THREAT LEVEL - HIGH

27-10-2023

New Sophisticated Phishing Campaign targeting Booking.com and Hospitality Industry

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.


Description

An active multi-step information-stealing phishing campaign targeting hotels, booking sites and travel agencies has been identified.

Through this phishing campaign, threat actors try to breach the systems of hotels, booking sites, and travel agencies, and then use their access to go after financial data belonging to customers.

Specifically, this phishing campaign was found targeting Booking.com users.

This sophisticated info-stealer campaign targeting the hospitality industry uses advanced social engineering techniques to deliver info-stealing malware. The attackers initiate contact with hotels or travel agencies, often citing reasons like medical conditions or special requests, to send malicious URLs containing info-stealing malware. Once executed, this malware operates stealthily, collecting sensitive data like credentials and financial information.

Furthermore, the attack extends to the compromised entity’s customers. After the info-stealer malware is executed on the original target (the hotel), the attackers can access its messaging with legitimate customers. With this direct and trusted communication channel to the victims, the cybercriminals send phishing messages that appear to be legitimate requests from the compromised hotel or booking service. These messages are convincingly written and come through the official booking platform, making them highly believable and difficult to suspect.

The attackers’ message, sent to the guests via the Booking.com platform and also by email from Booking.com, contains a link that leads victims to a meticulously crafted phishing page, mirroring Booking.com’s interface. This page is pre-filled with the victim’s personal details, including their full name, stay duration, and hotel information.

This attack exemplifies the alarming threat levels that the hospitality sector as a whole faces in 2023, as threat actors leverage InfoStealer malware in compromised hotels to access guests’ booking information and attack them in follow-up campaigns.


CVE(s)

N/A


Affected Systems

  • N/A


Recommendation(s)

Individuals should steer clear of clicking on unrequested links, even if they seem genuine. They should also exercise caution when receiving urgent or alarming messages that demand immediate action and scrutinize website addresses for signs of trickery. To safeguard against falling prey to more intricate phishing schemes, it is advisable to directly get in touch with the hotel/company through their official email or phone number and seek clarification regarding the message.

The guidelines below will help you protect against malware and its associated security threats:

* Do not open e-mail from unknown sources. Be suspicious of emails purporting to be from a financial institution, government department, or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes, and similar information. Opening file attachments or clicking on web links in suspicious emails could expose your system to malicious code that could hijack your computer.
* URL Filtering mechanisms should be in place.
* Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Call the purported source if you are unsure who sent an email.
* If an email claiming to be from your financial organization seems suspicious, checking with your financial organization may be appropriate.
* Consider enabling the “Show hidden file-extensions” option.
* Filter executable files in email. If your email gateway has the ability to filter files by extension, you may wish to deny mails sent with “.exe”, “.scr”, “.bat” files, or to deny mails sent with files that have two file extensions, the last one being executable.
* Disable macros in Microsoft Office files. Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
* Install anti-virus and spyware detection software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
* Update your computers regularly with the latest versions and patches of both antivirus and antispyware software.
* Ensure computers are patched regularly, particularly the operating system and key applications, with security patches.
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
* It is strongly recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.
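
The "Filter executable files in email" guideline above can be expressed as a small attachment check. The following is an added example, not part of the original advisory: it denies the three extensions the guideline names and flags double extensions whose last extension is one of them. The function names, the sample message and its addresses are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# The three extensions named in the guideline; extend per local policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat"}


def attachment_verdict(filename: str) -> Optional[str]:
    """Return the reason a file name must be denied, or None if allowed."""
    # Windows drops trailing dots and spaces, so normalise before checking.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    last = "." + parts[-1]
    if len(parts) < 2 or last not in BLOCKED_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2]:
        return "double extension ending in " + last
    return "blocked extension " + last


def scan_message(raw: str) -> List[Tuple[str, str]]:
    """List (file name, reason) for every attachment that should be denied."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # decoded from the MIME headers
        reason = attachment_verdict(filename) if filename else None
        if reason:
            hits.append((filename, reason))
    return hits


def build_sample() -> str:
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "guest@example.com"
    msg["To"] = "reservations@hotel.example"
    msg["Subject"] = "Special request for my stay"
    msg.set_content("Please see the attached files.")
    for name in ("allergy-list.pdf", "booking.pdf.exe", "photos.scr"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print("DENY", filename, "-", reason)
```

Extension checks only look at the declared file name, so they complement rather than replace content scanning at the gateway.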

