I'm not convinced that's how it works. The property never gets the guest's email address; they only see a randomised @booking.com address. All messages between the property and the guest go through Booking.com. If Booking.com are still allowing malware-infected attachments through after all this time then I have to assume that they're in on it.
At least that's how it works with the property I mentioned above.

This security blog from Akamai gives further details of infostealer malware affecting the hospitality industry:
Introduction
Despite widespread awareness of phishing, it remains one of the most successful and ubiquitous attack vectors in the landscape of cyberthreats. Phishing campaigns come in many forms and continue to evolve as new mediums arise. From emails that impersonate banks, to text messages that mimic delivery notifications, to malicious code embedded in a photo of a kitten, phishing can affect anyone with access to a computer.
One of the most recently discovered delivery methods is a sophisticated infostealer that targets the hospitality industry through online booking services. A malicious actor makes a booking request, chooses the “pay at hotel” option, and then sends the hotel a series of urgent, seemingly heartfelt emails with links to “photos” that are in fact an executable infostealer.
Although this particular version was aimed at hotels, our SecOps team has detected a second stage of this phishing campaign, which then targets the legitimate customers of those booking sites.
As the holiday travel season approaches, there is no better time to be wary of this phishing method. In this blog post, we detail some of our observations and share recommendations for staying safe online.
Attack chain
The attack chain consists of three steps: executing the infostealer, contacting the victim, and catching the victim.
Step 1: Executing the infostealer
After the infostealer is executed on the original target (the hotel), the attacker gains access to the hotel's messaging with legitimate customers. Customers are often advised to use only official, known methods of communication, such as the messaging platform built into the booking site, to avoid illegitimate or scam interactions. Unfortunately, that sound advice loses its value once the attacker controls the hotel's side of exactly that channel.
Step 2: Contacting the victim
Now that the attacker has direct and trusted access, a message is sent to the intended victim. This message follows the typical phishing modus operandi: it is urgent, demands immediate action, and invokes fear. It is written professionally and modeled on genuine hotel interactions with their guests, which makes it even more convincing to the recipient.
It is important to remember that this message comes from within the booking site’s own messaging platform. An email from an unknown sender would likely be ignored, but a direct message inside the booking site appears legitimate and trustworthy. The attackers have shown persistence, reusing this technique across multiple campaigns.
Step 3: Catching the victim
The message contains an illegitimate link presented as an additional card verification required to keep the booking from being canceled. The victim, wanting to keep the reservation, complies with the instructions in the message and clicks the link. The link runs an obfuscated, Base64-encoded JavaScript payload that delivers an executable to the victim’s machine.
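Two of the checks a practitioner would want for this chain are (a) for Step 1, verifying that a file sent to the hotel as a “photo” actually contains an image rather than a Windows executable, and (b) for Step 3, pulling long Base64 literals out of a page’s JavaScript and classifying what they decode to. The example below is added here and is not part of the Akamai post or any product; the magic-byte table, the `check_attachment` and `find_embedded_payloads` function names, the stand-in PE/PNG headers and the page fragment in `SAMPLE_SCRIPT` are all constructed for illustration.

```python
import base64
import binascii
import re

# Well-known file signatures (magic bytes). Only the types relevant to this
# campaign are listed: an "image" that starts with MZ is a Windows executable.
SIGNATURES = {
    "exe": b"MZ",
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
}
IMAGE_TYPES = {"jpg", "png", "gif"}


def detect_type(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Step 1 check: does a file sent as a 'photo' actually contain an image?"""
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    claimed = "jpg" if claimed == "jpeg" else claimed
    actual = detect_type(data)
    reasons = []
    if actual == "exe":
        reasons.append("content is a Windows executable")
    if len(parts) > 2 and parts[-2] in {"jpg", "jpeg", "png", "gif"}:
        reasons.append("double extension hides the real file type")
    if claimed in IMAGE_TYPES and actual not in IMAGE_TYPES:
        reasons.append(f"named .{claimed} but content is {actual}")
    return {
        "file": filename,
        "claimed": claimed,
        "actual": actual,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


# A Base64 literal long enough to be a payload rather than a short token.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_payloads(script: str) -> list:
    """Step 3 check: decode long Base64 literals in a script and classify them."""
    findings = []
    for match in B64_LITERAL.finditer(script):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (wrong length or padding); skip it
        findings.append(
            {"offset": match.start(), "size": len(decoded), "type": detect_type(decoded)}
        )
    return findings


def has_executable_payload(script: str) -> bool:
    """True if any decoded literal is an executable or an archive that may wrap one."""
    return any(f["type"] in ("exe", "zip") for f in find_embedded_payloads(script))


# Constructed test data (not real malware): a stand-in PE header and a PNG header.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n$"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 56

# Constructed page fragment modelled on the "card verification" link: a benign
# Base64 logo next to a Base64 executable that the script turns into a download.
SAMPLE_SCRIPT = f"""
var logo = "{base64.b64encode(FAKE_PNG).decode()}";
var p = "{base64.b64encode(FAKE_PE).decode()}";
var bytes = Uint8Array.from(atob(p), c => c.charCodeAt(0));
var a = document.createElement("a");
a.href = URL.createObjectURL(new Blob([bytes]));
a.download = "card_verification.exe";
a.click();
"""

if __name__ == "__main__":
    print(check_attachment("holiday_photos.jpg.exe", FAKE_PE))
    print(check_attachment("lobby.png", FAKE_PNG))
    for finding in find_embedded_payloads(SAMPLE_SCRIPT):
        print(finding)
    print("executable payload:", has_executable_payload(SAMPLE_SCRIPT))
```

The attachment check deliberately trusts bytes over names: a double extension such as `.jpg.exe` and a file whose content does not match its claimed image type are both flagged. The script check only reports what each Base64 literal decodes to, so a page with an inline logo is not flagged, while a literal that decodes to an MZ or ZIP header is. Real pages may split or further obfuscate the literal, so this is a first-pass triage check rather than a complete detector.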
(Article continues with further technical detail)