Scammers are using legitimate hotel booking details to craft targeted phishing attacks and have targeted customers of at least 350 hotels and vacation rentals in 50 countries, WIRED magazine reports.
Victims are far more likely to fall for a phishing attack if a message contains real information that they wouldn’t expect a scammer to know, according to researchers at Norton.
The phishing messages impersonate hotel staff and relate to recent bookings a user has made, informing the user that they need to verify their information. If a user clicks the link, they’ll be taken to a spoofed website designed to steal their credit card details.
It’s unclear how exactly the attackers obtained information about recent hotel reservations, but it likely stems from data breaches or compromises of individual hotels’ booking systems.
“Hackers could obtain people’s specific vacation booking details from a variety of places, including accessing hotel systems after sending them phishing messages or through third-party booking services,” WIRED says. “For example, hackers could send malware-laced emails or files to hotels to try to get their login details, rather than systems containing vulnerabilities that are exploited by cybercriminals.”
Aaron Ownbey, vice president of engineering at Cloudbeds, told WIRED, “The reason these scams are so effective is that the attacker isn’t guessing: They know exactly who the guest is, when they’re arriving, and what they paid. ... The hospitality industry needs to collectively raise the security baseline—better training for front desk staff, wider adoption of phishing-resistant authentication, and tighter controls on how guest data can be accessed and exported from any platform.”
Users should be aware that threat actors sometimes have access to non-public information, and they can use this data to establish a sense of trust during a social engineering attack.
This article was reprinted with permission from KnowBe4. Get the original article from WIRED.