Booking.com customers are being targeted by a novel social engineering campaign, which is “paying serious dividends” for cybercriminals, according to new research by Secureworks.
The researchers said the campaign, which they believe has been running for at least a year, begins by deploying the Vidar infostealer to gain access to partner hotels’ Booking.com credentials. This information is then used to send phishing emails to Booking.com customers and trick them into handing over their payment details, in many cases leading to money being stolen.
The scam is proving so fruitful that Booking.com portal credentials are commanding sale prices of up to $2000 on two cybercrime forums, according to the researchers.
How the Scam Works
In an October 2023 attack investigated by Secureworks, the threat actor initially emailed a member of the hotel’s operations staff requesting help to find an ID document they claimed to have lost. The message did not include an attachment or malicious links.
With no reason to be suspicious, the employee responded to the email and requested additional information to help them assist the fake customer.
Later that week, the threat actor emailed back, identifying the ID as a passport and stating that they strongly believed they had left it at the hotel. They included a link to a Google Drive URL that purportedly hosted photos of the passport and the guest’s check-in details.