
“We cannot definitively say that every phishing message we observed was caused by a direct hack into the hotel’s internal systems,” the researcher says. It is possible for phishing messages to be sent using information from other data breaches or systems unrelated to the travel industry. “The common thread is that criminals weaponize real booking context and push travelers into fake verifications or payment flows,” says Corones.
Corones says Norton has not been able to fully reveal who might be behind the attacks, but says the investigation is continuing. Those sending some phishing messages appear to be using phishing kits designed to speed up and automate the process of sending and collecting information, he says, and in many cases the same phishing kit or technical infrastructure was used. Corones says the company does not publish the full list of hotels and accommodations potentially at risk; however, he says the company has been in contact with Europol about its findings.
A Europol spokesman declined to comment, saying it does not discuss its operational activity.
“We continue to strengthen our defenses to reduce risks and limit opportunities for bad actors to target our accommodation partners and customers, and we are seeing the results,” says a Booking.com spokesperson.
Cloudbeds says the company was not hacked and that the attacks described by Norton researchers are credential phishing campaigns that target hotel employees and then customers. “The reason these scams are so effective is because the attacker can’t guess: they know exactly who the guest is, when they arrived, and what they paid,” says Aaron Ownby, vice president of engineering at Cloudbeds.
Attempts to hack hotels and use customer data to launch phishing attacks have been around for years. Throughout the travel industry, hotels often use a combination of different property management software or systems that allow people to make reservations through third-party companies. At the same time, employees can easily manage customers’ key details and reservations. “The hospitality industry needs to collectively raise the security baseline – better training for front desk staff, broader adoption of phishing-resistant authentication, and stricter controls on how guest data is accessed and exported from any platform,” says Ownby.
Smaller hotels are less likely to implement security best practices, such as multi-factor authentication for employees, says Don Smith, vice president of threat research at security firm Sophos, who has worked with companies in the travel industry.
For example, in one incident dealt with by Sophos, a cybercriminal emailed a hotel saying they lost their passport during a recent stay. In a follow-up message, the attacker included a link to a passport photo; however, when it was clicked, a file including the Vidar information stealer, which can collect login details from an infected computer, was downloaded. Days after the malware was downloaded, fraudulent messages were sent to customers from the hotel’s Booking.com account, with people complaining about losing their money.
“Threat actors like context because context makes the phishing lure more compelling,” Smith says. “It’s very difficult not to simply react and click something to remove an element of stress from what can be a stressful travel experience.”
Norton’s Corones says including real information in phishing messages can make it more difficult to determine what’s legitimate and what’s a scam. If in doubt, he says, reach out directly to the hotel or vacation rental through another means of communication. “Even if the data in the message is real, it doesn’t mean you can trust the message,” he says.