? Can they even form a coherent thought? Would it be possible to interact constructively with someone who treats communication as such an essentially random process? What do they use for sense?

    I guess what I'm really asking is, how can a scam such as the one described above possibly work with anyone who isn't in desperate need of the services of a mental health professional? And if a great number of people routinely fall prey to such scams, what does that say about the intelligence of our fellow humanoids? Are they even educable?

    • John · 1219 days ago

      Couldn't have said it better. Its amazing such people are allowed to use a computer.

      • Andy · 788 days ago

        You don't have to open the zip file. As soon as the email is highlited the zip file opens automatically. Have more faith in people! It will do wonders for your outlook on life!

    • Tony Gore · 1219 days ago

      Not everyone is as on the ball. Suppose you are a secretary who deals with some of your bosses emails. Therefore you might not be sure if he instigated it. Also there are a surprising number of small companies which use a single email between several people (I know because I had to write code to dedupe these for mailing lists for a customer of mine, and nearly 50% of the emails in the database are shared). In this case, someone else might open it to see what it is.

      And if you have the default installation of Windows, you would not know that it is a ZIP because the default is to hide known file extensions! This is similar to the tax refund scams where double extensions are used. Sophos' Puremessage actually has a facility to detect this, which it does by parsing the ".". You would be surprised how many people send out attachments which trigger this warning simply through the file names.

      Most people following this thread are more knowledgeable and cautious than most. However, I know that no matter how smart I am, one day when I am in a hurry or tired, I will get caught out.

      • Robert W. · 1219 days ago

        Another reason why the default settings in Windows and Internet Explorer
        are VERY unsecure, and need to be mazimized on every computer in the

  6. Tony Gore · 1219 days ago

    I actually got this scam email less than an hour after I had made a hotel booking and was waiting for a confirmation.

    I didn't get caught out because I have now adopted the approach of assuming that all emails are scams, and look for evidence that they are not a scam before dealing with them.

    It is a sad indictment,

  7. Stephanie · 1178 days ago

    Hi- found you lot through a search and wondered if you'd mind answering a query.My husband is, unfortunately, the kind of numpty who did try to open this attachment. Apparently it went to straight to documents- he double clicked on the document, and got the egg timer symbol for about 5 seconds, he then twigged something might be up and deleted the file. I am not quite as much of a numpty as my husband, but am still a little unsure of the consequences of this. I ran a virus scan when I got in and the it came up clear and the computer seems fine, but I am wondering if there might be any hidden consequences that I am unaware of. Thanks for your help- Steph

  8. raulbati · 1152 days ago

    The very same MalSpams are being received by dozens at several organizations here in Buenos Aires (Argentina) since Jul 31, and a new wave today Aug 7.

    The MalSpam IP's originating these are hardly the same for at most 3 mails, usually only one from a different IP. Almost are dinamic IP's. Seems to came from botnet infected machines around the world.

    Raul Batista

  9. ssam · 1146 days ago

    I to got this email shortly after making an actual booking at it seems to me that whoever is sending these bookings has some miraculous ability to find the email addresses of customers. this is rather worrying.

  10. clare · 1125 days ago

    Does this affect Apple Macs? My husband assumed I had booked a hotel prior to our holiday and opened the file. I now have an inbox showing 1 unopened e-mail but no e-mail in there. Can anyone help me please.

    • Graham Cluley · 1124 days ago

      All the versions I have seen have targeted Windows rather than Mac computers.

  11. Hubert Josef Winters · 1110 days ago

    received one, thanks to sophos did not open it.

  12. Raimund Heinrich · 1110 days ago

    Thank You Sophos, for watching my back. "Shared".

  13. Suzanne R. Allison · 1110 days ago

    I got one too yesterday, and didn't open it ....Shared!

  14. Debbie Mullins Farrar · 1110 days ago

    Received 2 and didn't open.

  15. Jennifer Harris · 1110 days ago

    Just curious, why would someone open an attachment about a hotel booking when they know they never booked a hotel? Simple rule: if it seems suspicious and has an attachment or a website link included, delete it.

  16. Steve Kelly · 1110 days ago

    i thought that, i got one about my car insurance when i have never even driven a car so i binned it, if it's refering to something that s irelevent to you then it's a scam

  17. John Arendt · 1110 days ago

    If the e-mail addresses me by name, I'll take it a lot more seriously than if it has a generic salutation. Also, I'll pay careful attention to which e-mail account was used. I run multiple e-mail accounts, but I'm very particular about which I'll use for financial transactions.

    If the e-mail passes on both those counts, but if it's for a transaction I have not initiated, then I'll immediately check to see if the transaction went through on my credit card.

  18. Heather Barber · 1110 days ago

    As we had just used to book an apartment in Toronto, initially I wasn't sure about this; however the dates in the email didn't tie up, so knew it was dodgy. But we have booked several hotels etc for a 3 week trip, so couldn't just dump it

  19. LEigh · 999 days ago

    Hello! Is a legitimate website? -leigh

  20. karyn · 978 days ago

    I just received email from Do I delele it or forward to ftc? Was glad to find out this info about from your site Thanks

  21. Sheri · 975 days ago

    I just got an email from for a hotel in London called "Arriva Hotel" and was telling me that there was something wrong with my credit card and that I needed to update my cc info to keep my reservation. This statement came from the actual email..."If you do not update your credit card date, a penalty for reservation cancellation or prepayment of 136$, which is provided under the terms of booking will be imposed." There was a link for me to click on but I decided not to. There was no attachment for me to download. The email came from support services with an email address of "". I never booked anything with nor have I ever. The thing that strikes me as being odd is the fact a few months ago my credit card was flagged by my bank and a hold was put on it for suspicious activity from a hotel in Sedona, AZ which I did not do. Thankfully my cc company was on top of these kind of scams and took care of it right away. So I guess my question is should I pass this on to someone and to who? Is this kind of email something new that scammers are wanting you to click on the link to get more info on you? Thank you in advance for any helpful info you can give me. I found you by doing a search on and email scams.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley