The past few months have witnessed a rise in attacks targeting the hospitality industry. More specifically, we have seen multiple attacks that convincingly impersonate a well-known booking platform in order to execute malicious payloads. In this post we examine some of these attacks, which have resurfaced to target hotels just in time for the new year.

Booking the Phish

In the first attack, the attacker impersonates the booking platform and sends a message to a hotel. The message claims that a former guest of the hotel has written a disparaging review, and urges the hotel to reply to the complaint in order to resolve the issue.

However, upon clicking the “Reply To Complaint” link, the recipient is led to a fake website. The URL used closely resembles the platform's real URL:

Fake URL: hxxps://account[.]booking-sign[.]com/sign-in?op_token=vNGgY0o3sJ8LRVeu

Real URL:
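One defensive check that the URL comparison above suggests, as an added example that is not code from the original post: refang the defanged indicator, extract the registrable domain, and flag any host that carries the brand name without being the brand's own domain. The allowlist `LEGITIMATE_DOMAINS` is an assumption (the post does not print the real URL), and `BRAND_TOKENS` and the sample URLs other than the one quoted above are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the post does not show the legitimate URL, so the brand's
# registered domain is assumed here; substitute the real one in use.
LEGITIMATE_DOMAINS = {"booking.com"}
# Constructed list of brand words whose presence in an unrelated host marks a lookalike.
BRAND_TOKENS = {"booking"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. account.booking-sign.com -> booking-sign.com.

    A public-suffix list would be needed for multi-label TLDs such as co.uk;
    the two-label rule is enough for the .com cases discussed here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Classify a (possibly defanged) URL as legitimate, lookalike or unrelated.

    - legitimate: registrable domain is on the allowlist
    - lookalike:  a brand token appears anywhere in the host (subdomain,
                  hyphenated variant, etc.) but the domain is not allowlisted
    - unrelated:  neither of the above
    """
    host = (urlsplit(refang(url)).hostname or "").lower()
    domain = registrable_domain(host) if host else ""
    if domain in LEGITIMATE_DOMAINS:
        verdict = "legitimate"
    elif any(token in host for token in BRAND_TOKENS):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"host": host, "registrable_domain": domain, "verdict": verdict}


if __name__ == "__main__":
    # The defanged URL quoted in the post, plus constructed comparison cases.
    for sample in (
        "hxxps://account[.]booking-sign[.]com/sign-in?op_token=vNGgY0o3sJ8LRVeu",
        "https://account.booking.com/sign-in",          # assumed legitimate
        "https://booking.com.login.example/sign-in",    # brand as a subdomain
        "https://example.org/",
    ):
        print(sample, "->", classify_url(sample)["verdict"])
```

The check looks at the whole host rather than only the registrable domain so that the common "brand.com.attacker.example" layout is caught as well; a mail gateway or URL-rewriting proxy can apply the same logic to every link before it reaches a front-desk inbox.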

The target is urged to log into the site to manage their property. Unlike the real website, the fake page offers only a single sign-in option rather than linked services like Google, Facebook, etc.

Upon entering the username, the target is asked for the password.

Once the target enters the password, they receive a loading message and are instructed not to leave the page. In actuality, there is nothing to load: the attacker has already stolen the hotel’s credentials.

This Booking Seems Extra(net)

In another variation of the attack, attackers pose as the booking platform and send hotels a message informing them of a change in policy. The message explains that if hotels do not log into the property management portal, Extranet, regularly, they risk account deactivation.

The user is urged to click the provided link, which leads to a spoofed Extranet login page. Once the user logs in with the hotel credentials, the attacker has successfully gained access to their account.

Phishing Without Reservations

Another method attackers have been using to obtain hotels’ credentials is posing as future guests. Attackers send hotels a message requesting details about their upcoming reservation. They ask the hotel to confirm the reservation by sending a link that appears to come from the booking platform. The danger lies in clicking the link, which leads to a spoofed login page. The aim, of course, is for the user to log in with the hotel’s credentials, which the attacker then steals.

Hospitable Hacking

All of these attacks possess the same goal: to gain access to a hotel’s profile. However, that is just the first step in the larger aim to execute mass phishing campaigns against hotel guests. By possessing hotels’ credentials, attackers are privy to guest information, including emails, phone numbers, and in some cases even credit card details. While it is certainly useful to hack a hotel, the real payload lies in the customer data.

The hospitality industry is in the business of keeping customers happy. The strategies employed in these attacks exploit that desire, leveraging advanced social engineering tactics to achieve their malicious goals. Responding to a guest complaint, maintaining the property management portal, and addressing a future guest’s concerns are all high-stakes scenarios that require urgent attention from hotel employees. It is perhaps hotels’ hospitality that makes them such hospitable targets for attackers.

For more information on attacks targeting the hospitality sector, check out these blogs:

Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies

Customers Hit by Phishing Campaign Delivered Via Compromised Hotels Accounts