The company is warning customers to be on the lookout for such notifications

Aug 23, 2012 07:46 GMT  ·  By

If you’re planning to go on vacation and you’ve booked your hotel via Booking.com, we advise you to be on the lookout for shady emails that purport to come from the company. The emails claim to represent hotel confirmations and they carry a nasty piece of malware.

The messages – entitled Hotel Reservation [123456] – appear to originate from [email protected] and they look like this:

Hotel Confirmation: (Eden Rock) 8785896

Date: Wed, 22 Aug 2012 20:57:25 +0100

Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.

Arrival: Friday, August 24, 2012
Departure: Sunday, August 26, 2012
Number of rooms: 1

Sincerely,
Customer Service Team
Booking.com
http://www.booking.com

Your Reference ID is: 3806087

The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation. -Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.

MX Lab experts have analyzed these notifications and noticed that the Trojan they serve is a new version of Androm (identified by Kaspersky as Backdoor.Win32.Androm.gi). Currently, only 17 antivirus solutions detect the attached file as being a threat.

The attachment is a zip file which contains an executable named Hotel-Booking_Confirmation.exe.

Booking.com is aware of this type of email. The company is warning customers to be on the lookout for the clues that give away a scam’s true identity.

For instance, in fake emails the confirmation number from the subject line doesn’t match the one from the body of the text. Furthermore, legitimate notifications never contain attachments.
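The two clues above, plus the zipped executable described earlier, can be checked mechanically at a mail gateway or during triage. The following is an added example, not code from Booking.com or MX Lab; the function names, the extension list, the "five or more digits" pattern for a confirmation number and the zip file name in the sample are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")  # assumption: treated as executable


def check_confirmation(raw: bytes) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # Clue 1: the number in the subject should also appear in the body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    subject_ids = re.findall(r"\d{5,}", msg["Subject"] or "")
    if subject_ids and not any(n in body for n in subject_ids):
        findings.append("subject/body confirmation number mismatch")
    # Clue 2: legitimate notifications never contain attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        findings.append(f"attachment present: {name}")
        data = part.get_payload(decode=True) or b""
        # Zipped executable: list the archive members only, never extract them.
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXT):
                        findings.append(f"executable inside zip: {member}")
        elif name.endswith(EXECUTABLE_EXT):
            findings.append(f"executable attachment: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample modelled on the quoted message; zip name and payload are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hotel-Booking_Confirmation.exe", b"not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "Hotel Reservation [123456]"
    msg.set_content("Hotel Confirmation: (Eden Rock) 8785896\nYour Reference ID is: 3806087\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="confirmation.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("\n".join(check_confirmation(build_sample())))
```

A message that trips none of the checks is not thereby proven genuine; these are the article's clues, not a complete filter.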

According to the advisory published by the company, most of the malicious emails that rely on its reputation have been found to contain the ZeuS Trojan, but obviously, the pieces of malware that are spread via such messages can vary.