Beware of Travel Scams Targeting Vacationers
Travelers are increasingly becoming victims of a new online scam that mimics the widely used travel service Booking.com. This fraudulent scheme, as detailed by Malwarebytes Labs, employs deceptive CAPTCHA forms to remotely access users’ devices, enabling cybercriminals to gather sensitive personal and financial details.
Understanding the Booking.com Scam
The scam begins with links spread through social media platforms and gaming websites, often disguised as sponsored advertisements, that redirect unsuspecting users to fake Booking.com sites. The real Booking.com is a legitimate online travel agency that lets users find and reserve flights, hotels, rental vehicles, and various other travel services.
Upon clicking the malicious link, users are confronted with a counterfeit CAPTCHA window that includes a checkbox purportedly needed for data validation. This form instructs users to execute a Run command on their device using specific keystroke combinations. (Note: This action is never a valid request for CAPTCHA verification.)
In reality, the malicious CAPTCHA page has copied a PowerShell command to the user’s clipboard. If the user follows the instructions, the command downloads and executes a series of files that install a Remote Access Tool (RAT) identified as Backdoor.AsyncRAT, giving cybercriminals unauthorized access to, and full control of, the user’s system.
Identifying and Preventing the Booking.com RAT Infection
Examine the URL
As indicated by Malwarebytes Labs, the domains and subdomains used by these scammers change continuously, and some appear more authentic than others: compare, for instance, (booking.)guestsalerts[.]com with kvhandelregis[.]com. To avoid falling prey to such schemes, refrain from clicking links in advertisements or on social media and instead navigate directly to the intended website.
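The check behind "examine the URL", as an added example that is not from Malwarebytes Labs or the original article: a link is genuine only when the host the browser connects to is booking.com or a subdomain of it, wherever the word "booking" appears. Treating booking.com as the only official domain is an assumption, and the lookalike.example hosts are constructed samples.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as genuine.
OFFICIAL_DOMAIN = "booking.com"


def refang(text: str) -> str:
    """Undo the defanged notation used in threat reports, e.g. example[.]com."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_host(url: str) -> str:
    """Return the lower-cased host the browser would actually connect to."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url  # bare hostnames from reports carry no scheme
    host = urlsplit(url).hostname or ""  # drops userinfo ("user@") and port
    return host.rstrip(".").lower()


def is_official(url: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only if the host is the official domain or one of its subdomains."""
    host = extract_host(url)
    return host == official or host.endswith("." + official)


def explain(url: str) -> str:
    """One-line verdict suitable for a triage note."""
    host = extract_host(url)
    if is_official(url):
        return f"{host}: belongs to {OFFICIAL_DOMAIN}"
    if "booking" in host:
        return f"{host}: brand name in the host, but the site is not {OFFICIAL_DOMAIN}"
    return f"{host}: unrelated to {OFFICIAL_DOMAIN}"


if __name__ == "__main__":
    samples = [
        "https://www.booking.com/hotel/index.html",
        "booking.guestsalerts[.]com",                    # from the article
        "kvhandelregis[.]com",                           # from the article
        "https://booking.com@lookalike.example/",        # constructed: userinfo trick
        "https://booking.com.lookalike.example/login",   # constructed: prefix trick
    ]
    for sample in samples:
        print(explain(sample))
```

The comparison is made on the end of the hostname with a leading dot, which is why a brand name placed at the front of the host or before an "@" does not pass.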
Visit the Official Site Directly
Using broad Google searches for travel arrangements may heighten exposure to malvertising, in which cybercriminals create counterfeit versions of popular sites like Booking.com that appear prominently within sponsored results. It’s advisable to manually enter URLs in the address bar or book directly with airlines or hotels.
Be Cautious of CAPTCHA Forms from Unknown Origins
Exercise caution with prompts that ask you to run commands, whether they come from suspicious websites, CAPTCHA forms, or social media videos; such prompts often mislead users into downloading malware.
To further mitigate risks, disabling JavaScript in your browser may eliminate clipboard access, though this could disrupt functionality on other websites you visit.