“I Paid Twice” Scam Infects Booking.com Users with PureRAT via ClickFix

Cybersecurity firm Sekoia reports a widespread fraud where criminals compromise hotel systems (Booking.com, Expedia and others) with PureRAT malware, then use stolen reservation data to phish and defraud guests.

Sekoia, a cyber threat detection and response specialist, has released details on a widespread and ongoing cybercrime operation that first targets hotels and then directly goes after their guests.

Researchers began investigating after a partner reported a phishing campaign hitting hospitality customers. They named the report “I Paid Twice” after an email subject line from a victim tricked into paying for their reservation twice, once to the hotel and again to the criminal.

The company believes the scammers are highly organised. To begin, they acquire unlisted contact details of hotel managers, usually by searching websites or buying email lists on forums like the Russian language one called LolzTeam. These administrator databases can cost as little as “tens of dollars” for ...