In a disturbing trend, hackers are intensifying their attacks on Booking.com users and turning to dark web forums for help in locating potential victims. Cyber-criminals are offering rewards of up to $2,000 (£1,600) for hotel login credentials and have been exploiting unsuspecting customers since at least March.
Despite Booking.com being one of the leading platforms for holidaymakers, reports of fraud have surfaced from customers in the UK, Indonesia, Singapore, Greece, Italy, Portugal, the US, and the Netherlands. While Booking.com itself has not been compromised, cyber-security experts reveal that hackers are infiltrating individual hotels’ administration portals linked to the service.
A spokesperson from Booking.com acknowledged the targeted attacks, stating that some accommodation partners are falling victim to hackers utilizing various well-known cyber-fraud techniques.
Research conducted by cyber-security firm Secureworks sheds light on the clandestine methods employed by these hackers. The attackers begin by tricking hotel staff into downloading malware called Vidar Infostealer. Posing as former guests, they email hotels claiming to have left a passport in the room. The email contains a Google Drive link that supposedly holds an image of the passport but instead delivers the malware onto staff computers, where it searches for Booking.com access.
Once inside the Booking.com portal, hackers gain visibility into all customers with current room or holiday reservations. Using the official app, they then contact customers and manipulate them into making payments directly to the hackers rather than the hotel.
The financial success of these attacks is evident in the substantial sums hackers are now offering to criminals who share access to hotel portals. Rafe Pilling, director of threat intelligence for Secureworks Counter Threat Unit, states, “The scam is working and it’s paying serious dividends,” attributing its success to how effective the social engineering is.
Victims like Lucy Buckley have fallen prey to this scheme. Contacted through the Booking.com app, hackers convinced her to send £200, claiming to be staff at the Paris hotel where she booked a room. Fortunately, she managed to secure a refund after realizing the deception.
In response to the growing threat, cyber-security expert Graham Cluley suggests that hotels on Booking.com implement multi-factor authentication to bolster security. He emphasizes that the platform itself could do more, such as blocking chat links that lead to websites less than a few days old, which would prevent freshly created fake sites from being used to deceive customers into making payments.
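As an added illustration of the link-age check Cluley describes (example code written for this page, not Booking.com's own implementation): a chat message screen that extracts links, looks up the registrable domain's creation date, and blocks any link whose domain is younger than a configurable threshold. The `SAMPLE_DOMAIN_CREATED` table is constructed sample data standing in for a real WHOIS/RDAP lookup, and the domain names in it are hypothetical.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample data standing in for a WHOIS/RDAP creation-date lookup.
# Both domains are hypothetical placeholders, not real sites.
SAMPLE_DOMAIN_CREATED = {
    "example-hotel-paris.example": date(2015, 6, 1),
    "secure-booking-pay.example": date(2023, 11, 20),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(url):
    """Reduce a URL to its registrable domain (naive: last two labels).
    Production code should use a public-suffix list instead."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def extract_links(message):
    """Return every http(s) URL found in a chat message."""
    return URL_RE.findall(message)


def link_age_days(url, lookup, today):
    """Age of the link's domain in days, or None when the lookup has no record."""
    created = lookup(registrable_domain(url))
    return None if created is None else (today - created).days


def screen_message(message, lookup, today, min_age_days=7):
    """Screen a chat message before delivery.

    Returns (allowed, findings) where each finding is (url, age_or_'unknown', verdict).
    A domain younger than min_age_days is blocked; a domain with no creation
    record is also blocked, since failing closed is the safer default here.
    """
    findings = []
    for url in extract_links(message):
        age = link_age_days(url, lookup, today)
        if age is None:
            findings.append((url, "unknown", "block"))
        elif age < min_age_days:
            findings.append((url, age, "block"))
        else:
            findings.append((url, age, "allow"))
    return all(f[2] == "allow" for f in findings), findings
```

Passing `SAMPLE_DOMAIN_CREATED.get` as `lookup` runs the check offline; swapping in a real RDAP query is the only change needed for live use.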