Phishing campaign targets hotel guests

We've all been through trainings at work where they tell us to pay attention to URLs and validate their authenticity, examine emails for red flags, not trust calls and messages asking for urgent action - and so on. A false sense of security can creep in: I should be able to recognize a scam. Last week's episode of Smashing Security, however, brought up an attack that is scarily easy to fall for.

Here's my brief summary:

  • The attackers sent emails to hotels with a link to an infostealer.
  • Once it was executed, they could access booking platforms on behalf of the hotels.
  • The attackers contacted customers with urgent requests to update their credit card details - otherwise they'd lose their reservation.
  • The link to update credit card details was illegitimate.

Unlike a regular phishing attack that we're all used to, this was performed through legitimate and - you'd think - safe channels. As the report says:

It is often recommended that customers use only official and known methods of communication, such as various messaging platforms within the site, to prevent illegitimate or scam interactions. Unfortunately, this great advice becomes moot now that the attacker can access those methods. <...> It is important to remember that this message comes from within the booking site’s message platform itself.

Honestly, I'm impressed - that's a rather sophisticated attack. Here you can read about it in detail, along with suggestions on how to protect yourself.

Stay safe and inform people around you!