
Hotel Booking Confirmation Malware Emails

by Brett M. Christensen

Outline

Notification emails purporting to be from Booking.com claim to be hotel room booking confirmations and urge recipients to open an attached file to view reservation details. 

Brief Analysis

The emails are not from Booking.com and they are not genuine hotel room reservation notifications. The attached file contains malware that can infect the recipient’s computer.

Examples

Hotel reservation Malware Email

 

booking Hotel Confirmation:
PIN:3259
Date Issue: 29/12/2014
Information is required to confirm your hotel reservation
Gravetye Manor Hotel
Arrival: 06.01.2015

Departure: 11.01.2015

Number of rooms: 1 (non-smoking)

Please do not hesitate to contact us if you have any questions.
Booking.com Customer Service Team

Your Reference ID is: 03390ZZ5
Booking.com – anytime, anywhere!

 

Subject: Hotel booking confirmation

Booking confirmation 7356993432

Date: Monday , 23 July 2012

We have received the reservation for your hotel.

Please refer to attached file now to acknowledge the reservation and see the reservation details.

Arrival: 29 July 2012

Number of rooms: 2

If you have any questions regarding this reservation, please feel free to contact us. Telephone: English support [removed], Spanish support [removed]; Fax 1 866 814 1719; Email: [removed]

Yours sincerely, Booking.com

 

Subject: Reservation Confirmation (4XQVC)

Hotel Confirmation: 0670206

Date: Tue, 24 Jul 2012 10:08:02 +0900
Here with you receive the electronic reservation for your hotel.

Arrival: Saturday, July 28, 2012
Departure: Sunday, August 05, 2012
Number of rooms: 1
Sincerely, Customer Service Team

Booking.com

Your Reference ID is: YPVFX

The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.

 

Detailed Analysis

Messages purporting to be hotel room booking confirmation emails are currently being distributed to inboxes around the world. The messages, which claim to be from the online booking website Booking.com, inform recipients that room reservations have been made for a specified date a few days hence. Recipients are invited to open an attached file to view full details of the supposed reservation.
However, the emails do not contain information about a real hotel booking nor are they from Booking.com. Like many previous such attacks, the messages are designed to trick curious recipients into opening an attached file to find out more information about a supposed booking or purchase. In fact, the attachment contains a trojan. Once installed, this malware can collect passwords and other sensitive information from the infected computer and relay it back to a remote server for collection and use by online criminals.

Versions of the malware emails have been distributed since late May 2012 and look set to continue. If you receive one of these fake hotel booking messages, do not open any attachments or click on any links that it may contain.

This malware campaign is similar to an earlier trojan attack that used fake flight ticket confirmation emails that falsely claimed to be from several airline companies.
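
For mail administrators, the pattern described above can be checked mechanically. The following Python code is an added example, not part of the original article: it flags a message that claims to be from Booking.com while its From domain is not booking.com, carries an attachment, and uses the lure wording quoted in the samples. The sender domain `mailer.example.net`, the attachment name and the function names are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

BRAND = "booking.com"
# Lure wording and subjects taken from the sample emails quoted on this page.
LURE = re.compile(r"refer to attached file|electronic reservation|"
                  r"required to confirm your hotel reservation", re.I)
SUBJECT = re.compile(r"(booking|reservation) confirmation", re.I)

def triage(raw):
    """Return the reasons a raw message matches this campaign's pattern."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    domain = parseaddr(sender)[1].lower().rpartition("@")[2]
    parts = list(msg.walk())
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in parts
                    if p.get_content_type() == "text/plain" and not p.get_filename())
    reasons = []
    claims_brand = BRAND in sender.lower() or BRAND in body.lower()
    # An aligned From header is not proof of origin (it can be forged);
    # a mismatch with the claimed brand is still a strong signal.
    aligned = domain == BRAND or domain.endswith("." + BRAND)
    if claims_brand and not aligned:
        reasons.append("brand-mismatch")
    if any(p.get_filename() for p in parts):
        reasons.append("has-attachment")
    if LURE.search(body):
        reasons.append("attachment-lure")
    if SUBJECT.search(msg.get("Subject", "")):
        reasons.append("confirmation-subject")
    return reasons

def is_suspicious(raw):
    """Quarantine candidate: claims the brand, wrong domain, carries a file."""
    return {"brand-mismatch", "has-attachment"} <= set(triage(raw))

def build_sample(sender, attach=True):
    """Constructed test message modelled on the second sample above."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "Hotel booking confirmation"
    m.set_content("We have received the reservation for your hotel.\n"
                  "Please refer to attached file now to acknowledge the reservation.\n"
                  "Yours sincerely, Booking.com\n")
    if attach:  # placeholder bytes and filename, not a real sample
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename="reservation.bin")
    return m.as_string()
```

Because a From header can be forged, a message that passes the domain check should still be judged on its SPF, DKIM and DMARC results before any attachment is trusted.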

Important Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,
Hoax-Slayer