This is the first of a two-part series. The holiday season is here. It’s a time for reuniting with family and friends, travel and gift-giving. It’s also a prime time for cybercrime as millions of consumers head to online checkouts on Black Friday, Cyber Monday, Giving Tuesday and throughout the holiday season. Cybercriminals capitalize on this seasonal surge in online spending by ramping up phishing messages and paid online advertisements, tempting shoppers with seemingly fabulous deals hosted on fake online shopfronts with counterfeit checkouts. The same trend is evident in hospitality, where travelers are increasingly targeted through fraudulent booking sites and fake travel promotions. Consumers and businesses should keep their guard up this festive season to prevent scammers from raiding shopping budgets and seasonal revenues.
Online sales in the United States are projected to reach US $240.8 billion in November and December 2024, marking an 8.4% increase from the previous year. The season provides ample opportunities for cybercriminals to profit from the high volume of transactions and growing dependence on digital retail and booking platforms. These online crooks aim to capture sensitive customer data, disrupt operations and exploit trust in well-known brands — all with an eye toward cashing in on the holiday rush.
Our threat intelligence experts are monitoring several key threats in the digital landscape this holiday season. This blog post examines some of these consumer-facing online threats to the retail, travel and hospitality industries during the holiday season, such as phishing and social engineering, fake websites, travel scams and fraudulent booking sites. These threats defraud consumers and erode the hard-earned consumer trust that businesses invest in their brand, logos, names and digital assets. Understanding scammers’ tactics, techniques and procedures (TTPs) helps businesses and consumers detect fraud and other wrongdoings.
In the second part of this two-part series, we’ll examine ransomware threats and their direct impact on operations, security and trust for businesses in these sectors. We also will examine threats to payments and transactions, including gift card fraud and point-of-sale (PoS) system breaches.
Consumer-facing threats in retail
Phishing for access to your accounts
Phishing and social-engineering attacks represent some of the most pernicious cyber threats facing consumers and businesses during the holiday season. These attacks use deceptive communication to manipulate individuals into disclosing personal information, financial details or other sensitive data. The festive rush, amplified by the influx of promotional emails and social media advertisements, provides an ideal environment for these malicious activities. Consumers anticipating legitimate offers from well-known retailers are especially susceptible to these sophisticated scams, which are crafted to emulate the marketing tactics of major brands.
Strategies threat actors employ include:
- Mass email campaigns: Emails that claim to be from reputable retailers often promise exclusive discounts or special offers in an attempt to entice recipients into clicking on links that redirect them to counterfeit online store websites. These sites are meticulously designed to resemble genuine retail sites but may contain subtle errors, such as poor spelling or slight discrepancies in domain names.
- Paid advertisements on social media and search engines: Scammers leverage paid advertisements on social-media platforms and search engines to disseminate their phishing schemes. These advertisements feature appealing deals that lead users to phishing sites where personal and payment information is collected.
- SMS phishing or “smishing”: Short message service (SMS) phishing, also known as smishing, involves sending fraudulent text messages that appear to come from legitimate sources, such as banks or popular retailers. These messages may claim there is an issue with the recipient’s account or promote an exclusive offer, prompting them to provide personal information or click on malicious links.
- "You have been chosen" scams: Capitalizing on human psychology, scammers send emails or messages claiming the recipient has been selected for a special prize. Individuals are instructed to complete a survey and pay a nominal fee, allegedly for shipping or handling, or provide payment details for a prize draw. These scams are designed to create a sense of urgency, compelling the recipient to act quickly without scrutinizing the legitimacy of the offer.
Warming up for the shopping season with fake online stores
As online shopping peaks, there is a notable surge in the creation of fake websites by cybercriminals. These sites are craftily designed to mimic well-known companies to deceive shoppers into thinking they are making purchases from legitimate sources. The sites are set up to harvest sensitive information such as login credentials, payment details and personal data from unsuspecting consumers. To drive traffic to these deceptive sites, attackers commonly use search engine optimization (SEO) techniques and invest in advertising across search engines and social media platforms. These advertisements frequently offer seemingly unbeatable deals on sought-after items, playing on a sense of urgency and scarcity to attract shoppers.
Intel 471 observed several hundred new websites registered in November 2024 containing the terms "blackfriday" or "black-friday." We noted multiple domains specifically designed to impersonate well-known brands, such as Gymshark with the phishing domain blackfridaygymshark[.]nl, Samsonite with the phishing domain samsoniteblackfriday[.]shop and Amazon with the phishing domain amazonblackfriday[.]store.
Threat actors carefully select keywords that mimic or spoof legitimate websites. Common themes and keywords used include:
- Brand names: Names of well-known retail and hospitality brands or close misspellings of them, such as "StarbuckDeals.”
- Holiday-specific terms: Phrases related to the holidays such as "BlackFriday," "CyberMonday," "ChristmasDeals" or "HolidaySales.”
- Urgency and deals: Terms such as "exclusive," "deals,” "discount," "limited," "offers," "promotion" and "special."
- Geographic locations: Adding city or country names helps to create the illusion of region-specific offers or store locations, such as “TheNorthFaceLebanon.”
- Generic financial and shopping terms: Terms such as "bestprice," "cheap," "clearance," "gifts," "promo” or "shopping."
- Security and trust: Words such as “official,” "secure" or "verified."
Case study: A phishing campaign targeted Booking.com partners and guests
In August 2024, Intel 471’s Malware Intelligence Team uncovered a phishing campaign targeting hotel partners of Booking.com and then their guests. The campaign marked a significant evolution in the threat landscape facing the hospitality industry. The threat actors deployed a sophisticated phishing scheme using the ruse of a customer complaint to deceive hotel managers into providing their Booking.com partner account credentials. The scheme was also able to bypass multifactor authentication (MFA) by having the victim type their MFA one-time code into a phishing page under the belief they were doing so on the authentic Booking.com login page. Once the actors have access to the admin.booking.com website, they are able to view all current room or holiday reservations made by customers of that hotel.
The actors then proceed to contact these customers by email or the official Booking.com app to pose as legitimate hotel administrators and request a fake confirmation of payment details for upcoming stays. The example Booking.com message in the image below contains a link that directs victims to a phishing page mirroring the Booking.com interface. This page is prefilled with the victim’s exact personal details, including the full name, stay duration and hotel information. The URL, designed to further deceive, follows the “booking.id(numbers).com,” “booking.reserve-visit.com” or “booking.confirmat-id(number).com” pattern. Threat actors then can exploit the information entered on these phishing pages, such as credit card data.
Notably, the advanced phishing scheme is a malwareless technique designed to bypass traditional endpoint detection mitigations. These campaigns remain active, as evidenced by recent Reddit posts detailing victims' encounters with the scammers. Prior to developing this malwareless technique, the threat actors deployed information stealers to steal Booking.com partner credentials (see the blog post: How Cybercriminals Exploit the Hospitality Industry).
Uncovering malwareless techniques with cyber threat intelligence
This advanced Booking.com-focused phishing campaign underscores the increasing skill with which threat actors harness digital tools and knowledge specific to the hospitality sector to conduct targeted fraud operations. By avoiding information-stealer malware in favor of a malwareless technique, they reduce the chance of being detected by endpoint detection and response (EDR). This campaign emphasizes the need for a proactive approach to cybersecurity through continuous monitoring of the threat landscape, as well as targeted training for industry personnel.
Tracking commercial offerings and requests for services on underground forums, combined with analysis of the actor’s digital infrastructure, revealed:
- In February 2024: The actor authored a thread on the Exploit forum that claimed the actor could provide quality monetization of admin.booking.com logs.
- In February 2024: The actor sought spammers and traffic providers. The task involved spamming hotel emails with a template that contained a phishing link with cloaking available and the actor promised to offer a percentage share of the net profits. The actor also sought traffic providers capable of attracting a targeted audience to a URL.
- In May 2024: The actor sought a responsible individual with access to Amazon email accounts. The task involved sending a Hypertext Markup Language (HTML) template that contained a link to a phishing page to email addresses of hotels.
- In May 2024: The actor sought an expert capable of creating a Telegram bot for sending Booking.com messages. The actor sought a bot that could bypass MFA messages.
- In June 2024: The actor authored a post seeking a professional capable of sending phishing emails to hotel email accounts using a legitimate cloud company’s service. The actor claimed to have a functioning Telegram bot with logs available.
Recommendations
Prevention strategies
- Implement multifactor authentication (MFA): Enforce MFA across all employee and customer accounts to add an extra layer of security against unauthorized access due to compromised credentials.
- Regularly train employees: Provide comprehensive cybersecurity awareness training for all staff, including seasonal and temporary employees. Focus on recognizing phishing attempts and social-engineering tactics, and proper handling of sensitive information.
- Strengthen network security: Implement robust firewalls, intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), and network segmentation to protect sensitive data and systems. Regularly update and patch all software and hardware to address known vulnerabilities.
- Monitor for fake websites and brand misuse: Use brand-monitoring services to detect and take down fraudulent websites and advertisements impersonating your business.
- Develop an incident response plan: Create and regularly update an incident response plan tailored to holiday-specific threats.
- Leverage customer awareness initiatives: Inform customers about prevalent scams during the holiday season.
Detection strategies
- Continuous network monitoring: Implement security information and event management (SIEM) systems to monitor network traffic and system logs for suspicious activities in real time.
- Threat intelligence integration: Work with a trusted cyber threat intelligence (CTI) partner to stay informed about emerging threats, indicators of compromise (IoCs) relevant to your industry and the evolving TTPs employed by adversaries targeting your sector. Some threats can only be detected by analyzing CTI data points gathered across the digital threat landscape, such as account takeover threats, third-party breaches, compromised credentials and relevant vulnerability exploits sold on underground forums. CTI data can help organizations understand their threat exposure before an attack occurs.
- Endpoint detection and response (EDR): Use EDR solutions on all endpoints to detect and respond to threats at the device level, including malware infections and unauthorized access attempts.
- Behavioral threat hunting: Complement EDR coverage with advanced threat hunting to identify artifacts and evidence of undetected threats in the security log data held in EDRs and SIEMs. Running threat-hunting queries based on observed TTPs can help quickly identify novel threats designed to bypass detection.
- Employee reporting mechanisms: Establish clear channels for employees to report suspicious emails, calls or activities.
About Intel 471
Intel 471 makes the cyber landscape less scary for organizations of all sizes and in their various stages of maturity. Intel 471 empowers enterprises, government agencies and other organizations to win the cybersecurity war with award-winning cyber threat intelligence, threat hunting and attack surface protection solutions. Learn more at Intel471.com.