u/drulee

Phishing follow-up to the Booking.com data leak. Fake "complete your reservation" page, pre-filled with your real booking data.

Screenshot of the phishing payment page (my real name, check-out date and total amount are blacked out). Note the hotel branding, the Booking.com-style "complete your reservation" flow, and the fact that all booking details are pre-filled from leaked data. The payment buttons (credit card / Apple Pay / Google Pay) sit on a third-party domain, not on Booking.com or the hotel's own site.

The phishing website is even translated into several languages, except for the middle part, apparently.

A few weeks ago I commented on the post about the suspicious "PIN updated for security reasons" email from noreply@booking.com (my comment). At the time the leak was the only signal. Today the follow-up phishing landed in my inbox, and it's worth describing because it is very convincing.

The setup

I have a real, confirmed Booking.com reservation for a Japanese hotel (Park Hotel Tokyo). Payment is due at the property, nothing is owed online yet. The phishing email arrived this morning, addressed to me by full name and referencing every correct detail: real booking number, real check-in and check-out dates, real hotel name and address, real phone number. The amount shown is close to but slightly lower than the real Booking.com total (a common trick: plausible at a glance, also looks like a small "discount" so you don't double-check).

The email pretends to be from the hotel but the actual sender domain has nothing to do with the hotel or Booking.com. It claims a "confirmation" is required within 24 hours and links to a "complete your reservation" page on a third-party domain.

The fake site

The link goes to a per-victim URL of the form:

https://reserve.<phishing-domain>/de/<token>/<your-real-booking-number>

The page is hotel-branded, pre-filled with all your real booking data, and demands either full credit-card re-entry or payment of the entire stay via Apple Pay / Google Pay. A real hotel or Booking.com transaction would never happen on a third-party domain like this. The page even uses Booking.com-style URL parameters (label, sid, aid, auth_key, source=mytrips) to mimic a real "My Trips" confirmation link.

Red flags, in case you get one

  • Sender domain has no relation to the hotel or Booking.com.
  • Payment link is not on booking.com or the hotel's own domain.
  • Amount shown is close to but not exactly your real total.
  • "Within 24 hours" urgency.
  • The email has no DKIM signature and no DMARC alignment (you can see this in the message source if your mail client shows it).
  • A real Booking.com booking is paid either at the property at check-in, or through secure.booking.com, never via a "confirmation link" on a random domain.

Bottom line

If you have an open Booking.com reservation and you get an email asking you to "confirm" it or "complete payment" via a link, assume it is phishing until proven otherwise. The attackers have full visibility into real booking data via the partner-extranet compromise that came out in April (https://www.theguardian.com/technology/2026/apr/13/booking-com-customers-hack-exposed-data), so "they knew my name and booking number" is no longer evidence of legitimacy.

Stay safe.

u/drulee — 3 days ago