Cyberattackers are hitting the digital road, looking to make some virtual stops at various hotels that contract with Booking.com to sell rooms. The idea is to phish the hotels’ backend Booking.com logins, with the aim of taking over the accounts and ultimately harvesting data on the hotels’ customers.
According to an analysis from Perception Point on the campaign, the threat actors are significantly innovating in their tactics by focusing on specific industry practices and relationships to conduct targeted and compelling phishing attacks.
For instance, many of the phishing messages are sent to hotel managers, claiming that former guests are writing scathing reviews of the property online. The emails encourage the hotels to log on and reply to the complaints, and helpfully they contain a “Reply to Complaint” link.
Once duped into clicking, recipients are directed to a fake but very convincing-looking Booking.com website, complete with a believable URL (hxxps://account[.]booking-sign[.]com/sign-in?op_token=vNGgY0o3sJ8LRVeu). The targets are asked to enter their passwords on the site, and the attackers are home free.
In variations of the campaign, targets are asked to log into Booking.com’s property management portal, Extranet, or else risk account deactivation; or, the messages purport to come from future guests, asking for reservation confirmations “through the app.”
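The lure in this campaign hinges on a lookalike domain (account.booking-sign.com) that contains the brand name but is not booking.com. As an added illustration (not code from Perception Point or the article), the following checker pulls links out of an email body, refangs the defanged notation the article uses, and flags any Booking.com-themed link whose registrable domain is not booking.com. The sample email body is constructed for this example; only the first link reproduces the URL quoted above.

```python
import re
from typing import List
from urllib.parse import urlparse

# Registrable domain the hotel expects genuine Booking.com links to resolve under.
LEGITIMATE_DOMAINS = {"booking.com"}

# Brand string whose presence in a hostname makes the link "Booking.com-themed".
BRAND = "booking"

# Matches live (http/https) and defanged (hxxp/hxxps) URLs in free text.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"'<>]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parsable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (adequate for .com; no public-suffix list used)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'other' for a link found in an email."""
    host = urlparse(refang(url)).hostname or ""
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    if BRAND in host.lower():
        return "lookalike"  # brand name present, but not under booking.com
    return "other"


def find_lookalike_links(text: str) -> List[str]:
    """Extract every URL from an email body and return those judged lookalikes."""
    return [u for u in URL_RE.findall(text) if classify_url(u) == "lookalike"]


# Constructed sample email body; the first link is the defanged URL from the article.
SAMPLE_EMAIL = """
A guest has left a complaint about your property.
Reply to Complaint: hxxps://account[.]booking-sign[.]com/sign-in?op_token=vNGgY0o3sJ8LRVeu
Manage your property: https://admin.booking.com/hotel/hoteladmin/
Unsubscribe: https://example.com/unsubscribe
"""

if __name__ == "__main__":
    for link in find_lookalike_links(SAMPLE_EMAIL):
        print("lookalike Booking.com domain:", link)
```

The two-label registrable-domain heuristic is deliberately simple; a production check would consult the public suffix list so that hosts like booking.com.example.co.uk are handled correctly.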
“The campaigns demonstrate a deep understanding of the hotel industry’s processes and customer interactions,” explains Peleg Cabra, senior product marketing manager at Perception Point. “The use of personalized, context-aware tactics to compromise hotel accounts in addition to the trusted Booking.com channel to scam guests is particularly novel.”
Also notable: Unlike the recent “white whale” attacks on MGM Grand and Caesar’s Palace, “the ongoing phishing campaign involving Booking.com is spread much wider and targets hotels of all sizes,” Cabra says. “This approach indicates a strategic shift by cybercriminals towards exploiting smaller, potentially less secure networks within the hospitality sector, which may not have the same level of cybersecurity resources as larger chains.”
No Reservations About Follow-On Cyberattacks
Once the attackers have access to a hotel’s Booking.com profile, the larger aim is “to execute mass phishing campaigns against hotel guests,” according to Perception Point’s report. “By possessing hotels’ Booking.com credentials, attackers are privy to guest information … While it is certainly useful to hack a hotel, the real payload lies in the customer data.”
Cabra notes that successful phishers can indeed land themselves a rich prize — the data in question is quite meaty.
“The travel industry … retains complete legal names for reservations, communicates with customers through email for confirmations, and stores credit card details for extended periods, often months or even years (corporate, industry, and large events) before the scheduled stay,” he says. “Many hotel chains run loyalty programs. These programs require not only contact information including the name of the member, their address and phone number but also credit card details and other personal information like birthday dates and anniversaries, holding these sensitive details for long periods of time.”
This trove of detailed data can help make the second-stage follow-on attacks on the hotel’s customers as believable as possible, he adds.
“When combined with phishing kits, the attacks are personalized and convincing to an unprecedented degree,” he says. “They leverage specific details like the individual’s hotel bookings, the pricing, and customer data. This level of personalization, combined with the intrinsic trust within the hotel-customer relationship, makes these attacks extremely challenging to detect and therefore highly effective.”
Cyber Defense Must Evolve With Hospitality Attack Sophistication
Cabra notes that the most interesting and novel aspect of this attack is the sophistication and multi-layered nature of the phishing campaigns; they demonstrate significant evolution when it comes to social engineering.
“The evolution of phishing efforts, as evidenced in these campaigns, highlights a worrying trend towards more sophisticated and highly targeted attacks,” he explains. “The incorporation of Generative AI (GenAI) in these [phishing] schemes helps create believable, context-rich messages.”
In turn, this necessitates a corresponding advancement in cybersecurity strategies and security awareness training programs, starting with the basics.
“Cultivate a culture of skepticism: Don’t just trust; verify,” he says. “Always confirm the identity of anyone requesting sensitive information or access to internal systems. A quick phone call or secondary email can go a long way in establishing legitimacy.”
Beyond that, investing in robust email and browser security solutions, and regularly checking the efficacy of hotel security stacks, should be on the to-do list, he says.
“Make sure that your email security solution has LLM-based sentiment analysis, anti-evasion, and next-gen dynamic detection,” according to Cabra. “[And] protecting the enterprise browser with a layer of security can stop malicious downloads, and access to malicious sites via any SaaS or collaboration app.”
This article first appeared in Dark Reading, written by Tara Seals on January 10, 2024.