Full Report
A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We'll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world's most visited travel website.
Analysis Summary
# Incident Report: Spear-Phishing Attack Via Booking.com Partner Compromise
## Executive Summary
A spear-phishing campaign targeted customers immediately after they made reservations via Booking.com, leveraging credentials stolen from an unnamed California hotel accommodation partner. Attackers used compromised partner accounts to send fraudulent messages within the Booking mobile app, tricking customers into providing payment information on an external phishing site. While Booking.com’s internal systems were not compromised, the incident highlights the risk posed by compromised third-party vendors lacking strong security controls like MFA.
## Incident Details
- **Discovery Date:** Late October 2024 (when the reader's friend received the phishing message).
- **Incident Date:** Late October 2024 (when the targeted phishing occurred; ongoing capability noted since at least March 2023).
- **Affected Organization:** An unnamed California hotel/accommodation partner of Booking.com.
- **Sector:** Travel/Hospitality (e-commerce platform partner).
- **Geography:** California, USA (location of the targeted hotel partner).
## Timeline of Events
### Initial Access
- **Date/Time:** Unspecified, but preceding the customer contact in late October 2024.
- **Vector:** Compromise of the **accommodation partner's** internal systems, likely via malware (as noted in prior similar incidents detailed by SecureWorks).
- **Details:** Attackers gained access to the hotel’s machine, subsequently obtaining access to the hotel's Booking.com partner account credentials.
### Lateral Movement
- Not described: the attacker moved from the infected hotel machine directly to the hotel's Booking.com partner account using the stolen credentials; no movement within the hotel's own network is reported.
- **Impact Phase:** The compromised partner account was used to message guests with recent reservations, which is where the social-engineering stage began.
### Data Exfiltration/Impact
- **Impact:** Tricked customers into providing details (potentially including payment data) on a fraudulent website (`guestssecureverification[.]com`).
- **Data Compromised:** Customer reservation details were known to the attacker (used for personalization), and subsequent payment/personal data was solicited via the phishing link.
### Detection & Response
- **Detection:** A close friend of a KrebsOnSecurity reader reported receiving a targeted phishing message shortly after making a reservation.
- **Response Actions (Booking.com):** Confirmed the attack targeted a partner, not their internal systems; stated they required 2FA for partners to access payment details; investigating the incident.
## Attack Methodology
- **Initial Access:** Compromise of an accommodation partner's workstation, most likely by infostealer malware (the pattern documented in earlier SecureWorks reports).
- **Persistence:** Valid credentials for the partner's Booking.com account, which remain usable until the password is rotated or a second factor is enforced.
- **Privilege Escalation:** Not described; the stolen partner credentials already carry the partner-level access (reservation details, guest messaging) that the attack required.
- **Defense Evasion:** Using legitimate messaging channels within the Booking mobile app (though the communication ultimately directed users off-platform).
- **Credential Access:** Likely via malware compromising the partner's system. A previous pattern involved the Vidar infostealer.
- **Discovery:** Enumeration of recent reservations in the partner portal to identify guests who had just booked.
- **Lateral Movement:** Not described; the pivot was from the infected hotel machine to Booking.com's partner portal with the stolen credentials (use of a valid account, not movement within a network).
- **Collection:** Gathering information about recent reservations to personalize the attack.
- **Exfiltration:** Payment data was harvested from the customer through the phishing site; nothing is reported stolen from Booking.com, and the only data reported taken from the hotel is the partner account credentials.
- **Impact:** Financial fraud/theft targeting Booking.com customers.
## Impact Assessment
- **Financial:** Potential financial loss for customers who submitted payment information to fraudulent sites.
- **Data Breach:** Customer reservation details were available to the attacker and used to personalize the lure; any payment data entered on the phishing site was exposed to the attacker.
- **Operational:** Minimal direct impact on Booking.com core services; the affected partner would need to rotate its credentials and clean the infected machine.
- **Reputational:** Damage to trust in the Booking.com platform and its partner ecosystem, since the fraud arrived through the platform's own messaging channel.
## Indicators of Compromise
- **Network Indicators (Defanged):** Phishing domain `guestssecureverification[.]com`.
- **File Indicators:** Not explicitly mentioned for this specific instance, but prior related attacks involved Vidar infostealer malware.
- **Behavioral Indicators:** Receiving highly personalized messages via the Booking mobile app shortly after booking, claiming anti-fraud verification is required, and directing users to make payments outside the platform.
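The behavioral indicators above can be turned into a scoring rule for partner-to-guest messages. The following is an added example, not code from Booking.com or from the KrebsOnSecurity article: it refangs the reported IOC, flags links to any domain other than an assumed platform allowlist (so it also catches a lure on a domain not yet on a blocklist), counts the lure phrases the report describes, and weights messages sent shortly after a booking. The allowlist, scoring weights, threshold and sample messages are constructed assumptions.

```python
# Added example (not code from Booking.com or the KrebsOnSecurity article):
# heuristic scoring of partner-to-guest messages for the lure described in the
# incident. The platform allowlist, weights, threshold and sample messages are
# constructed assumptions for illustration.
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse


def refang(indicator):
    """Turn a defanged indicator such as example[.]com back into a matchable host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Registrable domains a legitimate platform message may link to (assumed allowlist).
PLATFORM_DOMAINS = {"booking.com"}

# The defanged IOC from the report, refanged for matching.
KNOWN_PHISHING_DOMAINS = {refang("guestssecureverification[.]com")}

# Phrases that recur in "verify now or lose your reservation" lures.
LURE_PHRASES = [
    r"\banti[- ]?fraud\b",
    r"\bverif(?:y|ication)\b",
    r"\bconfirm (?:your )?(?:card|payment)\b",
    r"\bwithin \d+ (?:hours|minutes)\b",
    r"\breservation will be cancell?ed\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable(host):
    # Last two labels only; fine for the samples, not for multi-label TLDs such as co.uk.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_hosts(body):
    """Hostnames of every http(s) URL in the message body."""
    return [urlparse(u).hostname or "" for u in URL_RE.findall(body)]


def score_message(body, sent_at, booked_at):
    """Return (score, reasons) for one partner-to-guest message."""
    score, reasons = 0, []
    for host in link_hosts(body):
        base = registrable(host)
        if base in KNOWN_PHISHING_DOMAINS:
            score += 10
            reasons.append(f"known phishing domain {host}")
        elif base not in PLATFORM_DOMAINS:
            score += 5
            reasons.append(f"off-platform link {host}")
    hits = [p for p in LURE_PHRASES if re.search(p, body.lower())]
    if hits:
        score += 2 * len(hits)
        reasons.append(f"{len(hits)} lure phrase(s)")
    if timedelta(0) <= sent_at - booked_at <= timedelta(hours=24):
        score += 1
        reasons.append("sent within 24h of booking")
    return score, reasons


def classify(body, sent_at, booked_at, threshold=6):
    """Label a message 'suspicious' or 'benign'; returns (label, score, reasons)."""
    score, reasons = score_message(body, sent_at, booked_at)
    return ("suspicious" if score >= threshold else "benign"), score, reasons


# Constructed sample messages; BOOKED_AT is the (assumed) reservation time.
BOOKED_AT = datetime(2024, 10, 28, 14, 0)
SAMPLES = {
    "lure_known_domain": (
        "Dear guest, due to anti-fraud verification your reservation will be "
        "cancelled unless you confirm your card within 12 hours: "
        "https://guestssecureverification.com/booking/123",
        BOOKED_AT + timedelta(minutes=20),
    ),
    "lure_new_domain": (
        "Please verify your payment at https://hotel-guest-check.example/pay "
        "within 2 hours.",
        BOOKED_AT + timedelta(hours=3),
    ),
    "benign": (
        "Thanks for booking! Check-in is from 15:00 and parking is on site. "
        "Manage your stay at https://secure.booking.com/mystay",
        BOOKED_AT + timedelta(minutes=5),
    ),
}


def run_samples():
    """Classify every sample; returns {name: (label, score)}."""
    return {name: classify(body, sent, BOOKED_AT)[:2] for name, (body, sent) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (body, sent) in SAMPLES.items():
        print(name, classify(body, sent, BOOKED_AT))
```

The second sample matters most: it uses a domain that appears on no blocklist, and it is still flagged because a partner message should never route a guest to a non-platform host for payment. In production the registrable-domain check should use a public-suffix list, and the phrase list is a starting point, not a substitute for a link-rewriting proxy that blocks off-platform payment URLs outright.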
## Response Actions
- **Containment:** Booking.com is investigating the compromised partner account.
- **Eradication:** Not detailed for the partner, but Booking.com is enforcing/relying on 2FA policies.
- **Recovery:** Not detailed; the public disclosure itself serves as a warning to customers and partners.
## Lessons Learned
- The security posture of third-party vendors (accommodation partners) represents a significant risk vector to major platforms like Booking.com.
- Attackers use stolen partner credentials to impersonate a legitimate hotel, so the first contact arrives through a channel the customer has reason to trust (the Booking app) before the victim is moved off-platform.
- A lack of mandatory Multi-Factor Authentication (MFA/2FA) on partner accounts significantly eases credential exploitation, as seen in a comparable SecureWorks case.
- The sophistication of phishing is increasing due to the use of AI tools, making detection by human users harder.
## Recommendations
- **Mandate and Verify MFA/2FA:** Booking.com must ensure 100% system-wide enforcement of mandatory MFA for all partners accessing sensitive data or customer information, not just payment access.
- **Vendor Risk Management (VRM):** Implement stricter security auditing and contractual requirements for high-access partners.
- **Customer Education:** Continuously warn customers about common social engineering tactics, specifically emphasizing that legitimate booking platforms rarely require off-platform payments or extra verification via text/app message links post-booking.
- **Defensive AI/ML:** Increase investment in AI-driven fraud detection to counteract adversary use of AI in phishing lures.
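The MFA recommendation above rests on a gap worth seeing concretely: Booking.com said 2FA was required to access payment details, yet the attack never touched payment details, only reservation lookups and guest messaging. The following is an added example, not Booking.com's code, that models the two policies as authorization checks and replays the attacker's steps against each. The scope names, the session model and the partner identifier are assumptions for illustration.

```python
# Added example (not Booking.com's code): a step-up authorization check showing
# why 2FA that gates only payment-detail access did not stop this attack, beside
# a policy that gates every customer-data operation. Scope names, the session
# model and the partner identifier are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Session:
    partner_id: str
    password_verified: bool = True
    mfa_verified: bool = False


# Assumed scope names for partner-portal operations.
PAYMENT_SCOPES = {"reservation.payment_details"}
CUSTOMER_DATA_SCOPES = PAYMENT_SCOPES | {
    "reservation.read",    # guest name, dates, booking reference
    "guest.contact.read",  # phone / email
    "guest.message.send",  # in-app message to the guest
}
# Scopes that touch no customer data, e.g. editing the property description.
PUBLIC_SCOPES = {"property.description.edit"}


def allow_mfa_only_for_payments(session, scope):
    """Weak policy, as described in the report: MFA is required only to view payment details."""
    if not session.password_verified:
        return False
    if scope in PAYMENT_SCOPES:
        return session.mfa_verified
    return True


def allow_mfa_for_all_customer_data(session, scope):
    """Hardened policy: anything that reads customer data or messages guests needs MFA."""
    if not session.password_verified:
        return False
    if scope in CUSTOMER_DATA_SCOPES:
        return session.mfa_verified
    return True


# The two operations the attacker needed: find fresh reservations, then message the guest.
ATTACK_STEPS = ["reservation.read", "guest.message.send"]


def simulate_attack(policy):
    """Replay the attack with a stolen password and no second factor; returns the scopes granted."""
    stolen = Session(partner_id="hotel-ca-0001", password_verified=True, mfa_verified=False)
    return [scope for scope in ATTACK_STEPS if policy(stolen, scope)]


def legitimate_partner_ok(policy):
    """A partner who completed MFA keeps full access under either policy."""
    staff = Session(partner_id="hotel-ca-0001", mfa_verified=True)
    wanted = ATTACK_STEPS + sorted(PAYMENT_SCOPES) + sorted(PUBLIC_SCOPES)
    return all(policy(staff, scope) for scope in wanted)


if __name__ == "__main__":
    for policy in (allow_mfa_only_for_payments, allow_mfa_for_all_customer_data):
        print(policy.__name__, "grants attacker:", simulate_attack(policy),
              "| legitimate partner ok:", legitimate_partner_ok(policy))
```

Under the weak policy the stolen password alone grants both steps of the attack; under the hardened one it grants nothing, while a partner who has completed MFA is unaffected. The point generalizes beyond this incident: a step-up requirement must cover every operation an attacker can monetize, not only the one that looks most sensitive on paper.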