Skip to main content
CybersecuritySocial Engineering

I Paid Twice Phishing: Exclusive Scam Alert for Booking.com

I Paid Twice Phishing: Exclusive Scam Alert for Booking.com

“I thought I was paying the hotel — twice. It turned out I was paying the fraudsters.” That sentence, shared by an affected traveller in industry reporting, captures a growing dilemma: bookings that look legitimate are being turned into money funnels for organised phishers who exploit major travel platforms and hotel systems.

Security researchers have uncovered a large-scale “I Paid Twice” phishing campaign that leverages compromised accounts and injected scripts across Booking.com, Airbnb and Expedia ecosystems to defraud both customers and hoteliers. The attack chain combines stolen credentials, maliciously altered booking flows and fake payment landing pages so convincing many victims complete an additional, fraudulent payment after making an authentic reservation. Analysts describe the operation as automated, highly scalable and designed to blend into normal reservation traffic so it evades simple detection methods .

Background: how convenience became an attack vector

The hospitality sector’s architecture — many third-party booking engines, central reservation systems and payment widgets — concentrates guest records and payment opportunities in a handful of shared services. That concentration makes singular compromises disproportionately damaging. When a third-party provider is breached or credentials are abused, attackers can harvest large volumes of bookings and contact details to launch targeted follow‑ups, including bespoke phishing that asks guests to “re‑pay” or to update card details on a spoofed form hosted under what appears to be a trusted booking flow .

What investigators found and how the scam works

  • Compromise vectors: researchers point to weak or reused credentials, unpatched web‑facing software and misconfigured databases as likely enablers for account takeovers and supply‑chain intrusions that seed the campaign .
  • Delivery and deception: attackers inject malicious scripts into legitimate pages or create dynamic fake booking pages and landing forms that capture full card‑not‑present details (card number, CVV, billing address). Those scripts and pages are optimized to mimic the real payment experience, increasing conversion rates and making detection harder for ordinary users and basic scanners .
  • Scale and automation: the infrastructure behind the campaign can spin up numerous tailored lures in real time, using automated templates and obfuscation to keep successful variants operational while evading traditional signatures .

Why it matters: financial, regulatory and reputational fallout

For travellers, the immediate harm is clear: unauthorised charges, intercepted refunds, and the administrative and credit‑monitoring burden that follows. For hotels — particularly independent or small chains — the consequences include chargebacks, remediation costs, and loss of trust. A single vendor compromise can ripple across many properties, multiplying exposure and remediation complexity .

Regulators and insurers are now watching closely. Under privacy regimes such as the GDPR, organisations that fail to protect personal data or delay notification may face enforcement actions and fines. Insurers are increasingly demanding demonstrable cyber hygiene; failure to meet those standards can jeopardise coverage for breach losses .

Perspectives and responses

  • Technologists: security professionals warn that well‑crafted script injections and supply‑chain compromises require defenders to move beyond perimeter checks. Recommended controls include multifactor authentication, strict least‑privilege policies for third‑party integrations, tokenised payments, site integrity monitoring and routine scanning for unauthorized script changes .
  • Policymakers and regulators: the incident highlights the need to operationalize supply‑chain security expectations for reservation software vendors and to consider faster disclosure mechanisms for cross‑border incidents. Regulators must balance enforcement with support for smaller operators that lack the resources to meet high security baselines .
  • Users: travellers remain the last line of defence. Experts advise verifying confirmations through official hotel contact channels, avoiding clicking links in unsolicited messages, preferring credit cards with strong fraud protections, and enabling bank alerts. Simple steps — manually entering a hotel’s URL or calling the property to confirm payments — can thwart many fraud attempts .
  • Adversaries: attackers benefit from inexpensive automation and generative tools that make phishing more convincing and scalable. The result is an asymmetric battlefield: high‑quality lures on the attacker side versus time‑ and budget‑constrained defenses on the defender side .

Practical checklist for hotels and platforms

  • Immediately identify and isolate affected systems; revoke and rotate any exposed credentials.
  • Apply patches to web‑facing software, segment networks, and enforce multifactor authentication for administrative access.
  • Scan for unauthorized scripts and third‑party widget changes, and implement site‑integrity monitoring to detect tampering in real time.
  • Tokenize payments where possible and tighten payment verification flows to reduce the value of intercepted card data.
  • Prepare transparent, timely notifications to customers and coordinate with data protection authorities when personal data is involved .

Wider implications

This episode is not merely another cyber incident; it is a case study in how convenience and interconnected services create attractive targets for fraud. The hospitality industry’s business model — fast bookings, seamless payments and many third‑party integrations — amplifies risk when security is unevenly distributed among vendors. It also illustrates a broader trend where AI and automation lower the entry barriers for sophisticated social‑engineering campaigns while defenders play catch‑up with detection and incident response tools .

Conclusion

The “I Paid Twice” campaign is a warning: when booking feels effortless, the hidden costs can be steep. Hotels, platforms and travellers all have roles to play — stronger authentication, vigilant supply‑chain oversight and simple verification habits can blunt the attackers’ edge. But without coordinated standards and faster reporting, the cycle of compromise and phishing will continue. In a world that prizes convenience, who will insist on the inconvenient work of security before the next guest completes a payment?

Source: https://www.infosecurity-magazine.com/news/i-paid-twice-phishing-campaign/