In a complex information theft campaign, some hackers targeted hotels, booking sites and travel agencies, hacking into their systems to steal customer financial data. This indirect approach, supported by a fake payment page, has proven to be highly successful in collecting credit card information.

In the past, we had seen campaigns of information theft in the hospitality industrywhich used sophisticated social engineering techniques to spread malware capable of stealing information.

This campaign starts with a simple booking request or refers to existing bookings. The hackers, according to Perception Point researchers, establish contact with the hotel and then call a reason, such as a medical condition or special request, to send important documents via a URL.

This URL leads to malware designed to operate discreetly, collecting sensitive data such as credentials or financial information. Furthermore, the attack can go beyond this phase, directly targeting customers of compromised entities e by accessing legitimate customer messages.

This direct access to victims allows cybercriminals to send phishing messages disguised as legitimate requests from the hotel, booking service, or travel agency. The message requests credit card verification and leverages common elements of a phishing message, such as urgency and plausible justification.

Guez emphasizes that these messages are professionally written, modeled on legitimate communications between hotels and guests, eliminating any suspicion of fraud. So long as the messages come directly from booking sites through official channels, victims have no reason to doubt their legitimacy.

Victims receive a supposed credit card verification link to confirm the booking. Clicking on the link activates an executable coded in a complex base64 JavaScript script designed to detect information about the browsing environmentmaking analysis more difficult.

Attackers have implemented several security validation and anti-analysis techniques to ensure that only potential victims reach the next stage of the scam, which shows a fake payment page.

Despite the sophisticated approach, It’s still possible to spot traces of fraud by paying attention to common signs of possible phishing. However, the best precaution is to contact the company directly, using the official contacts, to verify the legitimacy of the messages received and avoid falling victim to complex phishing campaigns.

This article first appeared in, written by Jimmy Rivers on September 24, 2023.