Two malicious files are attached to each of the notifications

Apr 22, 2014 11:38 GMT

Users in the Netherlands are advised to be on the lookout for fake Booking.com emails that pose as invoice notifications. The bogus messages are being sent out by cybercriminals in an effort to distribute malware.

According to researchers from MX Lab, the emails carry the subject line “factuur bevestiging” (invoice confirmation). They tell recipients that they have overdue items on their account and that an invoice for a first payment is attached.

“We are writing this letter to draw your attention to the overdue items referenced below,” the emails read (translated from the ungrammatical Dutch original).

“Please find attached your invoice for the first payment. We appreciate your efforts to ensure that the payment is received in a timely manner. Please note that a €100 reconnection fee will be charged if your account is suspended due to payment arrears.”

The messages have nothing to do with Booking.com, and the files attached to them are not invoices. There are two attachments: e-Ticket confirmation.pif and Invoice76453773.doc.

The .pif extension belongs to a Windows executable format, and Explorer does not display it even when file extensions are set to be shown, so the file appears to the recipient simply as “e-Ticket confirmation”. It carries a Trojan that is possibly a piece of ransomware. The document is also malicious: it contains a macro that, once the recipient opens the file and allows macros to run, launches the malicious component.
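Mail gateways and incident responders usually want to screen exactly the two attachment types this campaign used: a file with an executable extension that Windows will run on a double-click, and a legacy Office document carrying a VBA macro project. The Python script below is an added example, not code from MX Lab, Booking.com or the original article. It parses a raw email, inspects each attachment by extension and by content, and reports why each one looks dangerous. The sample message, the attachment bytes and the sender address are constructed here so the script runs offline; the VBA check is a heuristic (it looks for the UTF-16LE `_VBA_PROJECT` directory name inside an OLE2 container, or a `vbaProject.bin` member inside an OOXML zip), not a full parser.

```python
"""Flag risky e-mail attachments of the kind this campaign used.

Added example; not code from MX Lab or Booking.com. The sample message and
attachment bytes are constructed below so the script runs offline.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows runs as programs on a double-click. Note .pif: Explorer
# hides it even with "show extensions" turned on, so "e-Ticket confirmation.pif"
# displays as "e-Ticket confirmation".
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm) container
OFFICE_EXTS = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "ppt", "pptm", "rtf"}


def has_vba(data: bytes) -> bool:
    """Heuristic: does an Office attachment carry a VBA macro project?"""
    if data.startswith(OLE2_MAGIC):
        # Compound-file directory entries store names in UTF-16LE; a macro
        # project lives in a "VBA" storage holding a "_VBA_PROJECT" stream.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks dangerous (empty list = nothing found)."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if data.startswith(b"MZ"):
        # Content check: a PE binary is dangerous whatever the name says.
        reasons.append("content is a Windows PE executable")
    if ext in OFFICE_EXTS and has_vba(data):
        reasons.append("Office document containing a VBA macro project")
    return reasons


def scan_eml(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 5322 message and return (filename, reasons) for risky parts."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_eml() -> bytes:
    """Constructed lookalike of the campaign's message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Booking.com <noreply@example.invalid>"   # spoofed sender, assumption
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "factuur bevestiging"
    msg.set_content("Vind hechten uw factuur voor de eerste betaling.")
    # Fake PE: MZ header plus padding (a real .pif here would be a full executable).
    pif = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 60
    msg.add_attachment(pif, maintype="application", subtype="octet-stream",
                       filename="e-Ticket confirmation.pif")
    # Fake OLE2 .doc: valid magic plus a UTF-16LE "_VBA_PROJECT" directory name.
    doc = OLE2_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40
    msg.add_attachment(doc, maintype="application", subtype="msword",
                       filename="Invoice76453773.doc")
    # Benign control: a PDF-looking attachment must not be flagged.
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_eml(build_sample_eml()):
        print(f"{name}: {'; '.join(reasons)}")
```

Running the script on the constructed message flags both attachments and leaves the PDF alone. In a real gateway the extension list and the macro heuristic would be tuned to the organisation (many legitimate documents contain macros), but the two checks together catch the pattern used here: a renamed executable and a macro document delivered together under an invoice pretext.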

While this particular sample targets Dutch users, cybercriminals regularly use fake Booking.com emails to trick people into installing malware on their computers, so users in other parts of the world may be targeted as well.

Many people are planning their summer holidays at this time of year. Such a spam run can be successful because a good number of recipients will have visited Booking.com recently and may even have made reservations, so an invoice from the site does not immediately look out of place.

In order to avoid falling victim to such scams, never open attachments or click on links contained in suspicious-looking emails. Fake notifications are often easy to identify because they don’t greet recipients by name and they contain typos or, as in this case, clumsy machine-translated phrasing.

Unexpected emails carrying attachments, especially executables or Office documents that ask you to enable macros, should be treated as suspicious. As far as links are concerned, users can hover the mouse cursor over them to see where they really point. If the destination is not the respective company’s official website, it most likely leads to a malware or spam site; be aware that look-alike domains are also common.

Users who have already opened such attachments are advised to immediately scan their computers with an updated antivirus solution to make sure they are not infected. If malware is found, particularly a Trojan or backdoor, it is recommended that all passwords are changed, ideally from a separate device that is known to be clean.