In the second half of 2023, the hospitality industry was increasingly targeted by spam and social-engineering campaigns that led to malicious software. The victims of these campaigns are threefold: customers who use the platforms for bookings, property operators who use the booking platforms and the booking platforms themselves. These campaigns have been tailored to take advantage of the type of frequent interactions that hotels have with guests, such as the sending of identity documents. Unfortunately, these interactions are prime opportunities for the classic bait-and-switch by threat actors, who substitute malware for the expected content.
These campaigns predominantly revolve around the Booking.com platform. The platform allows hotels and other property owners to list their properties. Property operators get their own administrative booking panel (accessed through admin.booking.com) to manage bookings. Cybercriminals seek access to these panels, as illicit access means opportunities to profit from fraud. We’ve seen rising demand for credentials for admin.booking.com. We track the trade in stolen login credentials across the underground and threat actors in our Credential Intelligence module, which collects datasets from information stealers (infostealers), instant messaging services, data breaches and more. In the last three months, we collected nearly 4,300 credential sets for admin.booking.com, which shows that there is a pervasive risk of account takeovers (ATOs).
Fraudsters gain access to the booking portals by tricking property owners into downloading infostealer malware. Hotel staff and guests often exchange documents by message, and threat actors have taken advantage of this by sending malware to hotel staff. The infostealer collects the login credentials used by hotel staff and sends them back to the fraudsters. Once inside the booking panel, the fraudsters can see every booking stored within the platform. They then target those customers, contacting upcoming guests and asking for payment. Because these messages are sent from the real platform, they carry a veneer of legitimacy that makes it more likely the victims will be fooled. We also observed a few instances where hotels themselves were targeted directly, following a similar approach. In this report, we examine these malware campaigns targeting the hotel industry.
Step 1: Admin Portal Access
To start the process of gaining unauthorized access to a hotel’s administration portal, threat actors make a reservation. After receiving a booking confirmation, they craft a response to the automatic confirmation message in order to start a dialog with the hotel staff. When the hotel responds, attackers proceed with a carefully crafted follow-up email that’s aimed at getting the staff member to follow a link. The link usually leads to a password-protected archive that contains documents that apparently validate the actor's previous requests, such as copies of passports or medical records that specify dietary requirements. Once the archive is downloaded and a password supplied by the fraudster is entered, the file is executed on the victim’s endpoint, triggering the deployment of infostealer malware. The infostealer starts collecting sensitive data, including administrative credentials for admin.booking.com.
Over the course of several months, we observed the use of various infostealers in campaigns, including StealC, Lumma, AgentTesla, Arkei, Vidar and MetaStealer, which is an improved RedLine variant. To provide the most current and relevant information, we will give an example of a campaign involving MetaStealer.
MetaStealer
Since the beginning of December 2023, there has been a noticeable increase in the deployment of MetaStealer. Here we examine a campaign from Jan. 6, 2024. The diagram below shows the general attack flow for these types of campaigns.
In these scenarios, a threat actor assumed the role of a prospective hotel guest and contacted the hotel to make a reservation (see below). This approach marked a slight shift from the usual strategy of responding to Booking.com confirmation emails. Instead, the actor directly engaged with hotels via their official email channels.
In this campaign, once a response was received from the hotel administrator, the threat actor sent a follow-up email outlining their room preferences and dates and included a URL disguised as a portable document format (PDF) file (see screenshot below). When the recipient clicked on the file, they were redirected to the FileTransfer data-sharing platform. This platform hosted a file named “ID and Card for booking.pdf.url.download.” Once this file was clicked, “file.exe” would be downloaded from a web page hosted at hxxp://89[dot]23.99.252/pdf/file.exe. Executing this file would then trigger the installation of MetaStealer.
Once the threat actors obtain the credential logs from the targeted victim's system, they can log in to the hotel's reservation portal, such as the admin.booking.com website. This access gives them visibility into all current room or holiday reservations made by customers.
Step 2: Swindling Travelers
The threat actors then progress to the next phase of their scheme, which involves contacting these customers. They use email or the official app to pose as legitimate hotel administrators and request a fraudulent confirmation of payment details for upcoming stays.
These messages contain a link that leads victims to a phishing page that mirrors the Booking.com interface. The page is pre-filled with the victim’s exact personal details, including their full name, stay duration and hotel information. The URL, designed to further deceive, follows the “booking.id(numbers).com,” “booking.reserve-visit.com” or “booking.confirmat-id(number).com” pattern. Threat actors can then exploit the information entered on these phishing pages.
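As an added example that is not part of the original report, the Python check below could be run by a defender over web proxy or mail URL logs to flag the three indicators these campaigns rely on: the lookalike hosts listed above, a deceptive double extension such as the “.pdf.url.download” file name, and an executable fetched from a bare IP address. The log lines, the files.share.example host and the 198.51.100.7 address are constructed for the example, and the host check generalises beyond the three listed patterns to any host that carries the brand name as a subdomain of an unrelated registered domain.

```python
import re
from urllib.parse import urlparse, unquote

# Registered domain the hotel legitimately uses for the booking platform (assumption).
LEGIT_DOMAINS = {"booking.com"}

# Lookalike host patterns taken from the phishing URLs described in the report.
LOOKALIKE_HOST = re.compile(r"^booking\.(?:id\d+|reserve-visit|confirmat-id\d+)\.com$", re.I)
# A document extension immediately followed by a shortcut/executable extension.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|jpe?g|png)\.(?:url|exe|scr|lnk|download)\b", re.I)
EXEC_EXT = re.compile(r"\.(?:exe|scr|lnk|url|download)$", re.I)
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com hosts in this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_url(url: str) -> list:
    """Return the reasons a URL resembles this campaign; an empty list means no flag."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    filename = unquote(parsed.path.rsplit("/", 1)[-1])
    reasons = []
    if LOOKALIKE_HOST.match(host):
        reasons.append("known lookalike host pattern")
    elif "booking" in host and registered_domain(host) not in LEGIT_DOMAINS:
        reasons.append("brand name in subdomain of unrelated registered domain")
    if DOUBLE_EXT.search(filename):
        reasons.append("deceptive double extension")
    if BARE_IP.match(host) and EXEC_EXT.search(filename):
        reasons.append("executable fetched from bare IP host")
    return reasons

def scan_log(log_text: str) -> list:
    """Return (url, reasons) for each log line whose url= field raises a flag."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"url=(\S+)", line)
        if m and classify_url(m.group(1)):
            hits.append((m.group(1), classify_url(m.group(1))))
    return hits

# Constructed sample proxy log lines (not real traffic); 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
2024-01-06T10:02:11Z user=frontdesk url=https://www.booking.com/hotel/example.html
2024-01-06T10:05:40Z user=frontdesk url=https://files.share.example/ID%20and%20Card%20for%20booking.pdf.url.download
2024-01-06T10:05:52Z user=frontdesk url=http://198.51.100.7/pdf/file.exe
2024-01-06T11:30:03Z user=guest url=https://booking.id48213.com/confirm?ref=abc
2024-01-06T11:31:10Z user=guest url=https://booking.secure-check.example/verify
"""

if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```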
Defense Tips for the Hospitality Industry and Consumers
Amid the complex cyber threats facing the hospitality industry, especially those involving platforms such as Booking.com, it is imperative for both industry professionals and customers to implement strong security practices. Here are some key recommendations for hospitality sector professionals and customers using services such as the Booking.com platform.
For hospitality sector professionals:
Strengthen Email Security Protocols: Invest in advanced email filtering and security measures to identify and thwart phishing attempts. Ensure these systems are updated regularly to keep up with new cyber threats.
Regular Cybersecurity Training: Provide ongoing, thorough cybersecurity training for all staff members. Emphasize the importance of recognizing phishing emails.
Enhance System Access Controls: Utilize strong password policies and multifactor authentication (MFA) to access internal systems and administration portals.
Monitor and Control Network Access: Employ network monitoring tools to detect unusual activities, such as unexpected access to administration portals or large data transfers.
Enable Multifactor Authentication: Where possible, use MFA for your accounts to add an extra layer of security.
For customers using services such as Booking.com:
Be Wary of Unsolicited Requests: Be skeptical of unexpected requests for payments or personal information, especially if the urgency or language seems unusual.
Use Secure Payment Methods: Prefer using secure payment methods offered directly through the Booking.com platform. Avoid making payments through external links or unverified payment portals.
Enable Multifactor Authentication: Where possible, use MFA for your accounts to add an extra layer of security.