Scammers Use Your Real Hotel Bookings for Spear-Phishing Attacks
▼ Summary
– Security researchers found that travelers’ booking details from over 350 hotels in 50 countries were stolen and used in targeted phishing scams to steal credit card information.
– Norton’s analysis revealed phishing messages included real reservation details like check-in dates and prices, making them highly convincing “spear phishing” attacks.
– Germany had the most affected hotels, followed by France, the UK, Italy, Spain, and the US, with most being small- to medium-sized accommodations.
– Cybercriminals are expanding “phishing-as-a-service” software, which impersonates brands and sends millions of scam messages; Americans lost over $200 million to phishing in the past year.
– Hackers obtain booking data by accessing hotel systems through phishing emails to staff or exploiting third-party services, as seen in Norton’s investigation of a fake Booking.com WhatsApp message.
Travelers across the globe are being targeted in a new wave of highly personalized spear-phishing attacks that weaponize their real hotel booking details. Security researchers have uncovered that cybercriminals are stealing reservation information , including names, check-in dates, and hotel names , from hundreds of hotels, then using that data to craft fraudulent messages that trick victims into handing over their credit card details.
An investigation by security firm Norton analyzed phishing messages and the infrastructure behind them, revealing that at least 350 hotels, vacation rentals, motels, and guesthouses across 50 countries have been caught in what the researchers call “reservation hijacking” scams. The use of authentic booking information makes these messages far more convincing, increasing the odds that a recipient will click a malicious link. “This is really targeted,” says Luis Corrons, who led the research for Norton’s parent company, Gen. “It’s spear phishing targeted to the specific victim with the real details of the reservation.” The phishing websites the team examined even displayed the victim’s exact check-in and check-out dates, along with hotel-specific pricing.
Germany had the highest number of hotels potentially affected, followed by France, the UK, Italy, Spain, and the US. The 350 compromised accommodations have a combined peak capacity of roughly 80,000 guests, according to the researchers. Corrons notes that the majority of these properties are small- to medium-sized hotels, not large chains.
While hotel system breaches have been a persistent threat for years, this discovery comes as cybercriminals continue to expand their “phishing-as-a-service” toolkits. These kits are used to blast millions of delivery and toll scam messages each month, constantly adding new lures to impersonate dozens of global brands. The FBI reports that Americans lost over $200 million to successful phishing attempts last year.
Norton’s investigation began in December after researchers spotted a particularly realistic phishing message. Sent via WhatsApp from an account posing as Booking.com, the message appeared to come from a specific hotel and listed the dates of an upcoming reservation. It urged the recipient to click a link and confirm their details. That link led to a fake website equipped with a chatbot that instantly forwarded any entered information , including credit card numbers , directly to the hackers.
Hackers can obtain these booking details through several methods. They may gain access to hotel systems by sending phishing messages to staff or by compromising third-party booking services. In some cases, attackers send malware-laced emails or files to hotel employees in an attempt to steal login credentials, rather than exploiting system vulnerabilities. “We have been able to get some of the messages that are received by the accommodation staff to get them phished,” Corrons says. Earlier research from Norton, published in March, specifically mentioned both Booking.com and the hotel-management platform CloudBeds as potential vectors for these attacks.
(Source: Wired)
