Fake booking reservation confirmation emails from booking.com contain a trojan


MX Lab, http://www.mxlab.eu, started to intercept a new trojan distribution campaign by email with subjects similar to “Reservation Confirmation [6294011], Tue, 31 Jul 2012 18:19:42 +0900”.

The email is sent from the spoofed address “Booking.com <customer.service@my.booking.com>” and has the following body:

Date: Tue, 31 Jul 2012 18:19:42 +0900 —

Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.

Arrival: Saturday, August 04, 2012

Departure: Monday, August 06, 2012
Number of rooms: 1
Sincerely,
Customer Service Team

Booking.com http://www.booking.com

Your Reference ID is: 8751747
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.
-Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.

The attached ZIP file is named Booking_Confirmation_073120123972991.zip and contains a 37 kB executable, Booking_Confirmation_07312012.exe. The long digit string in the ZIP name varies between samples (a reader below reports Booking_Confirmation_073120123425346.zip); the leading 07312012 is the date the campaign started.

The trojan is detected under names such as W32/Falab.J2.gen!Eldorado, Trojan-Spy.Agent, Downloader.Dromedan and TROJ_KRYPTIK.NC.

At the time of writing, only 9 of the 41 antivirus engines on VirusTotal detected the trojan.

VirusTotal permalink (SHA256 of the executable): 78cca5db33888091d98854835d6ca80b77568d5f106a9d7739e7a3efa02df659.
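The indicators the post names (a Booking.com display name on a sender that is not Booking.com, a ZIP attachment hiding a date-stamped Booking_Confirmation_*.exe, and the SHA256 of the payload) can be checked automatically on an .eml file. The script below is an added example, not MX Lab’s own tooling: it uses only the Python standard library, builds a constructed sample message inline so it runs offline, and treats the plain booking.com domain as the only expected sender domain (an assumption; adjust EXPECTED_SENDER_DOMAINS to your own allowlist). The fake payload is a two-byte “MZ” stub, not the real trojan, so only the post’s hash constant is real.

```python
"""Triage a suspicious e-mail for the indicators described in the post.

Added example (not MX Lab code).  Standard library only; the sample
message is constructed here and the payload is a harmless stub.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 the post reports for Booking_Confirmation_07312012.exe.
KNOWN_BAD_SHA256 = {
    "78cca5db33888091d98854835d6ca80b77568d5f106a9d7739e7a3efa02df659",
}
# Assumption: legitimate Booking.com mail comes from exactly this domain.
EXPECTED_SENDER_DOMAINS = {"booking.com"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
# Date-stamped lure name seen in the campaign, e.g. Booking_Confirmation_073120123972991.zip
LURE_NAME = re.compile(r"^Booking_Confirmation_\d{8,}\.(zip|exe)$", re.I)
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # zip-bomb guard: never inflate more than this


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_eml(payload: bytes, attach: bool = True) -> bytes:
    """Constructed sample resembling the campaign mail; not a real capture."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Booking.com <customer.service@my.booking.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Reservation Confirmation [6294011], Tue, 31 Jul 2012 18:19:42 +0900"
    msg.set_content(
        "Herewith you receive the electronic reservation for your hotel. "
        "Please refer to attached file for full details."
    )
    if attach:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("Booking_Confirmation_07312012.exe", payload)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Booking_Confirmation_073120123972991.zip")
    return msg.as_bytes()


def triage(raw: bytes, known_bad=KNOWN_BAD_SHA256) -> dict:
    """Return a verdict, human-readable findings and SHA256 of every ZIP member."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, hashes = [], {}

    # Brand name in the display name, but the address domain is not the brand's.
    from_hdr = msg["From"]
    for addr in (from_hdr.addresses if from_hdr else ()):
        display, domain = (addr.display_name or "").lower(), addr.domain.lower()
        if "booking.com" in display and domain not in EXPECTED_SENDER_DOMAINS:
            findings.append(f"brand display name on non-brand domain {domain}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_NAME.match(name):
            findings.append(f"lure-style attachment name {name}")
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"{name}: not a valid ZIP")
            continue
        with zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXTS):
                    findings.append(f"{name} contains executable {info.filename}")
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(f"{name}: {info.filename} too large to inflate, skipped")
                    continue
                digest = sha256_hex(zf.read(info))
                hashes[info.filename] = digest
                if digest in known_bad:
                    findings.append(f"{info.filename} matches known-bad SHA256 {digest}")

    if any("known-bad" in f or "executable" in f for f in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "hashes": hashes}


if __name__ == "__main__":
    result = triage(build_sample_eml(b"MZ" + b"\x00" * 64))
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

Because the executable is hashed after extraction, the SHA256 can be compared with the one above even though every ZIP has a different name and size. Without the hash match, an executable inside a “reservation” ZIP is still enough for a malicious verdict; a mail that only spoofs the display name is rated suspicious, which matches the later variant discussed in the comments where the attachment is absent.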

35 Responses to Fake booking reservation confirmation emails from booking.com contain a trojan

  1. MrFun says:

    I got one like this too, it looked suspicious so I didn’t open it.

    • Rob Mannion says:

Today (Monday August 6th 2012) I have received over 24 e-mails from this criminal. Fortunately, I use Apple Mac computers but I still wouldn’t risk opening the attached zip file. Does anyone know where this criminal is located?

      • Rob Mannion says:

        I’m still receiving around 12 criminal spoof E-mails from the spammer. I read recently (I’ve got the information somewhere, but I cannot retrieve the information) that the criminal involved lives in Praha (Prague) in the Czech Republic. Even his name is known. I now have the E-mail address of the Czech Republic’s Internet Fraud Department. If anyone can give details of the criminal – I can pass them on. He’s very, very prolific indeed!

    • virus!!!!! don’t open!!!!*******

  2. PopMart says:

    Hi, I got this email but the zip file appears empty, will there be any repercussion?

  3. John Gaunt says:

    I just received a similar e-mail. The attachment is a 33K ZIP named “Booking_Confirmation_073120123425346.zip”

    ————————-
    Subject: Reservation Confirmation [7915944], Tue, 31 Jul 2012 15:33:42 +0200
    From: “Booking.com”
    Date: Tue, July 31, 2012 6:33 am

    Hotel Confirmation: 5333780
    Date: Tue, 31 Jul 2012 15:33:42 +0200


    Herewith you receive the electronic reservation for your
    hotel. Please refer to attached file for full details.

    Arrival: Saturday, August 04, 2012
    Departure: Monday, August 06, 2012
    Number of rooms: 2

    Sincerely,
    Customer Service Team
    Booking.com http://www.booking.com

    Your Reference ID is: 3319785
    The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.
    -Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.

  4. M says:

    Thank you for posting your blog. It helps us all out in knowing how to deal with the situation. The dates and the fact that so many of these sites work with each other makes it look possible even though we are not listed with booking.com. Thanks for the warning.

  5. Eric says:

    I’m afraid I’ve opened the zip file and now have a pop-up screen asking for an ‘OK’:
    file name: 2665hqsuqv.exe.
    How can I remove this?

  6. Dagfinn says:

    Also got one today, 4th to 6th August, and 2 rooms!

  7. Tony says:

    Received one today. I am away for a couple of days next week so it would have been timely, but I didn’t open it. Moral is: regard all messages with attachments as spam.

  8. Phil says:

    I’ve received several of these recently, all sent to an e-mail address that’s obviously been harvested from very old newsgroup posts. I’ve received a new one today which is not flagged as malware by MSE, Malwarebytes, or any of the engines on Jotti’s on-line scan. And this morning also I’ve received an identical attachment in an exactly similar e-mail purporting to come from Fedex.

  9. Big Al says:

    Microsoft Security Essentials let this one through… very fishy emails (I got 2!) that are now in the bin.

  10. T says:

    Hi All, Even I received many such fake emails from “my.booking.com”. Fortunately got blocked by our antivirus system automatically giving notification to me.

  11. Mona says:

    Got one today ! Trojan booked me a room at four season George V France (Five Star) ! Shall I go ?

    thanks for information , anyways!

  12. ady says:

    I’ve got six confirmation emails today! Just coincidentally I am also booking hotels through other websites so it’s really confusing! @_@

  13. Aloysius says:

    Just in case you have opened the attachment, to resolve the issue – restart the computer in safe mode, and restore your PC (using System Restore) to an earlier date.

  14. inchanto says:

    Oh Oh….

    Hotel Confirmation:
    [Four Seasons Hotel] 0113556
    Date: Tue, 7 Aug 2012 13:05:51 +0200 —

    ——————————————————————————–

    Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.

    ——————————————————————————–
    Arrival: Friday, August 10, 2012
    Departure: Monday, August 13, 2012
    Number of rooms: 1

    ——————————————————————————–

    Sincerely,
    Customer Service Team
    Booking.com http://www.booking.com

    Your Reference ID is: 3339316

    The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.
    -Booking.com guarantees the best hotel rates in both cities and regional destinations – ranging from small family hotels to luxury hotels.

  15. paul says:

    I have the same e-mail and I may have opened the zip file.
    What will the virus do? I switched off the PC today and hope someone can tell me.

  16. Cavey says:

    it’s obviously still doing the rounds as I received it today. For 2 rooms September 7th-9th…

  17. Cosmict says:

    got one today Avast stopped it

  18. Ian says:

    Still around – got one today but AVG (free edition) got it straight away

  19. Sarah says:

    Got one today also, am I safe as long as I don’t open zip file? Thanks

  20. Kay says:

    I did too – at 1822hrs. AVG free edition stopped it which is what alerted me.

  21. Chris says:

    Yeppers, it even made it here to my inbox in Australia. Thought the wife had been spending, lol. On a serious note, I Googled it as it looked suspicious, as not even my name was on my booking! DELETE and do not open! Mine came with a zip file which I DID NOT OPEN🙂 . . .

  22. ange says:

    BOOKING CONFIRMATION

    Issued: 12/10/2012

    BEDDING AND INCLUSIONS SHOWN IN ATTACHED FILE

    I received this email today!

    ================================================================================
    Confirmation number: 38588473
    Booking source: booking.com
    (please refer to this brand when
    communicating with the guest)
    ================================================================================
    BOOKING SUMMARY
    ================================================================================
    Check in: 17-Oct-2012
    Check out: 18-Oct-2012
    Total number of rooms: 1 per night
    Total number of room nights: 1 (1 room for 1 night each)
    Total booking amount: $224.00
    Room: 1 Night 1-2 people
    Number of guests: Adults: 1 Children: 0
    Bedding configuration: One or 2 People
    =====Comments=====
    Guest comments: non-smoking
    Any comments from the guest are by request only and have not been guaranteed.
    ================================================================================
    ================================================================================
    ================================================================================
    ROOM DETAILS
    ================================================================================
    Room: 1 Night 1-2 people
    Room description: Motel room including Tea and coffee
    facilities,free cohtinental b fast for 2 bar
    fridge, air conditioned, outdoor sitting areas,
    BBQ, swimming pool, and tennis court. Sports
    centre.
    Cancellation policy: Cancellations or changes to bookings for this
    room will not be permitted for any reason. Once
    confirmed a booking cannot be refunded or altered
    in any way.
    ================================================================================
    All amounts are shown in US Dollars and are inclusive of tax
    ================================================================================
    CHECK-IN REQUIREMENT: We have informed the guest that they must produce photo ID at check-in that matches the guest name on this booking, and that you will take and retain a copy of this ID to accompany the guest’s signed registration The guest is also aware that you may require them to provide a security deposit at check-in to guarantee payment of any incidental charges.

    The Team Booking.com
    ================================================================================

    • Jackie says:

      I received one exactly the same on the same date. I opened it on my phone, but haven’t noticed any virus or unusual activity afterwards, thankfully. I’m glad I’m not the only one being targeted!

      • Jackie says:

        Actually the amount is different and there wasn’t any attachment. So far no problems though.

      • mxlab says:

        It is always possible that the newer campaigns change and that they don’t include an attachment but use a malicious URL in the message. So far, I haven’t seen a new variant, but be careful. Contact me if you want to forward a sample for investigation.

  23. niknah says:

    This came with an attachment today… A legit message should usually have your full name on it.

    BOOKING CONFIRMATION

    Issued: 12/10/2012

    BEDDING AND INCLUSIONS SHOWN IN ATTACHED FILE

    ================================================================================
    Confirmation number: 41033623
    Booking source: booking.com
    (please refer to this brand when
    communicating with the guest)
    ================================================================================
    BOOKING SUMMARY
    ================================================================================
    Check in: 17-Oct-2012
    Check out: 18-Oct-2012
    Total number of rooms: 1 per night
    Total number of room nights: 1 (1 room for 1 night each)
    Total booking amount: $976.00
    Room: 1 Night 1-2 people
    Number of guests: Adults: 1 Children: 0
    Bedding configuration: One or 2 People
    =====Comments=====
    Guest comments: non-smoking
    Any comments from the guest are by request only and have not been guaranteed.
    ================================================================================
    ================================================================================
    ================================================================================
    ROOM DETAILS
    ================================================================================
    Room: 1 Night 1-2 people
    Room description: Motel room including Tea and coffee
    facilities,free cohtinental b fast for 2 bar
    fridge, air conditioned, outdoor sitting areas,
    BBQ, swimming pool, and tennis court. Sports
    centre.
    Cancellation policy: Cancellations or changes to bookings for this
    room will not be permitted for any reason. Once
    confirmed a booking cannot be refunded or altered
    in any way.
    ================================================================================
    All amounts are shown in US Dollars and are inclusive of tax
    ================================================================================
    CHECK-IN REQUIREMENT: We have informed the guest that they must produce photo ID
    at check-in that matches the guest name on this booking, and that you will take
    and retain a copy of this ID to accompany the guest’s signed registration The
    guest is also aware that you may require them to provide a security deposit at
    check-in to guarantee payment of any incidental charges.

    The Team Booking.com
    ================================================================================

  25. Antonio picariello says:

    How come I was charged the amount due before even arriving at the hotel? Isn’t the usual practice to pay on arrival? Thanks

  26. large porn tube massage says:

    Hello, would you mind stating which blog platform you’re using? I’m going to start my own blog soon but I’m having a tough time making a decision between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design and style seem different than most blogs and I’m looking for something completely unique.
    P.S Apologies for being off-topic but I had to ask!

  28. miche says:

    I received a similar email… but it said that my payment for the room did not go through!
    Does this mean that they areadly have my banking info?? Or is it just a variation of the scam to get me to supply the banking info?
