Scammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing Attacks

“We would not say that every single phishing message we observed was definitively caused by a direct compromise of the hotel’s own internal systems,” the researcher says. Phishing messages could have been sent using information from other data breaches or systems not linked to the travel industry. “The common factor is that criminals are weaponizing real reservation context and pushing travelers into a fake verification or payment flow,” Corrons says.

Corrons says Norton has been unable to fully unpick who may be behind the attacks but says investigations are ongoing. Those sending some of the phishing messages appear to be using phishing kits designed to speed up and automate the process of sending and collecting information, he says, and in several cases the same phishing kit or technical infrastructure has been used. The company is not publishing the full list of potentially compromised hotels and holiday accommodations, Corrons says; however, he says the company has been in touch with Europol about its findings.

A Europol spokesperson declined to comment, saying it does not discuss its operational activity.

“We continue to strengthen our defences to reduce risk and limit opportunities for bad actors to target our accommodation partners and our customers, and we are seeing results,” a Booking.com spokesperson says.

Cloudbeds says the company has not been breached and the attacks described by the Norton researchers are credential-phishing campaigns targeting hotel staff and then customers. “The reason these scams are so effective is that the attacker isn’t guessing: They know exactly who the guest is, when they’re arriving, and what they paid,” Aaron Ownbey, vice president of engineering at Cloudbeds, says.

Attempts to hack hotels and use customer data to launch phishing attacks have been around for years. Across the travel industry, hotels will often use a range of property-management software or different systems that allow people to make bookings through third-party companies. At the same time, staff can easily manage key customer details and reservations. “The hospitality industry needs to collectively raise the security baseline—better training for front desk staff, wider adoption of phishing-resistant authentication, and tighter controls on how guest data can be accessed and exported from any platform,” Ownbey says.

Smaller hotels are less likely to have security best practices in place, such as multifactor authentication for staff members, says Don Smith, the vice president of threat research at security company Sophos, which has worked with companies in the travel industry.

For instance, in one incident handled by Sophos, a cybercriminal emailed a hotel saying they had lost their passport during a recent stay. In a follow-up message, the attacker included a link to a supposed photo of the passport; when clicked, however, it downloaded a file containing the Vidar info stealer, which can collect login details from an infected computer. Days after the malware was deployed, fraudulent messages had been sent to customers from the hotel’s Booking.com account, and people were complaining that they had lost money.

“Threat actors love context because context makes a phishing lure much more compelling,” Smith says. “It’s very hard to not simply react and click on something to remove one element of stress from what may be a stressful travel experience.”

Corrons, from Norton, says the inclusion of real information in phishing messages can make it harder to determine what is legitimate and what’s a scam. If in doubt, he says, get directly in touch with the hotel or vacation rental through another means of contact. “Even if the data in the message is real,” he says, “that doesn’t mean that you can trust the message.”
