Cybercriminals are preying on the inherent helpfulness of hotel staff during the sector's busy holiday season.
Researchers at Sophos said the latest malware campaign targeting hotels involves sending emails that play on the emotions of staff, while at the same time applying time pressure, to trick them into downloading password-stealing malware.
Both typically necessitate a fast response from hotel management.
Complaint emails can range from allegations of violent or prejudicial behavior by staff to claims of having possessions stolen, for example.
In these cases, attackers will often compose a strongly worded, text-only email outlining their initial complaint.
When the staff then responds by requesting more information, the attacker sends a message directing the staff to open a link that supposedly contains evidence supporting their claim.
Similar to the previous examples, the attacker will instruct the staff to visit the link, which supposedly contains the information necessary for the hotel staff to familiarize themselves with the medical needs of their fake children.
Some emails are composed in what reads like native English, reducing the likelihood of staff members working fast-paced jobs being alerted to the malicious nature of the message.
Hotel staff have been advised to make themselves aware of the types of scams going around and to be vigilant for any signs that an email might be an attempted attack.
Other methods involve creating an emotional scenario, claiming to need the hotel's help to retrieve a lost item, sometimes one with sentimental value, left behind in a hotel room.
Email sent to hotels including a link to a malicious archive instead of images of a lost item.
In these cases, attackers may try to disarm the staff with grief, playing on their willingness to offer help, which Sophos says is a self-selecting trait of successful hospitality workers.
All of the methods described in the research serve to steal hotel management credentials, which have recently been used in a spate of attacks against Booking.com customers that has been ongoing since at least March 2023.
The goal is to steal credentials to admin management portals, which are in turn logged into the Booking.com partner portal.
From there, attackers have been sending messages directly to customers from within Booking.com, lending an air of legitimacy to the communication.
Customers are asked for credit card details to secure their booking and are told it will be cancelled within 24 hours if the details aren't provided, creating a sense of urgency.
Investigating the incident, Secureworks also spotted a high demand for Booking.com credentials on underground forums, with some users offering up to $5,000 for a valid infostealer log, along with incentives to regular suppliers.
One crook, who offers a service that checks infostealer logs for valid credentials to various platforms (including Facebook Ads Manager, Gpay, Discord, and more), added a new Booking.com admin portal service to the offering, again suggesting demand has risen.
Due to the rigorous controls and the machine learning capabilities we employ, we are able to detect and block the overwhelming majority of suspicious activity before it impacts our partners or customers.
It's good to remember that no legitimate transaction will ever require a customer to provide their credit card details by phone, email, or text message.
This Cyber News was published on go.theregister.com. Publication date: Wed, 20 Dec 2023 22:13:06 +0000