{"id":50109,"date":"2023-12-22T10:13:25","date_gmt":"2023-12-22T15:13:25","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=50109"},"modified":"2023-12-22T10:13:25","modified_gmt":"2023-12-22T15:13:25","slug":"booking-com-hacked-hotel-accounts-scam-customers","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/50109\/","title":{"rendered":"Hacked hotel accounts on Booking.com"},"content":{"rendered":"<p>This season, a new attack scheme is proving very popular with cybercriminals: scamming Booking.com clients through the service\u2019s internal messaging system. To do this, they use compromised hotel accounts on admin.booking.com. Over the past few months, various companies have <a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">released<\/a> studies on <a href=\"https:\/\/perception-point.io\/blog\/booking-com-customers-hit-by-phishing-campaign-delivered-via-compromised-hotels-accounts\/\" target=\"_blank\" rel=\"nofollow noopener\">incidents<\/a> of <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/sophisticated-phishing-campaign-targeting-hospitality\" target=\"_blank\" rel=\"nofollow noopener\">this nature<\/a>. Here\u2019s a detailed breakdown of how this attack works, and tips on how hotel owners and staff can protect themselves (and their clients).<\/p>\n<h2>Infecting hotel staff computers with a password stealer<\/h2>\n<p>What we\u2019re dealing with here is a multi-stage attack \u2014 B2B2C, if you will. It all starts with infecting hotel computers, but the immediate threat isn\u2019t to the hotel itself \u2014 it\u2019s to the clients.<\/p>\n<p>To hijack accounts on admin.booking.com, attackers use specialized malware known as password stealers. Typically, these stealers collect any passwords found on an infected computer. 
But in this case it seems that Booking.com accounts are what the cybercriminals are specifically interested in.<\/p>\n<p>In particular, one of the abovementioned studies <a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">describes<\/a> a targeted email attack on hotel staff. This attack starts with an innocuous email in which someone poses as a recent guest and asks the hotel staff for help in finding lost documents.<\/p>\n<div id=\"attachment_50112\" style=\"width: 883px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22095914\/booking-com-hacked-hotel-accounts-scam-customers-1.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50112\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22095914\/booking-com-hacked-hotel-accounts-scam-customers-1.png\" alt=\"Email from attackers to one of the attacked hotels\" width=\"873\" height=\"138\" class=\"size-full wp-image-50112\"><\/a><p id=\"caption-attachment-50112\" class=\"wp-caption-text\">The first email from the attackers to the targeted hotel. <a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>In the next email, the \u201cguest\u201d claims to have searched everywhere for the lost passport or whatever to no avail, suggesting the hotel is the only possible place where it might be. 
So, they ask the hotel staff to look for it and, to help the search, provide a link supposedly containing photos of the lost passport.<\/p>\n<div id=\"attachment_50114\" style=\"width: 945px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100014\/booking-com-hacked-hotel-accounts-scam-customers-2.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50114\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100014\/booking-com-hacked-hotel-accounts-scam-customers-2.png\" alt=\"Second email from attackers to the targeted hotel\" width=\"935\" height=\"326\" class=\"size-full wp-image-50114\"><\/a><p id=\"caption-attachment-50114\" class=\"wp-caption-text\">The next email from the attackers, containing a link to an infected archive with a password stealer. <a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>As you might suspect, this archive contains not the photos of the passport, but the password stealer. 
After the user clicks on the dangerous file, the stealer searches the system for saved login credentials for the hotel\u2019s account on admin.booking.com, and sends them to the attackers.<\/p>\n<div id=\"attachment_50115\" style=\"width: 2250px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100207\/booking-com-hacked-hotel-accounts-scam-customers-3.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50115\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100207\/booking-com-hacked-hotel-accounts-scam-customers-3.png\" alt=\"Cybercriminals are after hotel usernames and passwords on admin.booking.com\" width=\"2240\" height=\"1300\" class=\"size-full wp-image-50115\"><\/a><p id=\"caption-attachment-50115\" class=\"wp-caption-text\">Using a stolen login and password, the cybercriminals gain access to the hotel\u2019s account on admin.booking.com.<\/p><\/div>\n<p><a href=\"https:\/\/perception-point.io\/blog\/booking-com-customers-hit-by-phishing-campaign-delivered-via-compromised-hotels-accounts\/\" target=\"_blank\" rel=\"nofollow noopener\">Another study<\/a> on the Booking.com account theft epidemic describes an alternative method of infecting hotel staff computers. In this attack, criminals create reservations using guest accounts (in some cases, probably stolen accounts). They then contact the hotel using Booking.com\u2019s internal messaging system and, under one pretext or another, slip in a link to a malware-infected file \u2014 with the exact same outcome as in the previous case.<\/p>\n<h2>Stealing hotel accounts on Booking.com and emailing clients<\/h2>\n<p>At the next stage, the attackers proceed to directly use the accounts stolen from the infected hotel computers. 
Everything is made a lot simpler by the fact that Booking.com\u2019s service doesn\u2019t provide two-factor authentication, so accessing an account only requires a login and password.<\/p>\n<p>Upon entering the hotel\u2019s account on admin.booking.com, the criminals study current bookings and begin sending messages to future guests using Booking.com\u2019s internal messaging system. These messages generally revolve around an error in verifying the guest\u2019s payment card information provided during the booking. The \u201chotel\u201d thus asks the guest to re-enter their card details; otherwise, the reservation will be canceled.<\/p>\n<p>Of course, the messages include links that at first glance appear to resemble genuine links to Booking.com\u2019s booking pages. They contain the word \u201cbooking\u201d itself, something resembling a booking number, and in some cases, additional words like \u201creservation\u201d, \u201capprove\u201d, \u201cconfirmation\u201d, and so on.<\/p>\n<p>Of course, upon closer inspection, it\u2019s easy to see that these links don\u2019t lead to Booking.com at all. 
However, the aim here is to target hasty individuals who, unexpectedly discovering that their planned trip could be ruined, rush to rectify the situation.<\/p>\n<div id=\"attachment_50116\" style=\"width: 1215px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100332\/booking-com-hacked-hotel-accounts-scam-customers-4.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50116\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100332\/booking-com-hacked-hotel-accounts-scam-customers-4.jpg\" alt=\"Fraud in Booking.com's internal messaging system\" width=\"1205\" height=\"912\" class=\"size-full wp-image-50116\"><\/a><p id=\"caption-attachment-50116\" class=\"wp-caption-text\">Through Booking.com\u2019s internal messaging system, scammers send hotel clients links to fake booking pages. <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/sophisticated-phishing-campaign-targeting-hospitality\" target=\"_blank\" rel=\"nofollow noopener\">Source 1<\/a>, <a href=\"https:\/\/grahamcluley.com\/fraudsters-target-booking-com-customers-claiming-hotel-stay-could-be-cancelled\/\" target=\"_blank\" rel=\"nofollow noopener\">source 2<\/a>, <a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">source 3<\/a>, <a href=\"https:\/\/perception-point.io\/blog\/booking-com-customers-hit-by-phishing-campaign-delivered-via-compromised-hotels-accounts\/\" target=\"_blank\" rel=\"nofollow noopener\">source 4<\/a><\/p><\/div>\n<p>The messages are written in a professional tone and appear quite plausible. 
It should also be noted that the text of such messages varies considerably from <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/sophisticated-phishing-campaign-targeting-hospitality\" target=\"_blank\" rel=\"nofollow noopener\">one<\/a> described incident to <a href=\"https:\/\/grahamcluley.com\/fraudsters-target-booking-com-customers-claiming-hotel-stay-could-be-cancelled\/\" target=\"_blank\" rel=\"noopener nofollow\">another<\/a>. Apparently, a number of criminals are using this scheme independently of each other.<\/p>\n<h2>Fake copies of Booking.com and stealing bank card data<\/h2>\n<p>The final stage of the attack ensues. By clicking on the link in the message, the hotel\u2019s client lands on a fake page \u2014 a meticulous copy of Booking.com. These pages even display the correct guest name, information about the hotel where the victim intends to stay, dates, and price \u2014 all of which the scammers know because they have access to all the booking data.<\/p>\n<p>The only thing that gives it away is the link in the address bar. However, the scammers distract the victim from paying attention to such minor details by rushing them: the page claims that these dates are in high demand, so \u201c10 four-star hotels similar to this one are already unavailable\u201d. 
The implication, of course, is that if this booking fails, finding alternative accommodation won\u2019t be easy.<\/p>\n<div id=\"attachment_50117\" style=\"width: 1369px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100435\/booking-com-hacked-hotel-accounts-scam-customers-5.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50117\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100435\/booking-com-hacked-hotel-accounts-scam-customers-5.jpg\" alt=\"Fake Booking.com booking page \" width=\"1359\" height=\"1280\" class=\"size-full wp-image-50117\"><\/a><p id=\"caption-attachment-50117\" class=\"wp-caption-text\">On the fake Booking.com page, the client of the hacked hotel is asked to enter their card number to reconfirm the reservation. <a href=\"https:\/\/www.akamai.com\/blog\/security-research\/sophisticated-phishing-campaign-targeting-hospitality\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The victims are urged once again to confirm the booking as quickly as possible. Moreover, it\u2019s easy to do: just re-enter the payment information. Obviously, the card details then fall into the hands of the criminals \u2014 mission accomplished.<\/p>\n<h2>Selling hotel logins and passwords for Booking.com<\/h2>\n<p>It\u2019s worth mentioning that here, as in almost any other cybercriminal scheme, we see a tendency for narrow specialization. Apparently, some criminals collect hacked Booking.com accounts, while others exploit these accounts to deceive hotel clients. 
In any case, advertisements offering substantial sums for logins and passwords from admin.booking.com accounts can be found on hacker forums.<\/p>\n<div id=\"attachment_50118\" style=\"width: 779px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100625\/booking-com-hacked-hotel-accounts-scam-customers-6.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50118\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100625\/booking-com-hacked-hotel-accounts-scam-customers-6.png\" alt=\"Offer for the purchase of hacked Booking.com accounts\" width=\"769\" height=\"296\" class=\"size-full wp-image-50118\"><\/a><p id=\"caption-attachment-50118\" class=\"wp-caption-text\">Listing on an underground forum, where the authors are willing to pay generously for hacked Booking.com hotel accounts. <a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<div id=\"attachment_50119\" style=\"width: 599px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100731\/booking-com-hacked-hotel-accounts-scam-customers-7.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50119\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100731\/booking-com-hacked-hotel-accounts-scam-customers-7.png\" alt=\"Another offer for the purchase of hacked Booking.com accounts \" width=\"589\" height=\"380\" class=\"size-full wp-image-50119\"><\/a><p id=\"caption-attachment-50119\" class=\"wp-caption-text\">Another listing offering decent money for hacked admin.booking.com accounts. 
<a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Yet another group of criminals, providing subscription-based services to search for stolen credentials in stealer malware databases, have recently added admin.booking.com to their list of searchable data.<\/p>\n<div id=\"attachment_50120\" style=\"width: 831px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100825\/booking-com-hacked-hotel-accounts-scam-customers-8.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50120\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/12\/22100825\/booking-com-hacked-hotel-accounts-scam-customers-8.png\" alt=\"Announcement of the addition of admin.booking.com to the list of supported services\" width=\"821\" height=\"357\" class=\"size-full wp-image-50120\"><\/a><p id=\"caption-attachment-50120\" class=\"wp-caption-text\">One of the services offering paid searches across databases of stolen passwords has learned to function with admin.booking.com accounts. <a href=\"https:\/\/www.secureworks.com\/blog\/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>All of this suggests that the popularity of this criminal scheme is only growing; therefore, there\u2019ll likely be more hacks of hotel accounts on Booking.com and more affected clients in the future.<\/p>\n<h2>How to protect against theft of admin.booking.com accounts<\/h2>\n<p>Even though these attacks directly threaten hotel clients rather than the hotels themselves, the hotels still have to deal with the backlash and somehow compensate the affected parties to avoid any reputational damage. 
And in general, hotel computers getting infected is bad news \u2014 today, cybercriminals are hijacking Booking.com accounts; tomorrow they\u2019ll come up with another way to monetize this infection. Therefore, it\u2019s absolutely necessary to protect against this threat. Here\u2019s what to keep in mind:<\/p>\n<ul>\n<li>Storing passwords in your browser is not safe \u2014 that\u2019s where stealer malware always looks for them.<\/li>\n<li>To store passwords well, use a specialized application \u2014 <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">a password manager<\/a> \u2014 that will take care of their security.<\/li>\n<li>It\u2019s essential to install <a href=\"https:\/\/www.kaspersky.com\/small-business-security\/small-office-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksos___\" target=\"_blank\" rel=\"noopener nofollow\">reliable protection<\/a> on all your devices used for business.<\/li>\n<li>And take particular care of the security of those computers that employees might use to communicate with strangers \u2014 they\u2019re the ones more likely to become the target of an attack.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"ksos-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Attackers are hijacking hotel accounts on Booking.com, and stealing their clients&#8217; banking data through its internal messaging 
system.<\/p>\n","protected":false},"author":2726,"featured_media":50110,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2672,2930,80,899,1318,187,76,726,97,3244,422,663],"class_list":{"0":"post-50109","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-accounts","10":"tag-booking","11":"tag-fraud","12":"tag-hack","13":"tag-hotels","14":"tag-passwords","15":"tag-phishing","16":"tag-scam","17":"tag-security-2","18":"tag-stealers","19":"tag-threats","20":"tag-travel"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/50109\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/26826\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/22240\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/29585\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/27095\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/36757\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/booking-com-hacked-hotel-accounts-scam-customers\/27330\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/33111\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/booking-com-hacked-hotel-accounts-scam-customers\/32734\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/scam\/","name":"scam"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50
109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=50109"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50109\/revisions"}],"predecessor-version":[{"id":50121,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50109\/revisions\/50121"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/50110"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=50109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=50109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=50109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}