Hackers book profit by scamming Booking.com customers

Scammers are using a range of techniques, including phishing, infostealers, and social engineering, to defraud several Booking.com customers, according to an investigation carried out by cybersecurity firm SecureWorks.

Booking.com customers from the UK, Indonesia, Singapore, Greece, Italy, Portugal, the US, and the Netherlands have been affected, according to a BBC report. The extent of the damage is as yet unclear. Amsterdam-based Booking.com is one of the largest global companies offering a range of travel solutions.

Understanding the modus operandi

The cyberattackers deployed Vidar infostealer to gain access to a hotel’s Booking.com management portal, the investigation by SecureWorks revealed. Hackers tricked the hotel staff into downloading Vidar by sending an email pretending to be from a former guest who had left a passport in their room. Typically, the email included a Google Drive link, allegedly containing images of the passport.

However, the link instead downloads the malware, which steals the credentials needed to access Booking.com. Once the hackers log on to the Booking.com portal, they can view information about customers who have hotel or holiday reservations. The hackers use this information to message those customers directly and trick them into paying money to the attackers instead of to the hotel.

“This activity originally appeared to suggest that Booking.com’s systems were compromised. However, the observations by SecureWorks incident responders indicate that threat actors likely stole credentials to the admin.booking.com property management portal directly from the properties and used the access to target the properties’ customers,” the SecureWorks blog said.

A bigger campaign?

The hackers are “making so much money in their attacks that they are now offering to pay thousands to criminals who share access to hotel portals,” the BBC report said.

This cyberattack may be part of a bigger fraud campaign against Booking.com’s partners. Singapore-based The Straits Times recently revealed that at least 30 people who had made hotel bookings on Booking.com ended up losing a total of $41,000. Typically, they received fraudulent links asking them to reveal their crucial personal and banking details, including credit card details and one-time passwords. Some victims were also asked to make payments on fraudulent links.

Innovative use of Vidar

Vidar is primarily used as an infostealer and is usually delivered via email. SecureWorks notes that the use of Vidar in a targeted campaign is rare. It is typically used to collect financial and sensitive data from the infected machine, including account credentials, credit card data, and browser history. This information is then sold on underground markets. It is also available as malware-as-a-service to other criminals for use in their own operations.

A key reason for the success of this attack is that Booking.com has not enabled multifactor authentication (MFA), which makes it easy for the threat actors to log into the account with the stolen credentials.

“Implementing MFA on Booking.com accounts would likely thwart most unauthorized attempts to access the property management portal,” the SecureWorks blog said.

However, it is debatable whether MFA alone would have been enough to prevent these attacks. Last year, the Microsoft Detection and Response Team (DART) reported that, as a growing number of organizations adopt MFA as a proactive defence against cyberattacks, attackers have started using token theft to circumvent it.

“By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly,” the Microsoft blog said.

Organizations must adopt the latest security measures and educate their users to mitigate the growing threat of cyberattacks.
