The scam, investigated by cyber-security firm Secureworks, involved deployment of the Vidar infostealer to steal a hotel’s Booking.com credentials.
Access to the Booking.com management portal allows the threat actor to see upcoming bookings and directly message guests, according to cybersecurity firm Secureworks.
Booking.com has not been hacked but hackers have devised ways to get into the administration portals of individual hotels which use the service.
Hackers are offering $30 to $2,000 per valid log with additional incentives for regular suppliers.
According to reports, hackers appear to be making so much money in their attacks that they are now offering to pay thousands to criminals who share access to hotel portals.
Discover the stories of your interest
A Booking.com spokesperson said that the company is aware that some of its accommodation partners are being targeted by hackers “using a host of known cyber-fraud tactics”, reports the BBC.Secureworks incident responders noted that the threat actor initiated contact by emailing a member of the hotel’s operations staff.
“The sender claimed to be a former guest who had lost an identification document (ID), and they requested the recipient’s assistance in finding it. The email did not include an attachment or malicious links, and it was likely intended to gain the recipient’s trust,” the security team noted.
With no reason to be suspicious, the employee responded to the email and requested additional information to assist the sender.
Later, the threat actor sent another email about the lost ID. The sender identified the document as a passport and stated that they strongly believed they left it at the hotel.
When the recipient clicked the link in the email, a ZIP archive file was downloaded to the computer’s desktop.
“Microsoft Defender identified a file within this archive as the Vidar infostealer. Microsoft Defender detected multiple failed execution attempts before the malware finally executed,” the researchers informed.
Secureworks researchers analysed the contents of this file and confirmed that it is the Vidar infostealer. This Vidar sample is configured to only steal passwords.
“This activity originally appeared to suggest that Booking.com’s systems were compromised. However, the observations by Secureworks incident responders indicate that threat actors likely stole credentials to the admin.booking. com property management portal directly from the properties and used the access to target the properties’ customers,” the team said.
–IANS
na/dpb