Cybercriminals Are Using Booking.Com Refund Ploy As Bait

An internet security company, Forcepoint, warns that cybercriminals are adjusting their campaigns to distribute "Agent Tesla" malware to an increasing number of business and casual travelers using popular travel-related service providers.

Scammers are sending emails that impersonate travel brands (in this case Booking.com, as the headline notes) and ask the recipient to check an attached PDF for a card statement.

Once a user follows the link in the PDF, the URL delivers a hidden JavaScript file that invokes the built-in Windows program PowerShell and later deletes itself. The end goal of the attack is to deploy "Agent Tesla" malware on the targeted system. "On successful infiltration of the malware, it allows attackers to conduct malicious activities such as data theft and executing commands on compromised systems," Forcepoint said.
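The chain described above (script host launches PowerShell, the script is then deleted) is visible in endpoint telemetry. The following detector is an added example, not code from the article or from Forcepoint: it walks constructed Sysmon-style process-creation and file-delete records, flags PowerShell spawned by wscript.exe or cscript.exe (with an extra reason when hidden-window or encoded-command flags are present), and correlates a later deletion of the same .js file. The field names, the host and file paths, and the base64 blob in SAMPLE_EVENTS are all constructed for this example; a real deployment would feed it Sysmon Event ID 1 and 23 records (file-delete logging must be enabled in the Sysmon configuration).

```python
"""
Added example, not code from the article or from Forcepoint: a small detector
that scans process-creation and file-delete records for the chain described
above (a script host such as wscript.exe launching PowerShell with a hidden
window or an encoded command, and the JavaScript file being deleted afterwards).
Field names loosely follow Sysmon Event ID 1 (process create) and Event ID 23
(file delete); the records in SAMPLE_EVENTS are constructed for this example.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Flags that commonly accompany script-launched PowerShell: hidden window,
# no profile, non-interactive, or a long base64 blob after -enc/-EncodedCommand.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-nop\b|-noni\b)"
)

# Path of the .js argument handed to the script host, with or without quotes.
JS_ARG = re.compile(r'"?([^"\s]+\.js)"?', re.I)


@dataclass
class Alert:
    host: str
    process: str
    detail: str
    reasons: list


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Walk events in order and return the alerts the chain produces.

    Each event is a dict with event_id, host, image and, for process creates,
    parent_image and command_line; file-delete events carry target_filename.
    """
    alerts = []
    scripts_by_host = {}  # host -> set of .js paths launched via a script host

    for ev in events:
        image = basename(ev["image"])
        if ev["event_id"] == 1:
            parent = basename(ev.get("parent_image", ""))
            if image in SCRIPT_HOSTS:
                # Remember which script ran so a later delete can be correlated.
                m = JS_ARG.search(ev["command_line"])
                if m:
                    scripts_by_host.setdefault(ev["host"], set()).add(m.group(1).lower())
            elif image == "powershell.exe" and parent in SCRIPT_HOSTS:
                reasons = [f"powershell spawned by script host {parent}"]
                if SUSPICIOUS_PS_FLAGS.search(ev["command_line"]):
                    reasons.append("hidden window / encoded command flag")
                alerts.append(Alert(ev["host"], image, ev["command_line"], reasons))
        elif ev["event_id"] == 23:
            target = ev["target_filename"].lower()
            if target in scripts_by_host.get(ev["host"], set()):
                alerts.append(Alert(ev["host"], image, f"deleted {target}",
                                    ["script deleted after execution"]))
    return alerts


# Constructed sample records: one benign admin PowerShell launch, then the chain.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "LAPTOP-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile Get-Process"},
    {"event_id": 1, "host": "LAPTOP-01",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\traveler\AppData\Local\Temp\refund.js"'},
    {"event_id": 1, "host": "LAPTOP-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -w hidden -nop -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="},
    {"event_id": 23, "host": "LAPTOP-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\Users\traveler\AppData\Local\Temp\refund.js"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.process}: {a.detail} -> {', '.join(a.reasons)}")
```

The benign explorer.exe-launched PowerShell produces no alert because the parent is not a script host, which is the property that keeps this rule quiet on ordinary administrative use; the self-deletion alert only fires for a file that a script host was previously seen executing on the same host, so routine temp-file cleanup is not flagged.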

Cybercriminals use "Agent Tesla" malware, an advanced remote access trojan (RAT) that functions as a keylogger and information stealer. "Agent Tesla" is one of the most prominent RATs in circulation, affecting up to seven percent of organizations worldwide. The malware targets Microsoft Windows OS-based systems.

Source: Vilius Petkauskas, "Travelers targeted with refund malware" (Feb. 26, 2024)

If you travel for business (or personally), receiving a last-minute notice from a travel services company can be stressful, especially if the notice concerns cancellations, itinerary changes, or, in this case, refunds.

Cybercriminals are counting on human nature in general, and on business travelers in particular, to make decisions quickly while traveling, without reflecting on the repercussions of those actions. Business travelers rushing to make airline connections, arriving at meetings, or working with limited internet access may quickly scroll through their emails and click on links or download files without thinking. This can lead to malware infections.

The following tips, adapted from general travel security advice, may be useful:

If you get an email from Booking.com or any similar travel-related service and are neither a subscriber nor actively using that service, the email is simply a phishing attempt and should be discarded without opening the attachment.

If you are a user but were not expecting an email, do not open the attachment. Instead, open a browser and go to the official site (do not simply click on any "helpful" link in the email) or use the mobile app to check for messages or information. As the attack currently targets Windows operating systems, checking from an iOS or Android app may provide an additional layer of protection, for now.

Wait until you have the opportunity to focus on and fully process these messages, and are neither pressed for time nor tired. Mistakes happen when users feel quick decisions are needed or when they are fatigued. Remember, any legitimate refund will still be there whenever you check your account through official channels.

Do not use the free public Wi-Fi offered in airports, coffee shops, or many cities to check any site, account, or service that requires you to type in your password. The better practice is to turn off your Wi-Fi completely and connect to those sensitive sites using your cell signal, which is less likely to be intercepted. Moreover, whether you are using a cell signal or any Wi-Fi that is not provided by your home router or that of your organization, use a VPN to better protect your device and your network.

Finally, upon returning from any trip, change the password of all apps or services you used, especially that of your email account.
