
Scammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing Attacks

Why This Matters

This investigation reveals that cybercriminals are exploiting stolen hotel reservation data to craft highly targeted spear-phishing attacks, putting travelers' personal and financial information at risk. As these scams become more sophisticated, both the hospitality industry and consumers must remain vigilant against such personalized cyber threats. The widespread nature of these attacks underscores the urgent need for improved cybersecurity measures and traveler awareness.

Key Takeaways

Travelers’ information and booking details may have been stolen from hundreds of hotels around the world, according to new findings from security researchers. These swiped trip details, such as booking names and reservation information, are then being repurposed by cybercriminals to create highly targeted phishing messages used to steal credit card information.

At least 350 hotels, vacation rentals, motels, and guesthouses in 50 different countries have been caught up in so-called reservation hijacking scams, according to an analysis of phishing messages and cybercriminal infrastructure by security company Norton. Researchers say the use of legitimate booking information in phishing messages may increase the chances that someone clicks on a fraudulent link and hands over other sensitive details to criminals.

“This is really targeted,” says Luis Corrons, who led the research by Norton’s parent company, Gen. The phishing websites the company analyzed included hotel names and prices that differed for each victim, with specific check-in and check-out details added to the pages. “It’s spear phishing targeted to the specific victim with the real details of the reservation.”

Across the data analyzed by the researchers, Germany appeared to have the most hotels that could have had customer data compromised, followed by France, the UK, Italy, Spain, and the US. The 350 accommodations named in the scam SMS, WhatsApp, and email messages have capacity for around 80,000 guests at their peak, the researchers estimate. “Most of the accommodations are not big, they are small- and medium-size hotels,” says Corrons.

While attempts to hack into hotel systems to gather customer booking information have been around for years, the findings come as cybercriminals are continually expanding and developing the “phishing-as-a-service” software they use to send millions of delivery and toll scam messages every month. These phishing kits continually add new lures to trick people into clicking malicious links, and can impersonate dozens of global brands. Last year, Americans lost more than $200 million as a result of successful phishing attempts, according to recently published FBI data.

Norton started its investigations into hotel-linked fraud in December, after identifying a realistic-looking phishing message. The message, sent on WhatsApp from an account impersonating holiday website Booking.com, said it was from a specific hotel and listed the dates of an upcoming reservation, before asking the individual to click a link and confirm their details. The link led to a false website that included a chatbot, which would instantly share any entered details, such as credit card information, with the hackers.

Hackers could obtain people’s specific vacation booking details from a variety of places, including by accessing hotel systems after sending them phishing messages, or through third-party booking services. For example, hackers could send malware-laced emails or files to hotels to try to get their login details, rather than exploiting vulnerabilities in the systems themselves. Previous research by Norton published in March mentions both Booking.com and the hotel management system CloudBeds. “We have been able to get some of the messages that are received by the accommodation staff to get them phished,” Corrons says.