Amidst the ever-escalating cybersecurity arms race, social engineering tactics have manifested in a new, sinister way. With the advent of generative AI technology like ChatGPT, threat actors can create more convincing phishing messages than ever before. In the hospitality sector, an industry that relies on prompt customer service, hostile use of sophisticated social engineering techniques can spell disaster for even the most cyber-prepared organizations, as well as for the customers who rely on them.

Hackers targeting this industry have spoofed the popular website Booking.com, an online service travelers can use to reserve hotel rooms, rent cars, or book flights, to scout for victims. This threat was first detected by prevention-as-a-service company Perception Point, which found that cyber criminals were using InfoStealer malware to access personal guest information through compromised hotel accounts on the website.

Cybercriminals using standard phishing methods may attempt to redirect hotel representatives to spoofed review websites or Extranet login pages to harvest account information. Others pose as guests asking hotels to confirm reservation details using fake Booking.com mirrors. One method, however, is much more involved.

Attackers will first book a reservation and then wait for their automatic confirmation email to arrive. Once it does, they will respond with a phishing email containing an infected URL. This email is typically crafted to take advantage of the hotel’s desire to best accommodate guests. For example, they may try to convince an employee to click on the infected link by telling them that it contains information about an elderly guest’s dietary restrictions or allergies to cleaning products.

This link leads to an archive file containing executables on a file sharing platform like Google Drive. Once downloaded, the malware executable will appear on the infected system, usually with a misleading name and icon to trick the victim into clicking on it. Attempting to open the file installs InfoStealer malware onto the system. Designed to operate under the radar, this malware can quickly siphon confidential data without raising alarms.

Whichever route is taken, the attacker now has free entry to the hotel’s official Booking.com account.
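The archive delivery described above lends itself to a simple pre-open check. The following Python sketch is an added example, not code from the article or from Perception Point: it inspects a downloaded ZIP for members that are executables or that carry a Windows PE header behind a document-style name. The extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed lists for illustration; tune them to your environment.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _exts(name):
    """Return the lowercased last two extensions of a file name, e.g. ['.pdf', '.exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p.strip() for p in parts[1:]][-2:]


def inspect_archive(data):
    """Return a list of (entry_name, reasons) for suspicious members of a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = _exts(info.filename)
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE header magic bytes
            if exts and exts[-1] in EXEC_EXTS:
                reasons.append("executable extension")
            if len(exts) == 2 and exts[0] in DOC_EXTS and exts[1] in EXEC_EXTS:
                reasons.append("double extension")
            if is_pe and (not exts or exts[-1] not in EXEC_EXTS):
                reasons.append("PE header behind non-executable name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed sample archive (harmless placeholder bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("guest_allergy_list.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("dietary_notes.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please see attached details.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample()):
        print(name, "->", ", ".join(reasons))
```

A front-desk workstation has little legitimate reason to receive executables from guests, so any finding here is grounds to quarantine the archive and escalate rather than open it.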

Once the hotel’s Booking.com account has been compromised, threat actors can access a wealth of customer data, including payment methods, hotel details, and guests’ full names. Using this information, attackers will craft messages individually tailored to each recipient regarding canceled bookings or payment verification, the urgency of which typically prompts victims to respond quickly. Upon clicking the provided link, a guest will be redirected to a phishing page near-identical to the actual website, where they are prompted to hand over their personal information and credit card details.

While more internet-savvy vacationers are likely to recognize a phishing email when they see one, an urgent message from a hotel’s official Booking.com account may look just authentic enough to take advantage of their trust. Travelers, now more than ever, need to remain vigilant when using external services to plan their trips.

Peleg Cabra, Product Marketing Manager at Perception Point, has 11 years of experience in intelligence, marketing, and research. At Perception Point, he calls attention to phishing, spam, and malware campaigns before they reach end users. SecurityInfoWatch editor Samantha Schober recently discussed this emerging threat with Cabra.

SIW: What factors might be contributing to this surge in attacks on the hospitality industry?

Peleg Cabra: The surge in attacks on the hospitality industry can be attributed to several factors:

  1. Valuable Data: Hotels and travel agencies handle a wealth of personal and financial information, including legal names, email addresses, credit card details, and often sensitive travel plans. This data is highly valuable for cybercriminals.
  2. Email and Online Booking Systems: The widespread use of email for communication and online platforms for bookings creates numerous attack vectors. Cybercriminals exploit these systems to launch phishing campaigns.
  3. Interconnectedness: The connected nature of various platforms in the hospitality sector amplifies the risk, as breaching one account can expose a wide range of customer data.
  4. Targeting Vulnerabilities: Smaller hotels or those with less robust cybersecurity measures are particularly vulnerable, making them attractive targets for cybercriminals.
  5. Sophistication of Attacks: The evolution of phishing techniques, including the use of Generative AI to create convincing, personalized messages, has made these attacks more effective and challenging to detect.

SIW: What makes the hospitality industry a prime target for social engineering attacks?

Cabra: The hospitality industry places a particular priority on customer relations and satisfaction. Consequently, they are a prime target for social engineering attacks that are predicated on the premise that as professionals, they are especially sensitive to respond to customer inquiries.

This campaign demonstrates a deep knowledge of the hotel industry’s processes and customer interactions. The use of individualized, context-aware tactics to compromise hotel accounts in addition to the trusted Booking.com channel to scam guests is particularly unprecedented.

Moreover, the diverse and often seasonal workforce, consisting of many employees who may be less aware of cybersecurity awareness protocols, along with advanced technological integrations, adds complexity when it comes to maintaining robust cybersecurity measures.

SIW: So why is Booking.com being utilized to conduct these attacks?

Cabra: Booking.com is a prime target for these attacks due to its role as a popular trusted channel in the hospitality industry. The platform holds a trove of customer data, including reservation details and pricing, making it a prized resource for crafting convincing phishing campaigns.

The attackers leverage the inherent trust between hotels and customers, using a trusted brand like Booking.com as a gateway to target both businesses and end customers. The multi-layered and context-aware phishing tactics, combined with the personalized nature of the attacks, demonstrate a significant progression in social engineering techniques, making them highly effective.

SIW: What mistakes are guests & hotels making with security protocol that increase their risk?

Cabra: In general, organizations are not fully aware of the risks and the existing gaps in their cybersecurity stack, falling victim to social engineering tactics and not verifying emails or contacts before opening malicious links and files. Guests and hotels alike increase their security risk due to a lack of vigilance and awareness.

Guests may not verify the legitimacy of emails related to their bookings, making them susceptible to phishing attacks. Hotels, on the other hand, might not have stringent security protocols for their internal systems, identity management and customer data. The staff may not be adequately trained to recognize and respond to suspicious activities. These gaps in awareness and protocol make it easier for attackers to exploit vulnerabilities in both the guests’ and hotels’ defenses.

The campaigns’ success in evading traditional security systems’ detection capabilities and manipulating both businesses and their customers underscores the complexity and gravity of modern cyber threats. The shift towards such advanced and targeted phishing methods demands a corresponding advancement in cybersecurity strategies, the deployment of efficient and modern security systems and security awareness training programs.

SIW: What security practices can guests & hotels employ to mitigate their risk?

Cabra: To mitigate the risk of cyberattacks, guests and hotels should:

  • Cultivate a culture of skepticism: Both guests and hotels should verify the identity of anyone requesting sensitive information or access to internal systems through phone calls or secondary email confirmation.
  • Empower staff through security awareness training: Hotels should regularly educate teams on identifying phishing techniques and establish proper channels for reporting potential threats.
  • Invest in robust email and browser security solutions: All businesses, both large and small, must ensure that their security solutions include sentiment analysis, anti-evasion capabilities, and next-gen dynamic detection to prevent advanced phishing and malware from reaching inboxes.
  • Regularly check the efficacy of their security stack: Keep security measures up to date and effective in countering evolving cyber threats, especially with attackers’ toolkits rapidly evolving in the Gen-AI era.
  • Emphasize the importance of cybersecurity: Encourage hotels, especially smaller establishments, to allocate resources for cybersecurity measures, both technical defenses and training, to counteract social engineering risks effectively.

This article first appeared in SecurityInfoWatch.com, written by Samantha Schober on January 12, 2024.