Hospitality Hackers Target Hotels' Booking.com Logins

Cyberattackers are checking into the accounts of Booking.com's hotel partners, hoping to steal their visitor data.

Booking.com app on a mobile phone with map in the background
Source: Aleksey Zotov via Alamy Stock Photo

Cyberattackers are hitting the digital road, looking to make some virtual stops at various hotels that contract with Booking.com to sell rooms. The idea is to phish the hotels' backend Booking.com logins, with the aim of taking over the accounts and ultimately harvesting data on the hotels' customers.

According to an analysis from Perception Point on the campaign, the threat actors are significantly innovating in their tactics, by focusing on specific industry practices and relationships to conduct targeted and compelling phishing attacks.

For instance, many of the phishing messages are to hotel managers, claiming that former guests are writing scathing reviews of the property online. The emails encourage the hotels to log on and reply to the complaints, and helpfully they contain a "Reply to Complaint" link.

Once duped into clicking, recipients are directed to a fake but very convincing-looking Booking.com website, complete with a believable URL (hxxps://account[.]booking-sign[.]com/sign-in?op_token=vNGgY0o3sJ8LRVeu). The targets are asked to enter their passwords on the site, and the attackers are home free.

In variations of the campaign, targets are asked to log into Booking.com's property management portal, Extranet, or else risk account deactivation; or, the messages purport to come from future guests, asking for reservation confirmations "through the app."

"The campaigns demonstrate a deep understanding of the hotel industry's processes and customer interactions," explains Peleg Cabra, senior product marketing manager at Perception Point. "The use of personalized, context-aware tactics to compromise hotel accounts in addition to the trusted Booking.com channel to scam guests is particularly novel."

Also notable: Contrary to recent "white whale" attacks on MGM Grand and Caesar's Palace, "the ongoing phishing campaign involving Booking.com is spread much wider and targets hotels of all sizes," Cabra says. "This approach indicates a strategic shift by cybercriminals towards exploiting smaller, potentially less secure networks within the hospitality sector, which may not have the same level of cybersecurity resources as larger chains."

No Reservations About Follow-On Cyberattacks

Once the attackers have access to a hotel's Booking.com profile, the larger aim is "to execute mass phishing campaigns against hotel guests," according to Perception Point's report. "By possessing hotels' Booking.com credentials, attackers are privy to guest information …While it is certainly useful to hack a hotel, the real payload lies in the customer data."

Cabra notes that successful phishers can indeed land themselves a rich prize — the data in question is quite meaty.

"The travel industry … retains complete legal names for reservations, communicate with customers through email for confirmations, and store credit card details for extended periods, often months or even years (corporate, industry, and large events) before the scheduled stay," he says. "Many hotel chains run loyalty programs. These programs require not only contact information including the name of the member, their address and phone number but also credit card details and other personal information like birthday dates and anniversaries, holding these sensitive details for long periods of time."

This trove of detailed data can help make the second-stage follow-on attacks on the hotel's customers as believable as possible, he adds.

"When combined with phishing kits, the attacks are personalized and convincing to an unprecedented degree," he says. "They leverage specific details like the individual's hotel bookings, the pricing, and customer data. This level of personalization, combined with the intrinsic trust within the hotel-customer relationship, makes these attacks extremely challenging to detect and therefore highly effective."

Cyber Defense Must Evolve With Hospitality Attack Sophistication

Cabra notes that the most interesting and novel aspect of this attack is the sophistication and multi-layered nature of the phishing campaigns; they demonstrate significant evolution when it comes to social engineering.

"The evolution of phishing efforts, as evidenced in these campaigns, highlights a worrying trend towards more sophisticated and highly targeted attacks," he explains. "The incorporation of Generative AI (GenAI) in these [phishing] schemes helps create believable, context-rich messages."

In turn, this necessitates a corresponding advancement in cybersecurity strategies and security awareness training programs, starting with the basics.

"Cultivate a culture of skepticism: Don't just trust; verify," he says. "Always confirm the identity of anyone requesting sensitive information or access to internal systems. A quick phone call or secondary email can go a long way in establishing legitimacy."

Beyond that, investing in robust email and browser security solutions, and regularly checking the efficacy of hotel security stacks, should be on the to-do list, he says.

"Make sure that your email security solution has LLM-based sentiment analysis, anti-evasion, and next-gen dynamic detection," according to Cabra. "[And] protecting the enterprise browser with a layer of security can stop malicious downloads, and access to malicious sites via any SaaS or collaboration app."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights