Hackers are abusing hotel booking notifications to steal credentials in a new phishing campaign

News
By published

Newly discovered campaign targets hotels and other hospitality businesses

Suitcase next to a bed in a hotel
(Image credit: Getty Images)
  • Phishing campaign targets hotel staff using fake Expedia and Cloudbeds login pages
  • Attackers show deep knowledge of hospitality workflows to boost credibility
  • Hospitality businesses are prime targets due to constant handling of sensitive guest data

Hotels, and other similar businesses in the hospitality industry, are being targeted by an advanced, highly convincing, phishing campaign.

The goal of the attacks is to harvest usernames, passwords, and potentially multi-factor authentication tokens (MFA) from two hospitality-centric platforms: Expedia Partner Central, and Cloudbeds.

This is according to Mimecast’s Threat Research Team, and researchers Samantha Clarke and Ankit Gupta. The team discovered an ongoing campaign distributing “urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff.”

Sophisticated understanding of hospitality workflows

Usually, the email messages discuss common tracking alerts, system updates, guest booking confirmations, and partner central notifications. These are regular topics in the hospitality industry, and are generally time-sensitive. Hotels that fail to address these messages on time usually end up losing revenue.

This means that, whoever is behind this campaign, has “sophisticated understanding of hospitality workflows,” the researchers further explained. The links in the emails then redirect the victims towards malicious landing pages, designed to look identical to login pages of Expedia and Cloudbeds.

This is where the attackers capture login credentials and, potentially, 2FA codes. All of the landing pages were hosted on Vercel, they added.

Sensitive data, such as email addresses, Social Security Numbers, passport and government ID numbers, dates of birth, postal addresses, and similar, are quite valuable to cybercriminals.

They allow them to launch phishing attacks that can give them access to important services, bank accounts, and more. Businesses in the hospitality industry, on the other hand, generate this type of data constantly, making them a prime target for campaigns such as this one.

Less than a month ago, a cybercriminal managed to break into the booking system used by numerous hotels in Italy and steal highly sensitive information on thousands of guests. Before that, high-profile hotel chains, including Marriott and Hilton, all had sensitive customer data leak as part of a supply-chain attack against a partner.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.