Sophos Cloud Optix
Be on your guard against emails that claim to be about a hotel booking that you never made – you could be putting your computer at risk of infection by malware.
Emails have been spammed out claiming to be a confirmation from the booking.com website about a hotel reservation.
Chances are that if you received an email like the following you would be at the very least curious, and might be tempted to click on the attached file.
A typical email reads:
Subject: [Fwd: Hotel booking confirmation 2930566265]
Attached file: Hotel_Reservation_Booking_Com_52524658ID.zip
Message body:
Booking confirmation 8356693431
Date: Tuesday , 29 May '2012
Dear,
We have received a reservation for your hotel.
Please refer to attached file now to acknowledge the reservation and see the reservation details.
Arrival: Tuesday, 05 June 2012
Number of rooms: 1
If you have any questions regarding this reservation, please feel free to contact us. Telephone: English support 1 888 850 4649, Spanish support 1 866 938 1298; Fax 1 866 814 1719; Email: customer.service@booking.com
Yours sincerely, Booking.com
Of course, opening the attachment would be a big mistake, as the emails don’t really come from Booking.com.
The attached .ZIP file contains a Trojan horse designed to infect your computer. Sophos products detect the malware as Mal/BredoZp-B and Troj/Inject-VI.
Long time readers of Naked Security will be only too familiar with malware attacks associated with hotels. For instance, in the past we have seen attempts to infect computers via emails disguised as hotel credit card transactions.
The advice remains the same.
You should always be suspicious of email attachments that are sent to you out of the blue. Make sure that your anti-virus product is updated, that you have the latest security patches, and tell your friends to think twice before opening unknown attachments.
Woman at hotel reception desk image courtesy of Shutterstock.
Oh great, just when my family is booking rooms for a wedding. Hate new twists on old themes. Going to share this with everyone immediately!
Just found this email in my junk mail.
I don't think a legitimate hotel, bank, etc whatever is ever going to send you a zip archive 😛
I'm a little surprised that people seem to be falling for this.
A useful check is that booking.com booking references are only 9 digits – the ones in these emails are 10.
I really have to wonder what kind of concept of communication exists in the minds of people who would open a ZIP file they weren't expecting to receive, and especially from someone they don't know. Is that something THEY would do…send an unsolicited zip file to a complete stranger? Do they have "friends" who randomly send them unsolicited zip file attachments about hotel reservations they didn't make? And even after they read the email message and realize that they made no such reservation, they STILL go ahead and open the attachment anyway?
What must it be like to communicate with such people? Can they even form a coherent thought? Would it be possible to interact constructively with someone who treats communication as such an essentially random process? What do they use for sense?
I guess what I'm really asking is, how can a scam such as the one described above possibly work with anyone who isn't in desperate need of the services of a mental health professional? And if a great number of people routinely fall prey to such scams, what does that say about the intelligence of our fellow humanoids? Are they even educable?
Couldn't have said it better. Its amazing such people are allowed to use a computer.
You don't have to open the zip file. As soon as the email is highlited the zip file opens automatically. Have more faith in people! It will do wonders for your outlook on life!
Not everyone is as on the ball. Suppose you are a secretary who deals with some of your bosses emails. Therefore you might not be sure if he instigated it. Also there are a surprising number of small companies which use a single email between several people (I know because I had to write code to dedupe these for mailing lists for a customer of mine, and nearly 50% of the emails in the database are shared). In this case, someone else might open it to see what it is.
And if you have the default installation of Windows, you would not know that it is a ZIP because the default is to hide known file extensions! This is similar to the tax refund scams where double extensions are used. Sophos' Puremessage actually has a facility to detect this, which it does by parsing the ".". You would be surprised how many people send out attachments which trigger this warning simply through the file names.
Most people following this thread are more knowledgeable and cautious than most. However, I know that no matter how smart I am, one day when I am in a hurry or tired, I will get caught out.
Another reason why the default settings in Windows and Internet Explorer
are VERY unsecure, and need to be mazimized on every computer in the
world!
I actually got this scam email less than an hour after I had made a hotel booking and was waiting for a confirmation.
I didn't get caught out because I have now adopted the approach of assuming that all emails are scams, and look for evidence that they are not a scam before dealing with them.
It is a sad indictment,
Hi- found you lot through a search and wondered if you'd mind answering a query.My husband is, unfortunately, the kind of numpty who did try to open this attachment. Apparently it went to straight to documents- he double clicked on the document, and got the egg timer symbol for about 5 seconds, he then twigged something might be up and deleted the file. I am not quite as much of a numpty as my husband, but am still a little unsure of the consequences of this. I ran a virus scan when I got in and the it came up clear and the computer seems fine, but I am wondering if there might be any hidden consequences that I am unaware of. Thanks for your help- Steph
The very same MalSpams are being received by dozens at several organizations here in Buenos Aires (Argentina) since Jul 31, and a new wave today Aug 7.
The MalSpam IP’s originating these are hardly the same for at most 3 mails, usually only one from a different IP. Almost are dinamic IP’s. Seems to came from botnet infected machines around the world.
Raul Batista
www.antiphishing.com.ar www.segu-info.com.ar
I to got this email shortly after making an actual booking at booking.com. it seems to me that whoever is sending these bookings has some miraculous ability to find the email addresses of booking.com customers. this is rather worrying.
Does this affect Apple Macs? My husband assumed I had booked a hotel prior to our holiday and opened the file. I now have an inbox showing 1 unopened e-mail but no e-mail in there. Can anyone help me please.
All the versions I have seen have targeted Windows rather than Mac computers.
received one, thanks to sophos did not open it.
Thank You Sophos, for watching my back. “Shared”.
I got one too yesterday, and didn’t open it ….Shared!
Received 2 and didn’t open.
Just curious, why would someone open an attachment about a hotel booking when they know they never booked a hotel? Simple rule: if it seems suspicious and has an attachment or a website link included, delete it.
i thought that, i got one about my car insurance when i have never even driven a car so i binned it, if it’s refering to something that s irelevent to you then it’s a scam
If the e-mail addresses me by name, I’ll take it a lot more seriously than if it has a generic salutation. Also, I’ll pay careful attention to which e-mail account was used. I run multiple e-mail accounts, but I’m very particular about which I’ll use for financial transactions.
If the e-mail passes on both those counts, but if it’s for a transaction I have not initiated, then I’ll immediately check to see if the transaction went through on my credit card.
As we had just used booking.com to book an apartment in Toronto, initially I wasn’t sure about this; however the dates in the email didn’t tie up, so knew it was dodgy. But we have booked several hotels etc for a 3 week trip, so couldn’t just dump it
Hello! Is booking.com a legitimate website? -leigh
I just received email from booking.com Do I delele it or forward to ftc? Was glad to find out this info about from your site Thanks
The quickest thing to do is to simply delete it.
However, if you wish to report it to the authorities follow the advice at http://nakedsecurity.sophos.com/2012/11/07/how-to…
I just got an email from booking.com for a hotel in London called "Arriva Hotel" and was telling me that there was something wrong with my credit card and that I needed to update my cc info to keep my reservation. This statement came from the actual email…"If you do not update your credit card date, a penalty for reservation cancellation or prepayment of 136$, which is provided under the terms of booking will be imposed." There was a link for me to click on but I decided not to. There was no attachment for me to download. The email came from support services with an email address of "manager.234@elpaso.us". I never booked anything with booking.com nor have I ever. The thing that strikes me as being odd is the fact a few months ago my credit card was flagged by my bank and a hold was put on it for suspicious activity from a hotel in Sedona, AZ which I did not do. Thankfully my cc company was on top of these kind of scams and took care of it right away. So I guess my question is should I pass this on to someone and to who? Is this kind of email something new that scammers are wanting you to click on the link to get more info on you? Thank you in advance for any helpful info you can give me. I found you by doing a search on booking.com and email scams.