Booking.com customers hit as hospitality becomes hot target for hackers
Following a wave of attacks on the hospitality industry, a new phishing campaign is reportedly targeting Booking.com users.
According to Perception Point — the cyber security company responsible for detecting the attack — hackers are leveraging InfoStealer malware to access guests’ booking information including sensitive data such as names, booking dates, hotel details and payment methods.
Attackers then devise personalised messages to Booking.com customers using social engineering techniques to create a sense of urgency.
Users are told they need to provide their credit card details again as a verification test, or face losing their booking within 24 hours if they fail to comply.
The message, sent via both the Booking.com platform and its email, contains a link that directs users to a phishing page mirroring Booking.com’s interface.
After clicking the link, customers can see their personal details, including full name, stay duration and hotel info.
Since the threat actors have partial information on the original payment method used by the targets to book the reservation, the message specifically asks for it in full. If users re-enter their credit card or bank information, this data is directly harvested by the hackers.
According to Perception Point, the most worrying aspect of this phishing campaign is that the links are sent directly through Booking.com’s platform, unlike more typical phishing tactics such as a rogue email or a suspicious SMS, making it appear more authentic.
The cyber sec firm said this is “far from an isolated incident or a small-scale scam”. It is estimated that hundreds of hotels and resorts worldwide have fallen prey to these breaches.
The scope of the attacks remains undisclosed, but Perception Point believes that a single user has lost up to thousands of dollars.
The hospitality sector, with its wealth of personal and financial data, has become an increasingly lucrative target for cybercriminals, according to Peleg Cabra, senior product marketing manager, Perception Point.
“The recent phishing campaign against Booking.com users is a harsh reminder of this reality. This multi-layered attack underscores the lengths to which threat actors will go to abuse popular and trusted platforms.
“By deploying InfoStealer malware, they’re not just accessing guests’ booking details but also capitalising on the inherent trust we users have in these platforms.”
Cabra added that with high-profile cyber breaches like those at MGM and Caesars, it’s evident that the hospitality industry is in the crosshairs in 2023.
“Now, more than ever, there’s a pressing need to bolster defenses, adapt to new threats, and ensure that both businesses and consumers are educated about the escalating threat landscape.”