Booking.com Phishers May Leave You With Bookings – Krebs on Security

A number of cybercrime innovations make it easy for fraudsters to cash in on your upcoming travel plans. This story examines a recent phishing campaign that followed the theft of a California hotel’s booking.com credentials. We will also explore a number of cybercrime services aimed at fraudsters who target hotels that rely on the world’s most visited travel website.

According to the market share website statistics.com, booking.com is the Internet’s busiest travel service, with nearly 550 million visits in September. KrebsOnSecurity last week learned of a reader whose close friend received a phishing SMS message within minutes of making a reservation at a California hotel through booking.com.

The message bore the hotel’s name and referenced details from their booking, claiming that booking.com’s anti-fraud system required more information about the customer before the booking could be completed.

A phishing SMS received by a friend of our reader after booking on booking.com in late October.

In an email to KrebsOnSecurity, booking.com confirmed that one of its partners experienced a security incident that allowed unauthorized access to customer booking information.

“Our security teams are currently investigating the incident you mentioned and can confirm that it was indeed a phishing attack targeting one of our accommodation partners, which is unfortunately not a new and common situation in all industries,” booking.com replied. “Most importantly, we want to make it clear that there has never been a compromise in Booking.com’s internal systems.”

The phony booking.com website reached by visiting the link in the text message.

Booking.com said it now requires 2FA, forcing partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password.

“2FA is required and enforced, including for partners to securely access customer payment information,” a booking.com spokesperson wrote. “That’s why hackers are following up with messages to try to get customers to pay outside of our platform.”

“That said, the phishing attack was caused by our partner’s machines being vulnerable to malware, which enabled them to access our partner’s accounts and send messages that your student intercepted,” they continued.

It’s unclear, however, whether the company’s 2FA requirement applies to all partners or only to new ones. Booking.com did not respond to questions about that, and its current security advisory urges customers to enable 2FA.

A scan of social media has shown that this is not an uncommon scam.

In November 2023, the security company SecureWorks detailed how fraudsters targeted booking.com’s hotel partners with data-stealing malware. SecureWorks said the attack had been ongoing since at least March 2023.

“The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with stolen credentials was easy,” SecureWorks said of the booking.com partner it investigated.

In June 2024, booking.com told the BBC that phishing attacks against travelers had increased by 900 percent, and that thieves using new artificial intelligence (AI) tools were the main drivers of this trend.

Booking.com told the BBC that the company has started using AI to combat AI-based phishing attacks. A Booking.com statement said their investment in that platform “blocked 85 million fraudulent bookings from more than 1.5 million phishing attempts by 2023.”

The domain name of the phony booking.com website sent via SMS to our reader’s friend, guestsecureverification[.]com, was registered to the email address [email protected]. According to DomainTools.com, this email address has been used to register more than 700 phishing domains in the past month alone.

Many of the 700+ domains appear to target hospitality companies, including platforms such as booking.com and Airbnb. Some appear to be designed for phishing Shopify, Steam, and a variety of financial platforms. A full, detailed list of domains is available here.

A recent review of the latest posts on all cybercrime platforms monitored by the security company Intel 471 shows that there is high demand for compromised booking.com accounts belonging to hotels and other partners.

One post last month on the Russian-language hacking forum BHF offered up to $5,000 per hotel account. This seller claims to be helping people make money through hacked booking.com partners, apparently by using stolen information to create fake listings.

A service advertised on the English-language crime community BreachForums in October courts hackers who may need help with certain aspects of their phishing campaigns targeting booking.com partners. Its offerings include more than two million hotel email addresses, and services designed to help hackers sort through large volumes of phished records. Customers can interact with the service through an automated Telegram bot.

Some cybercriminals appear to have used compromised booking.com accounts to power their own travel agencies that cater to other scammers, with discounts of up to 50 percent on booking.com hotel bookings. Others sell ready-to-use “config” files designed to facilitate automated login attempts against booking.com administrator accounts.

SecureWorks found that hackers targeting booking.com partner hotels are using malware to steal credentials. But today’s thieves can simply visit online crime marketplaces and buy stolen credentials for cloud services that don’t enforce 2FA on every account.

That’s exactly what happened over the past year with many customers of the cloud data giant Snowflake. In late 2023, hackers discovered that while tons of companies had stored large amounts of customer data in Snowflake, many of those customer accounts were not protected by 2FA.

Snowflake responded by making 2FA mandatory for all new customers. But that change only came after thieves used the stolen credentials to extract information from 160 companies – including AT&T, Lending Tree and TicketMaster.

