In the attack described by Bleeping Computer, the attacker first establishes communication with a hotel and tricks them into installing info-stealing malware that operates silently on the hotel's computer. With access to messaging with legitimate customers, the cybercriminal can now send convincing messages to the final victims, the hotel customers.
The message requests additional credit card verification, leading the victim to a fake Booking.com payment page. Since the messaging appears to come genuinely from the hotel, the best way to detect this scam is to observe that the payment site is not running on the correct domain name.