Scammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing Attacks


Travelers’ information and booking details may have been stolen from hundreds of hotels around the world, according to new findings from security researchers. These swiped trip details, such as booking names and reservation information, are then being repurposed by cybercriminals to create highly targeted phishing messages used to steal credit card information.

At least 350 hotels, vacation rentals, motels, and guesthouses in 50 different countries have been caught up in so-called reservation hijacking scams, according to an analysis of phishing messages and cybercriminal infrastructure by security company Norton. Researchers say the use of legitimate booking information in phishing messages may increase the chances that someone clicks on a fraudulent link and hands over other sensitive details to criminals.

“This is really targeted,” says Luis Corrons, who led the research by Norton’s parent company, Gen. Phishing websites the company analyzed included hotel names, differing prices for each victim, with specific check-in and check-out details being added to the pages. “It’s spear phishing targeted to the specific victim with the real details of the reservation.”

Across the data analyzed by the researchers, Germany appeared to have the most hotels that could have had customer data compromised, followed by France, the UK, Italy, Spain, and the US. The 350 accommodations named in the scam SMS, WhatsApp, and email messages have capacity for around 80,000 guests at their peak, the researchers estimate. “Most of the accommodations are not big, they are small- and medium-size hotels,” says Corrons.

While attempts to hack into hotel systems to gather customer booking information have been around for years, the findings come as cybercriminals are continually expanding and developing the “phishing-as-a-service” software they use to send millions of delivery and toll scam messages every month. These phishing kits continually add new lures to trick people into clicking malicious links, and can impersonate dozens of global brands. Last year, Americans lost more than $200 million as a result of successful phishing attempts, according to recently published FBI data.

Norton started its investigations into hotel-linked fraud in December, after identifying a realistic-looking phishing message. The message, sent on WhatsApp from an account impersonating holiday website Booking.com, said it was from a specific hotel and listed the dates of an upcoming reservation, before asking the individual to click a link and confirm their details. The link led to a false website and included a chatbot that would instantly share any entered details, such as credit card information, with the hackers.

Hackers could obtain people’s specific vacation booking details from a variety of places, including by phishing hotel staff to gain access to hotel systems or by going through third-party booking services. For example, attackers could send malware-laced emails or files to hotels to steal staff login details, rather than exploiting vulnerabilities in the hotel systems themselves. Previous research by Norton published in March mentions both Booking.com and the hotel-management system Cloudbeds. “We have been able to get some of the messages that are received by the accommodation staff to get them phished,” Corrons says.

“We would not say that every single phishing message we observed was definitively caused by a direct compromise of the hotel’s own internal systems,” the researcher says. Phishing messages could have been sent using information from other data breaches or systems not linked to the travel industry. “The common factor is that criminals are weaponizing real reservation context and pushing travelers into a fake verification or payment flow,” Corrons says.

Corrons says Norton has been unable to fully unpick who may be behind the attacks but says investigations are ongoing. Those sending some of the phishing messages appear to be using phishing kits designed to speed up and automate the process of sending and collecting information, he says, and in several cases the same phishing kit or technical infrastructure has been used. The company is not publishing the full list of potentially compromised hotels and holiday accommodations, Corrons says; however, he says the company has been in touch with Europol about its findings.

A Europol spokesperson declined to comment, saying it does not discuss its operational activity.

“We continue to strengthen our defences to reduce risk and limit opportunities for bad actors to target our accommodation partners and our customers, and we are seeing results,” a Booking.com spokesperson says.

Cloudbeds says the company has not been breached and the attacks described by the Norton researchers are credential-phishing campaigns targeting hotel staff and then customers. “The reason these scams are so effective is that the attacker isn’t guessing: They know exactly who the guest is, when they’re arriving, and what they paid,” Aaron Ownbey, vice president of engineering at Cloudbeds, says.

Attempts to hack hotels and use customer data to launch phishing attacks have been around for years. Across the travel industry, hotels often use a range of property-management software, along with systems that let people book through third-party companies, and through these platforms staff can easily access and manage key customer details and reservations. “The hospitality industry needs to collectively raise the security baseline—better training for front desk staff, wider adoption of phishing-resistant authentication, and tighter controls on how guest data can be accessed and exported from any platform,” Ownbey says.

Smaller hotels are less likely to have in place security best practices, such as multifactor authentication for staff members, says Don Smith, the vice president of threat research at security company Sophos, which has worked with companies in the travel industry.

For instance, in one incident handled by Sophos, a cybercriminal emailed a hotel saying they had lost their passport during a recent stay. In a followup message, the attacker included a link to a photo of the passport; however, when clicked it downloaded a file including the Vidar info stealer, which can collect login details from an infected computer. Days after the malware was deployed, fraudulent messages had been sent to customers from the hotel’s Booking.com account and people were complaining they had lost money.

“Threat actors love context because context makes a phishing lure much more compelling,” Smith says. “It’s very hard to not simply react and click on something to remove one element of stress from what may be a stressful travel experience.”

Corrons, from Norton, says the inclusion of real information in phishing messages can make it harder to determine what is legitimate and what’s a scam. If in doubt, he says, get directly in touch with the hotel or vacation rental through another means of contact. “Even if the data in the message is real,” he says, “that doesn’t mean that you can trust the message.”

Disclaimer: This story is auto-aggregated by a computer programme and has not been created or edited by DOWNTHENEWS. Publisher: wired.com