Vietnamese hotels and accommodation providers are facing a wave of email-based cyberattacks disguised as legitimate booking notifications from major travel platforms.
The cybersecurity corporation Bkav issued a warning today that numerous hotels and lodging facilities in Vietnam have been targeted by emails containing malware, disguised as messages from popular online booking platforms.
According to Bkav, a global cyberattack campaign called ClickFix is actively targeting hotels, home-stays, resorts, and other accommodation providers in Vietnam. Attackers impersonate well-known booking platforms such as Booking.com and Expedia, sending emails with subjects like “Booking Confirmation,” “Customer Complaint,” “Payment Update,” or “Reservation Cancellation.” These emails are crafted to resemble legitimate messages and include malicious links or Excel files disguised as invoices or booking details.
Because these fake emails closely mimic real ones, many users let their guard down. Clicking a link or opening an attachment immediately activates the malware. Once triggered, hackers can take control of the device, steal customer data, expose personal information, or install additional spyware to penetrate deeper into the system.
Bkav’s experts report that the ClickFix campaign uses PureRAT, a form of Remote Access Trojan (RAT) designed to monitor user activity, steal passwords, expand internal attack surfaces, and remain hidden for long periods. Even more concerning, evidence suggests that ClickFix operates under an “Attack-as-a-Service” model, enabling attackers to purchase ready-made tools without needing advanced technical skills.
Vietnam has tens of thousands of lodging facilities listed on well-known booking platforms such as Booking.com, Agoda, Traveloka, and Airbnb. These businesses are particularly vulnerable because receptionists and booking staff often lack formal cybersecurity training and can be easily tricked by fake booking emails that closely resemble genuine notifications.
In light of the ongoing attacks, staff and property owners are urged to exercise extreme caution by carefully checking sender addresses, avoiding unfamiliar attachments or links, and accessing booking platforms only through official apps or verified websites.
Bkav also recommends that organizations and individuals install email monitoring systems, antivirus software, and comprehensive anti-malware solutions. Built-in security tools that come with operating systems provide only basic protection and are insufficient against modern ransomware and advanced malware designed to remain hidden and deeply embedded in systems.
