CyberTalk

Social engineers target Booking.com customers


Dec. 1 – Travel planners beware. A novel social engineering campaign, in operation for the last 12 months, targets both hotel employees and Booking.com customers.

How it works

To gain initial access to Booking.com hotel credentials, cyber attackers deploy the Vidar infostealer. The scam targets hotel front-desk staff, who must download malicious content for it to proceed.

Once sensitive hotel information is obtained, it’s then used to send phishing emails to Booking.com customers – many of whom have subsequently reported unauthorized financial transactions that have resulted in losses.

Broader campaign

Cyber security researchers note that this activity appears to be part of a broader campaign affecting Booking.com customers.

Researchers also believe that the threat actors have obtained credentials to the admin.booking.com property management portal directly from hotel properties. This enables fraudsters to send legitimate-looking emails via the official app and email address: noreply@booking.com.

More malware

Recently, in a potentially related Scotland-based scheme, a social engineer phoned a hotel to explain that he intended to stay at the property with a child who has serious allergies. He said he would send a document providing the full details.

Upon receipt, a receptionist opened the document, which released malware and enabled the attacker to access all Booking.com reservation information. All guests then received phony emails demanding that they immediately pay the full amount for bookings at the hotel.

Says Jude McCorry, CEO of the Cyber Fraud Center in Scotland, “While using social engineering in this way isn’t necessarily new, using the front of a sick child is a low even for these criminals, but doing what we do, nothing surprises us.”

For those in the hospitality sector:

For Booking.com customers:
