
A scam phone calls and emails discussion.

87 027

Member
Joined
1 Sep 2010
Messages
703
Location
London
I'm not convinced that's how it works. The property never gets the guest's email address, they only see a randomised @booking.com address. All messages between the property and the guest go through Booking.com. If Booking.com are still allowing malware infected attachments through after all this time then I have to assume that they're in on it.

At least that's how it works with the property I mentioned above.
This security blog from Akamai gives further details of infostealer malware affecting the hospitality industry


Introduction

Despite the widespread awareness of phishing, it is still one of the most successful and ubiquitous attack vectors in the vast landscape of cyberthreats. Phishing campaigns come in various forms and have continued to evolve as new potential mediums arise. From emails that impersonate banks to text messages that mimic delivery notifications to malicious code embedded into a photo of a kitten, phishing can affect anyone with access to a computer.
One of the most recently discovered delivery methods is the sophisticated infostealer that targets the hospitality industry through online booking services. A malicious actor makes a booking request, choosing the “pay at hotel” option, and sends the hotel a series of urgent and seemingly heartfelt emails with links to “photos” that are an executable infostealer.
Although this particular version was aimed at the hotels, our SecOps team has detected a second stage of this sophisticated phishing campaign, which then targets the legitimate customers of these sites.
As the holiday travel season approaches, there is no better time to be wary of this phishing method. In this blog post, we detail some of our observations and share recommendations for staying safe online.

Attack chain

The attack chain consists of three steps: executing the infostealer, contacting the victim, and catching the victim.

Step 1: Executing the infostealer

After the infostealer is executed on the original target (the hotel), the attacker can access messaging with legitimate customers. It is often recommended that customers use only official and known methods of communication, such as various messaging platforms within the site, to prevent illegitimate or scam interactions. Unfortunately, this great advice becomes moot now that the attacker can access those methods.

Step 2: Contacting the victim

Now that the attacker has direct and trusted access, a message is sent to the intended victim. This message follows a typical phishing modus operandi: urgent, requiring immediate action, and fear-invoking. It is written professionally and modeled after genuine hotel interactions with their guests, which creates even more trust for the recipient.
It is important to remember that this message comes from within the booking site’s message platform itself. If this were an email from an unknown sender, it likely would be ignored, but since this is a direct message from within the booking site itself, it seems legitimate and trustworthy. Attackers show both persistence and spreadability across multiple campaigns.


Step 3: Catching the victim

The message contains an illegitimate link claiming to be an additional card verification to ensure the booking isn’t canceled. The victim, clearly wanting to keep the reservation, complies with the terms outlined in the message and clicks the link. This link triggers an executable on the victim’s machine encoded in a complex JavaScript Base64 script.

(Article continues with further technical detail)
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
This security blog from Akamai gives further details of infostealer malware affecting the hospitality industry
With reference to the section you bolded:
It is important to remember that this message comes from within the booking site’s message platform itself.
That's why I said that if Booking.com are still allowing this through their system then the scammers have someone on the inside. It's trivially easy for them to block hazardous attachments.
 

Howardh

Established Member
Joined
17 May 2011
Messages
8,214
Turning on two factor authentication is a huge yes. Make sure you also go through all the authorised apps and revoke access.
Does look like it's worked. Happily once gone through the two factor you can "trust" your device so no need to log in every time.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
I'm not convinced that's how it works. The property never gets the guest's email address, they only see a randomised @booking.com address. All messages between the property and the guest go through Booking.com
I checked today and I'm even less convinced that that explanation holds water. When a guest sends a message, the property receives an email notification, but to actually read the message they have to log in to the Booking.com website.

I can't rule out that some properties can receive messages directly from guests, but my friend's can't and they were a victim of the scam despite never receiving any message with an attachment.

Interestingly, they received a message from Booking saying that the guest I referenced earlier wanted a refund of the £1,200 that they got diddled for despite it clearly having nothing to do with them. The guest had provided a bank statement showing that the transaction was processed online in Bulgarian Lev.

Needless to say, Booking.com got told that under no circumstances would my friend be paying for their lax security!
 
Last edited:

87 027

Member
Joined
1 Sep 2010
Messages
703
Location
London
That's interesting, I don't think the exact attack vector has been pinned down but as this isn't a cyber security forum the key takeaway for the general reader is that (i) it is possible for hackers to infiltrate a platform such as booking.com via compromised credentials and (ii) use that access to send malicious communications to customers which appear legitimate because they are sent via the platform's official app and messaging service. So be on guard folks!
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
That's interesting, I don't think the exact attack vector has been pinned down but as this isn't a cyber security forum the key takeaway for the general reader is that (i) it is possible for hackers to infiltrate a platform such as booking.com via compromised credentials and (ii) use that access to send malicious communications to customers which appear legitimate because they are sent via the platform's official app and messaging service. So be on guard folks!
Couldn't agree more.
 

Howardh

Established Member
Joined
17 May 2011
Messages
8,214
I checked today and I'm even less convinced that that explanation holds water. When a guest sends a message, the property receives an email notification, but to actually read the message they have to log in to the Booking.com website.

I can't rule out that some properties can receive messages directly from guests, but my friend's can't and they were a victim of the scam despite never receiving any message with an attachment.

Interestingly, they received a message from Booking saying that the guest I referenced earlier wanted a refund of the £1,200 that they got diddled for despite it clearly having nothing to do with them. The guest had provided a bank statement showing that the transaction was processed online in Bulgarian Lev.

Needless to say, Booking.com got told that under no circumstances would my friend be paying for their lax security!
If the scam was paid by credit card, shouldn't the victim be protected? They would be if the hotel went bust, but what about crime?
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
If the scam was paid by credit card, shouldn't the victim be protected? They would be if the hotel went bust, but what about crime?
The document provided was in Mandarin so I can't be sure about it, but it looked more like a bank statement than a credit card statement, so I'm guessing it was paid using a debit card.

Usually credit card companies will indemnify their customer against things like skimming or websites that get hacked, not sure what their position is with online transactions where you 'willingly' enter your details.
 

Old Yard Dog

Established Member
Joined
21 Aug 2011
Messages
1,486
Sorry if this has been raised already in this thread but 60 pages are a lot to go through ...

Why do telecom companies allow callers to display false numbers rather than the number they are actually calling from? How difficult would it be to stop this facility?

And why do banks allow money to be paid into accounts obviously run by scammers?
 

Mcr Warrior

Veteran Member
Joined
8 Jan 2009
Messages
11,975
Why do telecom companies allow callers to display false numbers rather than the number they are actually calling from? How difficult would it be to stop this facility?
Indeed, but number spoofing is not necessarily illegal in the U.K., is it? Perhaps it should be, as, I believe, is the case in the U.S.
 

87 027

Member
Joined
1 Sep 2010
Messages
703
Location
London
I'm sure we've discussed it upthread where I think the conclusion was that number spoofing is trivially easy with traditional copper-based landlines but technically much harder in a digital voice system - ironically given recent posts!

The problem when it comes to enforcement is how, practically, that enforcement is going to work. Especially where said criminals are being sheltered by hostile regimes who are actively seeking to disrupt and destabilise the West and don't care two hoots about the victims in those territories who are scammed.
 

Buzby

Member
Joined
14 Apr 2023
Messages
631
Location
Glasgow, Scotland
Why do telecom companies allow callers to display false numbers rather than the number they are actually calling from? How difficult would it be to stop this facility?
Because all phone numbers are ‘virtual’ - or became so after System X and AXE10 exchanges began rolling out in the mid-70s. The old numbers were mapped to a line identity at the exchange, which was also used for billing. Fully digital lines of end users with ISDN would be given a ‘block’ of numbers: 30 if it was ISDN 30, 10 if ISDN 2 (or 2e). The customer could decide what number(s) to use - just one, for call centre use, or anything from the allocated range - and this allowed DDI (Direct Dialling In) to PABXs, which did away with the switchboard. Unscrupulous firms found that they could make their PABX show (‘present’ in the parlance) not just their allocated line numbers, but anything at all - this was to facilitate 0800, 0345 or any other number that could be routed to the firm. Meanwhile, the analogue PSTN was locked down, with no ability for the renter to change the line number shown - only to cause it not to be shown to other analogue customers (firms with ISDN lines got the number anyway, with a flag saying ‘do not display’).

There can be many legitimate reasons why a ‘false’ number needs to be used - a hospital ward calling out should show its main number for returning calls. The days of ‘withheld’ numbers are universally disliked, as ACR (Anonymous Call Rejection) saw to that. The signalling standard for digital lines allowed for it - across the world - so inbound calls from India or the Philippines, whether genuine or fake, can have any number programmed into them - even VOIP ‘soft’ phones let you select what number your call recipients will see. I agree it’s not ideal, but even the bank card scams - where the real number is spoofed - are no reason to accept it at face value, and the public needs to realise this.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
And why do banks allow money to be paid into accounts obviously run by scammers?
By the time it becomes evident that the account is being used for fraudulent purposes, the money has been sent through a dozen other accounts and can't be traced.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
More often than not the banks are abroad, and don't care.
They care, it's just very difficult to do anything about it given the speed with which the money can get spirited through several intermediate accounts.
 

Buzby

Member
Joined
14 Apr 2023
Messages
631
Location
Glasgow, Scotland
Anyone remember the ‘London’ Bank BCCI? They had the plug pulled on their activities - but really just the tip of the iceberg.
 

Mcr Warrior

Veteran Member
Joined
8 Jan 2009
Messages
11,975
Anyone remember the ‘London’ Bank BCCI?

'BCCI', sometimes referred to as the "Bank of Crooks and Criminals International". Ostensibly Luxembourg registered, but with head offices in London and Karachi. Failed dramatically in 1991. Generally acknowledged to be perhaps the most poorly regulated, money-laundering 'bank' ever.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
Anyone remember the ‘London’ Bank BCCI? They had the plug pulled on their activities - but really just the tip of the iceberg.
And the fact that they were shut down is an example of why most banks care about not knowingly assisting fraudsters.
 

MP33

Member
Joined
19 Jun 2011
Messages
415
I remember BCCI. I had one of their credit cards. If you were a radio amateur and a RSGB member you could get a card with your callsign on it. I met another amateur who also had one and used it on the day that they were shut down to pay for lunch for him and clients of his business. He said he never received a bill for the meal. Being in meetings and a restaurant he had no idea anything had happened.

Another London address to give, and I assume it has a house number: on Eastern Avenue, Ilford, just before the Redbridge roundabout and the A406, there is a building between two rows of terraced houses which is a substation for the Central line.
 

Lucan

Established Member
Joined
21 Feb 2018
Messages
1,211
Location
Wales
More often than not the banks are abroad, and don't care.

They care, it's just very difficult to do anything about it given the speed with which the money can get spirited through several intermediate accounts.
That's a rosy view. I have followed the scam issue quite a bit and there are certain countries where scammers prefer to deposit their gains. Thailand and the Philippines are favourites - the scammers are not necessarily based there themselves, in fact they are usually not, but if the banks do care and act then I guess that some do so at a different level from others. It is part of the scammers' obfuscation not to use a bank in their own country as a first stage, and in case of scams using gift cards, the scammers employ mules to deposit the cards in the banking nation.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
30,891
Location
Scotland
Thailand and the Philippines are favourites - the scammers are not necessarily based there themselves, in fact they are usually not, but if the banks do care and act then I guess that some do so at a different level from others.
The banks do care, in as much as it's in their interests to retain the ability to do business internationally. So they need to ensure that they are doing enough to be able to tick the necessary boxes so that they don't get kicked out of inter-bank agreements like SWIFT.
 

david1212

Established Member
Joined
9 Apr 2020
Messages
1,483
Location
Midlands
The number of unsolicited calls is increasing. I have just cleared four off the handsets from today.
Three UK numbers (0131..., 0141... and 01730...) and a fourth, 00917......
 

londonbridge

Established Member
Joined
30 Jun 2010
Messages
1,478
Here’s a new one I’ve not had before, an email telling me my Disney+ account has expired (I don’t have one), but I can extend for free for ninety days as part of the loyalty programme. Of course, they need my credit card details to verify my account.

Looked on the Disney website for an address to forward phishing emails to for their attention, but looks like they don’t have one as the help page just says delete the email and don’t click any links.
 
