![\"Example](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/06\/04173008\/attack-on-hotel-business-complaint.jpg\")
<\/a>Example of a complaint regarding a conflict that allegedly occurred in a hotel<\/p><\/div>\n
Early this year, attackers modified their tactics. Instead of direct complaints, they started sending e-mails disguised as notifications from Booking.com \u2014 the popular online accommodation booking platform. The essence remains the same: someone supposedly left a negative review on the platform that hotel staff need to address as a matter of extreme urgency. This may seem like a different scam altogether, but the attack\u2019s goals and the e-mail technical headers (throwing light on the mailing engine) indicate that these e-mails are part of the same campaign.<\/p>\n
<\/a>E-mail mimicking a notification from Booking.com<\/p><\/div>\n
In the inquiry-based e-mails, attackers pose as potential guests and request additional information about hotel services and pricing. The options are endless, with each message\u2019s subject and content almost always unique. Besides routine questions about transfers, meals, and rates, these pseudo-guests may inquire about a playroom for kids, a quiet space for remote work, or the availability of rooms with special historical or cultural significance.<\/p>\n
Here are some more examples of phishing e-mail subjects and content:<\/p>\n
- \n
- \nSubject: <\/strong>Examining Different Payment Gateways for Amusement Park Passes.
\nBody: <\/strong>What are the consequences of canceling a reservation within a few weeks of the check-in date?<\/li>\n- \nSubject: <\/strong>Seeking clarification on making a reservation.
\nBody: <\/strong>Greetings! In case I misplace an item, what\u2019s the process for locating lost possessions during my stay?<\/li>\n- \nSubject: <\/strong>Enquiry about booking.
\nBody: <\/strong>Hi there! Does the room have a mini-bar, and what items are included?<\/li>\n- \nSubject: <\/strong>How to reserve a double room online without any hassle.
\nBody: <\/strong>What happens if guests arrive outside of normal check-in hours at your hotel?<\/li>\n- \nSubject: <\/strong>Securing exclusive hotel rooms: attention to finer details.
\nBody: <\/strong>Good afternoon, I\u2019m interested in staying at your hotel but I have some questions about the payment process. Can you assist me with that?<\/li>\n- \nSubject: <\/strong>Room Fresh Flowers and Plants.
\nBody: <\/strong>Are there options available to request fresh flowers or plants in the guest rooms?<\/li>\n- \nSubject: <\/strong>Laundry Facility Information.
\nBody: <\/strong>What information can you provide about the hotel\u2019s laundry facilities, including services offered and associated charges?<\/li>\n- \nSubject: <\/strong>Booking Request for Pet-Friendly Family Room.
\nBody: <\/strong>Our family and pets are looking forward to our stay. Can you provide a room that\u2019s suitable for pets? Information on pet amenities would be valuable.<\/li>\n- \nSubject: <\/strong>Inquiry for Rooms with Sustainable Energy Sources.
\nBody: <\/strong>Desire a room powered by sustainable energy sources to support eco-friendly living during my stay.<\/li>\n- \nSubject: <\/strong>Request for Assistance with Wine Tasting Tours.
\nBody: <\/strong>Can you arrange wine tasting tours at local vineyards or wineries?<\/li>\n- \nSubject: <\/strong>Dedicated Workspace in Rooms for Business Guests Inquiry.
\nBody: <\/strong>Are dedicated workspaces available in rooms for guests who need to work remotely?<\/li>\n<\/ul>\nNote \u2013 these are actual verbatim examples that were used by attackers.<\/p>\n
As you can see, on the one hand, these are all perfectly plausible questions that real hotel customers ask. On the other, the subject and body of the e-mail are not always logically connected. It\u2019s as if, in some cases, the senders pulled them from some pre-compiled database in random order.\n<\/p>\n
Multi-stage correspondence with fake clients<\/h2>\n
\nIn some cases, attackers adopt methods more common to targeted attacks \u2014 no malicious link is sent in the first or even the second e-mail. To lull the victim\u2019s vigilance, they initiate a conversation with one or more short, seemingly innocuous messages, asking questions about accommodation conditions at the hotel.<\/p>\n
For example, in the first message, an attacker posing as a potential customer claims to be planning a surprise for their wife. In the reply, the hotel employee clarifies the dates of stay and asks how the staff could assist with the surprise. Only then does the attacker send an e-mail with a link to download a malicious file, supposedly containing detailed instructions on creating a special atmosphere in the room \u2014with a promise of generous rewards for the staff\u2019s efforts, of course.<\/p>\n
![\"Example](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/06\/04173038\/attack-on-hotel-business-multistage.png\")
<\/a>Example of an attack involving preliminary exchange<\/p><\/div>\n
End goals<\/h2>\n
\nBy and large, the cybercriminals\u2019 objective in all these cases is to obtain credentials. These can then be used in other scams or simply sold, as databases of such usernames and passwords are in high demand on the dark web. Late last year, we wrote about how compromised hotel accounts on Booking.com<\/a> are being used to scam clients out of payment information. It\u2019s highly probable that the ultimate goal of the attackers in this case is to implement a similar scheme.<\/p>\n
As we wrote above, cybercriminals either lure the victim to a phishing site, or attempt to infect their computer with malware. Here\u2019s how they do it.\n<\/p>\n
Malware infection<\/h3>\n
\nAttackers mostly use links to files with malicious content that are stored on legitimate file-sharing services. Less common are various methods of link masking \u2014 such as shortened URLs. These links can be in the e-mail body or in an attachment, for example a PDF document. In some cases, files with malicious content (such as infected Microsoft Word documents) are sent as attachments directly.<\/p>\n
If the victim follows the link and downloads the file or opens the attachment, a variety of malware may appear on their device, among which there is usually a password stealer. We\u2019ve encountered threats like the XWorm backdoor<\/a> and the RedLine<\/a> stealer.\n<\/p>\n
Phishing e-mails<\/h3>\n
\nIn some instances, phishing links lead to pages that mimic the Booking.com login form. Other times, the phishing page looks like a form for entering corporate credentials. If attackers manage to use these to access corporate e-mail accounts, a lot of doors open to them \u2014 such as hijacking the associated Booking.com account, or contacting customers while impersonating the hotel.<\/p>\n
![\"Phishing](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/06\/04173056\/attack-on-hotel-business-pseudobooking.jpg\")
<\/a>Phishing website mimicking the Booking.com login page<\/p><\/div>\n
How to defend against an attack<\/h2>\n
\nTo safeguard your hotel staff from falling victim to these schemes and protect your business, do the following:\n<\/p>\n
- \n
- Run regular security awareness training for employees<\/a>. This will equip them with the knowledge to resist social engineering techniques and spot cybercriminal tricks early. For example, in the case of the Booking.com e-mail scam, this can be done with the naked eye \u2014 just pay attention to the From<\/em> A large and reputable service like Booking.com would never send notifications from a free e-mail address. Furthermore, a website mimicking the login page may hosted on a third-party domain that\u2019s completely unrelated to the travel platform.<\/li>\n
- Implement protection at the e-mail gateway level<\/a>. While employees might still receive pesky e-mails from scammers, phishing and malicious links along with dangerous attachments won\u2019t ever reach their inboxes.<\/li>\n
- Install robust security solutions<\/a> with anti-phishing technology on all devices used for work.<\/li>\n
- Stay informed by reading our blog<\/a> to be among the first to learn about the latest e-mail threats.<\/strong>\n<\/li>\n<\/ul>\n\n","protected":false},"excerpt":{"rendered":"
Threat actors are targeting hotel staff with malicious and phishing e-mails.<\/p>\n","protected":false},"author":2760,"featured_media":22849,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[1815],"class_list":{"0":"post-22846","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-e-mail"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/attacks-on-hotel-business\/22846\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/attacks-on-hotel-business\/27526\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/attacks-on-hotel-business\/30198\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/attacks-on-hotel-business\/27678\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/attacks-on-hotel-business\/37592\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/attacks-on-hotel-business\/51393\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/attacks-on-hotel-business\/36530\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/attacks-on-hotel-business\/27846\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/attacks-on-hotel-business\/33671\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/attacks-on-hotel-business\/33336\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/e-mail\/","name":"e-mail"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2760"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=22846"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22846\/revisions"}],"predecessor-version":[{"id":22848,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22846\/revisions\/22848"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/22849"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=22846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=22846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=22846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Implement protection at the e-mail gateway level<\/a>. While employees might still receive pesky e-mails from scammers, phishing and malicious links along with dangerous attachments won\u2019t ever reach their inboxes.<\/li>\n
- \nSubject: <\/strong>Seeking clarification on making a reservation.