Threat actors are conducting a “convincing” phishing campaign, posing as hotels on Booking.com to swipe the payment details of their targets, Perception Point warned on Wednesday.
The scammers compromise hotels’ systems using infostealer malware and take over their Booking.com accounts. They then reach out to customers who have made reservations, urging them to verify their payment credentials by entering their card details on a legitimate-looking phishing site.
It’s unclear how many hotels have been affected or how many individuals have fallen for the scam. It is particularly difficult for customers to spot, because the phishing messages come from the hotel’s official Booking.com account and contain the victim’s real personal details and booking information. Booking.com itself also routinely asks users to update their card details when a card turns out to be invalid, so the request does not look out of place.
This is not an isolated incident. Perception Point estimates that “hundreds of hotels and resorts worldwide” have been impersonated in these attacks. “This attack exemplifies the alarming threat levels the hospitality sector as a whole faces in 2023,” the blog post reads.
More Than Just a Reservation: Anatomy of the Hacking Campaign
Threat actors infiltrate hotel systems — possibly using infostealer malware — and take control of the hotel’s official Booking.com account. Once inside, they can access data about reservations, like customers’ “full names, booking dates, hotel details, and partial payment methods.”
With this data, the attackers craft tailored phishing messages to their victims, requesting they verify their credit card details and warning that their reservation could be canceled if they fail to do so.
“Since the threat actors have partial information on the original payment method used by the targets to book the reservation, the message specifically asks for it in full (a Mastercard card, for example),” Perception Point noted.
These messages, sent via Booking.com and email, contain a link to a phony site resembling Booking.com’s interface, complete with the victims’ pre-filled personal information.
The URLs used for these phishing sites, such as booking.id(numbers).com or booking.reserve-visit.com, are not official Booking.com URLs, but they lend the scam credibility: “booking” appears only as a leading subdomain label or prefix, while the registrable domain the browser actually connects to (id(numbers).com, reserve-visit.com) belongs to the attackers.
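The lookalike hostnames above work because people (and a lot of quick-and-dirty filtering code) check whether the string “booking.com” appears somewhere in a link rather than which registrable domain the link resolves to. The following Python is an added example, not code from Perception Point or Booking.com, showing the check a practitioner would actually want: parse the URL, take the hostname (which discards any `user@` prefix), and compare its eTLD+1 against an allowlist. It assumes a tiny hardcoded stand-in for the Public Suffix List and a single allowed domain, and the sample links are constructed to mirror the shapes the article describes.

```python
"""Registrable-domain check for links that claim to be Booking.com.

Added example (not Perception Point's or Booking.com's code). Assumptions:
- PUBLIC_SUFFIXES is a tiny stand-in for the real Public Suffix List; real
  code should use a maintained list (e.g. the `tldextract` package).
- LEGIT_DOMAINS contains only booking.com, purely for illustration.
- SAMPLE_LINKS are constructed hostnames shaped like the ones in the article.
"""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"booking.com"}                       # assumed allowlist
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}  # assumed subset


def hostname_of(url: str) -> Optional[str]:
    """Lower-cased ASCII hostname of a URL, or None if it has none.

    urlsplit().hostname (not .netloc) strips userinfo and port, so
    'https://booking.com@evil-host.net/' yields 'evil-host.net'.
    """
    if "://" not in url:
        url = "https://" + url            # treat a bare hostname as an https link
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")   # normalise Unicode labels
    except UnicodeError:
        return None


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 of a hostname: 'booking.reserve-visit.com' -> 'reserve-visit.com'."""
    labels = host.split(".")
    # Try the longest candidate suffix first so 'co.uk' beats 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def is_legit_link(url: str) -> bool:
    """True only if the link's registrable domain is on the allowlist."""
    host = hostname_of(url)
    return host is not None and registrable_domain(host) in LEGIT_DOMAINS


def naive_check(url: str) -> bool:
    """The substring test people tend to write, kept for contrast."""
    return "booking.com" in url.lower()


# Constructed sample links; hostnames are made up for the example.
SAMPLE_LINKS = [
    "https://secure.booking.com/help",            # legitimate subdomain
    "https://booking.reserve-visit.com/verify",   # 'booking' is just a subdomain label
    "https://booking.id48213.com/card",           # 'booking' prefix, unrelated domain
    "https://booking.com.verify-stay.net/",       # substring check is fooled here
    "https://booking.com@evil-host.net/update",   # brand in the userinfo part
    "https://evil-host.net/booking.com/login",    # brand in the path
]


def classify(urls: Iterable[str] = SAMPLE_LINKS) -> Dict[str, bool]:
    """Map each link to whether it points at an allowlisted domain."""
    return {u: is_legit_link(u) for u in urls}


if __name__ == "__main__":
    for link, ok in classify().items():
        verdict = "OK  " if ok else "FAKE"
        print(f"{verdict} {link}  (naive substring check: {naive_check(link)})")
```

Run it and only the first link passes; the naive substring check accepts four of the six. The same logic belongs in any mail or proxy rule that allowlists “trusted” brands: match on the parsed registrable domain, never on the raw URL string.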
When victims enter their credit card details, they are unwittingly handing them straight to the attackers. Perception Point researchers believe the hackers have stolen “hundreds or thousands of dollars” through this scam. But the threat doesn’t end with a drained bank account: threat actors often sell stolen card data and other personal information on the dark web, allowing other cybercriminals to use it for schemes like identity theft.
Emotional Manipulation to Trick Hotel Staff
An earlier Perception Point blog post delved into how hackers penetrate hotels’ systems. Initially, they book a reservation and then send seemingly harmless emails to the hotel’s desk, often referencing personal and emotional details to build trust.
Leveraging this trust, they send a URL under the guise of sharing crucial documents, such as medical records. However, this link leads to malicious files on file-sharing platforms. When hotel staff attempt to download the files, infostealer malware covertly infects their device and extracts sensitive data.
There have been several high-profile cyberattacks on hotel chains in recent years, exposing millions of customers’ data and disrupting services. In 2022, Marriott International suffered a data breach that resulted in the theft of credit card information and other sensitive data. Also in 2022, a cyberattack on InterContinental Hotels Group PLC (IHG) disrupted its booking channels and other applications.
A study by Which? in 2020 showed that the travel industry has failed to learn lessons from past data breaches.
Safety Measures for Booking.com Users
The sophisticated nature of this campaign makes it unlikely that victims will notice they are being scammed.
Perception Point recommends double-checking URLs for misspellings or unfamiliar domain endings, and treating urgent requests with suspicion, since urgency is a tactic to induce panic. If you receive a suspicious message, contact the hotel or Booking.com directly using contact details you already have rather than those in the message, and monitor your bank accounts for unauthorized transactions.
Read our in-depth guide to phishing to learn more about the techniques cybercriminals use and how to spot a potential attack.
