If you’re planning to go on vacation and you’ve booked your hotel via Booking.com, we advise you to be on the lookout for shady emails that purport to come from the company. The emails claim to represent hotel confirmations and they carry a nasty piece of malware.
The messages – entitled Hotel Reservation – appear to originate from email@example.com and they look like this:
(Eden Rock) 8785896
Date: Wed, 22 Aug 2012 20:57:25 +0100 —
Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.
Arrival: Friday, August 24, 2012
Departure: Sunday, August 26, 2012
Number of rooms: 1
Customer Service Team
Your Reference ID is: 3806087
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.
-Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.
MX Lab experts have analyzed these notifications and noticed that the Trojan they serve is a new version of Androm (identified by Kaspersky as Backdoor.Win32.Androm.gi). Currently, only 17 antivirus solutions detect the attached file as being a threat.
The attachment is a zip file which contains an executable named Hotel-Booking_Confirmation.exe.
Booking.com is aware of this type of email. The company is warning customers to be on the lookout for the clues which give away a scam’s true identity.
For instance, in fake emails the confirmation number from the subject line doesn’t match the one from the body of the text. Furthermore, legitimate notifications never contain attachments.
According to the advisory published by the company, most of the malicious emails that rely on their reputation have been found to contain the ZeuS Trojan, but obviously, the pieces of malware that are spread via such messages can vary.
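The clues described above (a subject-line number that differs from the reference ID in the body, the presence of any attachment, and an executable inside a zip) can be checked automatically at a mail gateway or in triage. The following is an added example, not code from Booking.com or MX Lab. The sample message is constructed: its subject joins "Hotel Reservation" with the "(Eden Rock) 8785896" line of the quoted email, and the zip file name, the finding labels and the extension list are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXT = (".exe", ".scr", ".pif")  # assumed list of risky extensions

def build_sample() -> bytes:
    """Constructed message modelled on the quoted email; the zip name is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hotel-Booking_Confirmation.exe", b"placeholder bytes, not a binary")
    msg = EmailMessage()
    msg["From"] = "email@example.com"
    msg["Subject"] = "Hotel Reservation (Eden Rock) 8785896"
    msg.set_content("Please refer to attached file for full details.\n"
                    "Your Reference ID is: 3806087\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="attachment.zip")
    return msg.as_bytes()

def check_message(raw: bytes) -> list:
    """Return the sorted warning signs found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = set()
    # Clue 1: number in the subject differs from the reference ID in the body.
    subject_ids = set(re.findall(r"\b\d{6,}\b", str(msg["Subject"] or "")))
    body = msg.get_body(preferencelist=("plain",))
    ref = re.search(r"Reference ID is:\s*(\d+)", body.get_content() if body else "")
    if ref and subject_ids and ref.group(1) not in subject_ids:
        findings.add("id-mismatch")
    # Clue 2: legitimate notifications never contain attachments.
    for part in msg.iter_attachments():
        findings.add("has-attachment")
        data = part.get_payload(decode=True) or b""
        names = [part.get_filename() or ""]
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Only list archive member names; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names += zf.namelist()
        if any(n.lower().endswith(EXECUTABLE_EXT) for n in names):
            findings.add("executable-payload")
    return sorted(findings)

if __name__ == "__main__":
    print(check_message(build_sample()))
```

A message with no findings is not thereby proven legitimate; the checks only cover the giveaways the company lists.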