Booking.com Users Targeted by ‘I Paid Twice’ Scam via ClickFix & PureRAT

Article Summary:
Sekoia, a cyber threat detection and response specialist, has uncovered a widespread cybercrime operation targeting hotels and their guests. The operation, named "I Paid Twice," involves scammers acquiring unlisted contact details of hotel managers and tricking guests into paying for reservations twice. The scheme has been active since April 2025 and continues as of early October 2025. Researchers believe the scammers are highly organized, acquiring administrator databases for as little as "tens of dollars."

Key Points:

1. The cybercrime operation, "I Paid Twice," targets hotels and their guests by first compromising hotel systems and then tricking guests into paying twice for reservations.
2. The scammers acquire unlisted contact details of hotel managers through searches on websites or buying email lists on forums like LolzTeam, which can cost as little as "tens of dollars."
3. The attack has been ongoing since April 2025 and is still active as of early October 2025.

Actionable Takeaways:

• Enhanced Cybersecurity Measures for Hotels: Hotels should implement robust cybersecurity measures to protect against phishing campaigns and unauthorized access to their systems. This includes regular security audits, employee training on phishing awareness, and the use of advanced threat detection tools like those provided by Sekoia.
• Data Security for Hotel Managers: Hotel managers should secure their contact details and be cautious when sharing personal or business information online. This includes using secure email services, avoiding public forums for sensitive data, and considering the use of encrypted communication channels.
• Awareness and Training for Travel Industry Professionals: Professionals in the travel industry, including hotel staff and guest services, should be trained on recognizing and responding to phishing attempts. This includes understanding common phishing tactics, knowing how to report suspicious emails, and being aware of the potential financial and reputational damage caused by such attacks.

Contextual Insights:
The rise of sophisticated cybercrime operations targeting the hospitality industry underscores the growing importance of cybersecurity in the travel sector. As digital transformation continues to reshape the travel industry, with increased reliance on online booking platforms and digital communication, the vulnerability to cyber threats also increases. The "I Paid Twice" operation highlights the need for continuous vigilance and investment in cybersecurity infrastructure. Moreover, the relatively low cost of acquiring unlisted contact details suggests that cybercriminals are becoming more accessible and less deterred by financial barriers, emphasizing the need for proactive security measures. This situation also highlights the importance of collaboration between cybersecurity firms like Sekoia and industry stakeholders to share threat intelligence and develop effective countermeasures. As the travel industry continues to evolve, staying ahead of cyber threats will be crucial for maintaining trust and ensuring the safety of both hotels and their guests.

Read the Complete Article.