Hotel staff targeted in Booking.com scam

A new scam impersonates Booking.com and uses a fake captcha page to trick hotel staff into installing the remote access trojan AsyncRAT.

24-04-2025 - 3 minute read. Posted in: cybercrime.


Fake Booking.com emails trick hotel staff into installing malware

A new phishing campaign is targeting hotel staff by impersonating Booking.com and tricking victims into downloading AsyncRAT through a fake CAPTCHA page. This sophisticated scam is part of a broader trend in cybercrime where attackers weaponise trust and urgency to breach networks in the hospitality sector.

Fake emails and real danger

The attack begins with a phishing email that appears to come from Booking.com. The message is professional and asks hotel staff to confirm a reservation. Embedded in the email is a link that leads to what looks like a CAPTCHA verification page.

At first glance, the CAPTCHA seems legitimate. But unlike a real verification process, it doesn’t verify anything. Instead, it triggers the download of a malicious ZIP file.

Once opened, the file installs AsyncRAT, a remote access trojan designed to silently take control of the victim’s device.
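The chain described above (a CAPTCHA-looking page immediately followed by a ZIP download from the same client) is something a defender can look for in web proxy logs. The following detection logic is an added example, not code from the article or from Moxso; the log format, domains and time window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the article).
# Format: "timestamp client method url status content_type"
SAMPLE_LOG = """\
2025-04-24T09:14:02 10.0.5.21 GET https://booking-verify-guest.example/captcha/check 200 text/html
2025-04-24T09:14:09 10.0.5.21 GET https://booking-verify-guest.example/files/Reservation_4471.zip 200 application/zip
2025-04-24T09:20:15 10.0.5.33 GET https://www.google.com/recaptcha/api2/anchor 200 text/html
2025-04-24T09:31:40 10.0.5.33 GET https://intranet.example.local/policies/handbook.zip 200 application/zip
2025-04-24T09:45:00 10.0.5.40 GET https://cdn.example.net/assets/captcha.js 200 application/javascript
"""

CAPTCHA_RE = re.compile(r"captcha", re.IGNORECASE)
ZIP_RE = re.compile(r"\.zip(\?|$)", re.IGNORECASE)
WINDOW = timedelta(seconds=120)  # assumed: how soon after the CAPTCHA page a ZIP counts as suspicious


def parse_line(line):
    """Split one constructed log line into a dict of the fields the detector needs."""
    ts, client, method, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "ctype": ctype}


def find_captcha_to_zip(log_text, window=WINDOW):
    """Return (client, captcha_url, zip_url) for every ZIP fetched within `window`
    of the same client loading an HTML page whose URL looks like a CAPTCHA.

    A real CAPTCHA is a page, not a download, so an HTML CAPTCHA page followed
    seconds later by a ZIP is the sequence the article describes.
    """
    last_captcha = {}  # client -> most recent CAPTCHA-like HTML page event
    findings = []
    for raw in log_text.strip().splitlines():
        e = parse_line(raw)
        is_zip = e["ctype"] == "application/zip" or ZIP_RE.search(e["url"])
        if is_zip:
            prev = last_captcha.get(e["client"])
            if prev and e["ts"] - prev["ts"] <= window:
                findings.append((e["client"], prev["url"], e["url"]))
        elif CAPTCHA_RE.search(e["url"]) and e["ctype"].startswith("text/html"):
            # Only HTML pages count; a captcha.js asset is not a verification page.
            last_captcha[e["client"]] = e
    return findings


if __name__ == "__main__":
    for client, captcha_url, zip_url in find_captcha_to_zip(SAMPLE_LOG):
        print(f"ALERT {client}: {captcha_url} -> {zip_url}")
```

In the sample, only the first client is flagged: the second fetched a legitimate ZIP eleven minutes after a real reCAPTCHA page, and the third only loaded a script asset.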

What AsyncRAT can do

AsyncRAT provides attackers with full remote access to infected systems. It can record keystrokes, take screenshots, access webcams, steal credentials and siphon off sensitive data. The malware can also be used to deliver additional payloads or move laterally through a network.

In this case, hotel employees are specifically targeted because they frequently handle reservations, interact with customers and process payment data. Just one compromised system could give attackers access to a hotel’s internal systems and sensitive guest information.

Why fake CAPTCHAs work

The use of a fake CAPTCHA gives the attack an extra layer of credibility. CAPTCHAs are normally a symbol of safety, used to distinguish real users from bots. When attackers mimic this process, they exploit that trust to catch victims off guard.

This method works particularly well in high-pressure environments like hotels, where employees may not have time to carefully evaluate every email or link.

A targeted phishing attack disguised as Booking.com communication

This attack is a clear example of phishing, specifically spear phishing. Unlike broad phishing campaigns that target random individuals, spear phishing focuses on a specific group — in this case, hotel staff. The attackers use a convincing email that mimics Booking.com, combined with a fake CAPTCHA, to trick recipients into downloading malware. By exploiting trust and urgency, the scam manipulates victims into acting before they can spot the warning signs.

Learn more about phishing and how attackers trick users with convincing emails, and read about spear phishing and why targeted scams like this one are so effective.

Moxso’s take: Awareness is key

This phishing campaign highlights the growing sophistication of social engineering attacks. When technical deception is combined with psychological manipulation, traditional defences like email filters are often bypassed.

For organisations in the hospitality sector, security awareness training is essential. Employees need to be trained to question unexpected emails, verify links and avoid downloading unknown files.

Additional protective measures such as endpoint detection and network segmentation can also help limit the damage in the event of a breach.

Even when an email appears to come from a trusted source, a moment of caution can prevent a costly attack.

Author: Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
