Thursday, August 02, 2012

Hotel Booking Scam

I got this email today. Fortunately, I know I did not book a hotel for August 4-6 and I'm reasonably sure that opening the file will not reveal any information I want, but rather would be an attempt at mischief.
Subject:  Reservation Confirmation [1342976], Thu, 2 Aug 2012 09:47:18 +0800
From:  "" <>
Date:  Wed, August 1, 2012 5:47 pm
Priority:  Normal
Hotel Confirmation:   7395329
Date:   Thu, 2 Aug 2012 09:47:18 +0800
Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.
Arrival: Saturday, August 04, 2012
Departure: Monday, August 06, 2012
Number of rooms: 1

Sincerely, Customer Service Team  http://www.XXXX
Your Reference ID is: 3225161
The reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free guarantees the best hotel rates in both cities and regional destinations - ranging from small family hotels to luxury hotels.


What are some of the telltale signs of a scam?  This one is deceptively simple, but . . .

  • The email doesn't list a recipient; there's no "To"
  • My name is not mentioned in the reservation
  • No hotel is mentioned in the reservation, though there is a legitimate website called My Booking, but there is an extra 'dot' in the email address listed
  • I have to open a file - a well-known way to infect computers with whatever evil the spammer/hacker is sending

I'm sure there are other signs I'm missing*.  But  . . .

How many people will unthinkingly click on the attachment in an attempt to clear up the confusion?
How many people have hotel reservations for August 4 who will open this?
If the world were a fair and equitable place, would there still be people who would need to disrupt other people's lives with stuff like this?

*There are lots of sites that offer advice on how to deal with email hoaxes and scams.  I even found one that lets you paste the email into a window and they'll check if it's a known scam.  But you have to give them an email address.  I passed on that.

Here are a couple sites.  It's useful to check them now and then as a reminder, plus these things evolve and get more sophisticated.

Microsoft Office tips
Kansas State University - Email Threats
(Three years old, but still interesting)  Wired - Identify a Phishing Scam

[UPDATE: August 7:  MX Lab reported on July 31 that the linked zip file contained a trojan:
The attached ZIP file has the name and contains the 37 kB large file Booking_Confirmation_07312012.exe.
The trojan is known as W32/Falab.J2.gen!Eldorado, Trojan-Spy.Agent, Downloader.Dromedan or TROJ_KRYPTIK.NC.
At the time of writing, only 9 of the 41 AV engines did detect the trojan at Virus Total.
Virus Total permalink and SHA256: 78cca5db33888091d98854835d6ca80b77568d5f106a9d7739e7a3efa02df659.
Hmmm, I should have found that before I posted.]
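
The signs listed in this post, plus the zipped .exe described in the update, can be checked without ever opening the attachment. This Python example is added here and is not from the original post; the sample message, the archive name reservation.zip, the sender address and the recipient name are constructed, and the check only reads zip member names.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")

def build_sample() -> bytes:
    """Constructed sample: no To header, zip holding a harmless text file named like the .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Booking_Confirmation_07312012.exe", b"placeholder text, not a program")
    msg = EmailMessage()
    msg["Subject"] = "Reservation Confirmation [1342976]"
    msg["From"] = "sender@example.invalid"  # constructed address
    msg.set_content("Herewith you receive the electronic reservation for your hotel. "
                    "Please refer to attached file for full details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="reservation.zip")  # constructed archive name
    return msg.as_bytes()

def scam_signs(raw: bytes, recipient_name: str) -> list[str]:
    """Return the telltale signs found in a raw message, in the order they are checked."""
    msg = message_from_bytes(raw, policy=policy.default)
    signs = []
    if not msg.get("To"):
        signs.append("no To header")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if recipient_name.lower() not in text.lower():
        signs.append("recipient name not mentioned")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_SUFFIXES):
            signs.append(f"executable attachment: {name}")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # Only the archive's member names are read; nothing is extracted or run.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_SUFFIXES):
                        signs.append(f"executable inside zip: {member}")
    return signs

if __name__ == "__main__":
    print(scam_signs(build_sample(), "Pat Example"))
```
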


  1. Coincidence - but I did have a booking around this time for 2 rooms so thought something had gone wrong...usually I can spot scams a mile off but this just created a little bit of uncertainty in my head. Thanks for blog post.

  2. I have received the exact same email, including a zipped file. This will be blocked and deleted! Why don't people just get regular jobs?!?

  3. I got one last night, exactly the same. The attached file is a program (i.e. it ends .exe) so I immediately deleted it and also checked via control panel that there wasn't some new unwanted program listed now.

  4. I had TWO of these emails today. Fortunately I know better than to open any attachments or use any links. Even when I think there might be a chance that it's legit, I go to the site in question via another way. In all, or most cases, the email was a phishing scam or something similar. Thanks for the info and for helping me to validate my suspicions.

  5. Thanks for posting this. I just received one today, and although I know I don't have a booking any time soon, I do have one in the distant future. I will have great satisfaction in deleting the scam-mail!

    1. Debbie, glad it was of help. Thanks for letting me know.

  6. is a scam they rip you off big time do not use them!

