Booking.com users are falling victim to a scam orchestrated by hackers who sell stolen account details on the dark web, according to cyber security company Secureworks.

These cybercriminals offer stolen Booking.com credentials on dark web forums for up to $2,000 and use them to defraud guests staying at the affected hotels.

(Photo: LIONEL BONAVENTURE/AFP via Getty Images) Screens displaying the logo and website of the online travel and accommodation platform Booking.com in Toulouse, southwestern France, on January 25, 2023.

Vidar Infostealer Steals Booking.com Credentials

While Booking.com, a popular website for travelers, has not been directly compromised, cyber security experts reveal that the criminals are infiltrating individual hotel administration portals linked with the service.

In a recent report, Secureworks investigated an October 2023 attack in which the Vidar infostealer was deployed to steal a hotel's Booking.com credentials.

This breach provided the threat actor access to the Booking.com management portal, allowing them to view upcoming bookings and communicate directly with guests. Secureworks suggests that this incident is part of a larger campaign, indicating a growing demand for these credentials on underground forums.

The attack involved a deceptive email sent by the threat actor to a hotel's operations staff, posing as a former guest who had lost an identification document. The email, seemingly harmless with no attachments or malicious links, aimed to establish trust with the recipient. 

The threat actor later sent another email, claiming to have lost a passport at the hotel and providing a Google Drive link with alleged photos of the lost document and check-in details. Upon clicking the link, a ZIP archive file containing the Vidar infostealer was downloaded.

Vidar, not commonly used in targeted attacks, focuses on stealing passwords. The stolen credentials allowed the threat actor to access the hotel's Booking.com account without multi-factor authentication, enabling them to send messages to guests and initiate fraudulent activities. 

The compromised credentials were likely part of a broader fraud campaign targeting Booking.com customers and properties, according to Secureworks.


Malicious URLs

Several properties reported instances of customers being defrauded through Booking.com's official messaging mechanism. Threat actors directed victims to malicious URLs to input payment details, which were then used to withdraw money from the victims' accounts. 

While the attack initially suggested a compromise of Booking.com's own systems, Secureworks found that the threat actors had instead stolen properties' credentials for the admin.booking.com property management portal.

The use of Vidar in a targeted campaign is considered unusual, as it is typically deployed indiscriminately to harvest credentials from web browsers. However, the flexibility of Vidar as a malware-as-a-service (MaaS) operation allows any threat actor to rent it for their purposes, according to Secureworks.

Cybersecurity experts recommend that organizations in the hospitality sector raise awareness among employees about this campaign and remain vigilant against social engineering attacks. 

Enforcing multi-factor authentication on Booking.com accounts is suggested to prevent unauthorized access to property management portals. Additionally, individual customers are advised to exercise caution regarding emails or app messages requesting payment details, as they may be part of fraudulent schemes. 



ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.