Hotel Phishing Attack Imitates Popular Booking Website

Booking.com has once again been used in a new phishing attack aimed at guests booking a hotel in Spain, reports The Register. This news closely follows CERT Poland’s recent report on a malware phishing attack targeting Booking.com and Allegro.pl.

phishing

Photo: YellowJ / Shutterstock

This new attack is unique in its apparent authenticity, according to a reader The Register simply names “Paul,” whose wife was a target of the new attack. This email scam does not appear to use malware or require victims to download additional attachments.

The phishing email closely resembles an actual confirmation email from Booking.com using the email alias [email protected]

Although it is simple enough for a malicious user to display “Booking.com” in an email’s “From” field, this attack also uses specific information from the victim’s recent booking request. The email claims that the victim’s credit card payment did not successfully process and requests a direct transfer to a bank account in Poland.

The Register asked multiple security professionals to speculate on the potential origin of this attack. Malware intelligence analyst Chris Boyd considers social engineering (including direct contact with the hotel itself in order to obtain guest information) a possible method, as the information appears to have been intercepted shortly after the victims booked their stay. Boyd tells The Register that the interception was likely directly targeted at the individual hotel, rather than with travel agent website Booking.com. Analysts are currently unsure whether this scam is related to other recent strings of malware phishing attacks targeting the booking website.

In June, CERT Poland released details of an email trojan attack on Booking.com and auction website Allegro.pl. These scams also contained personalized emails that contacted victims about their recent hotel bookings or auctions (respectively). As both emails contained similar infection methods, CERT believed they were likely part of the same phishing attack. The emails contained the actual web addresses of the websites they were attempting to imitate, as well as official company logos.

These malware attacks attached an MS Word file to each email that, when opened, requested the victims enable macros in order to properly display the document. Once the victim allowed the program to run, it ran a script that eventually launched a Visual Basic password theft application.

Rik Ferguson at Trend Micro believes that the current attack is most likely due to a breach at the Spanish hotel. He concludes that the use of malware is unlikely, due to the user-specific information included in the email. Ferguson envisions three possible scenarios: a breach at the individual hotel’s booking system (most likely), a breach at Booking.com (less likely), or a “man-in-the-middle” attack implementing malware to target major booking websites.

Analysts agree that a Booking.com breach is the least likely option, as the company is legally required to disclose such a security breach and as of yet has not commented on the attack. Ferguson is not certain whether the owner of the Polish bank account is necessarily a knowing participant in the attack. He explains that the account could simply be one of several “mules” meant to throw suspicious eyes off of the payment trail.

The email itself informs the victim of a payment error:

Code: 0125, The card verification value the user gave for the attempted transaction did not match the card verification value on file for the account (This authorization check normally occurs for cardless accounts and for internet and telephone orders.)

The message urges victims not to attempt paying by credit card a second time. Instead, it directs them to send a wire transfer to a bank in Warsaw. The message concludes with a request to send a scanned copy of the payment receipt to the original email address.

The email includes specific personal information such as the victim’s name, the hotel name, the actual booking confirmation number, the number of nights booked (with arrival and departure dates), and the victim’s billing address.