Cybercriminals Leverage Hijacked Booking.com accounts for Phishing
I recently heard about a wave of scams exploiting Booking.com users. So I went and researched it for myself. I came across a post on the r/travel subreddit about such an incident. 
The user received a seemingly authentic message with a URL via Booking.com's app. They provided their credit card information and said that “within mere minutes of this, an attempt was made to use [their] credit card for an online purchase.”
As others pointed out on Reddit, the most likely scenario here is that the hotel's account with Booking.com has been compromised, or the hotel's own email account was compromised.
I then looked up the phishing site sent via the Booking.com in-app messaging system in VirusTotal to find the IP address and checked that in URLscan. As I imagined, the offending IP address had a bunch of other Booking.com phishing domains that resolved to it. This revealed a widespread campaign. [2, 3]
Further research on this topic led me to a recent Secureworks blog about threat actors taking it to the next level by stealing Booking.com hotel admin credentials using a well-known Infostealer malware called Vidar. My colleague Tas also recently wrote a blog for Curated Intel on this topic as well. Other open-source blogs have also covered these campaigns in-depth. [4, 5, 6]
Unfortunately, this seems like a highly successful online scam. It is leveraging an in-app communications channels and taking advantage of poor security practices by small businesses to exploit the business-to-customer (B2C) relationship. And unfortunately if Booking.com does not address this issue directly, customers may avoid them for safer experiences.
Indicators of Compromise (IOCs):