Each news-making data breach gives business leaders another reason to not underestimate hackers’ resourcefulness.
Elad Damari
Considering there’s far more to steal from hotels than just pillows and towels, the hospitality sector is no exception. As of late, threat actors have been increasingly targeting Booking.com-affiliated hotels by way of phishing, with an eye on their vast repositories of guest data.
The recent attacks are a stark reminder of the vulnerabilities within the hospitality sector’s digital infrastructure, building off a string of attacks on Booking.com customers. This underscores the critical need for robust and well-prepared MSPs that are managing the security infrastructure for hospitality customers to help preserve the trust and confidence hotels work so hard to foster with their guests.
Attack Breakdown
Hackers in this latest string of attacks used techniques that go beyond typical phishing campaigns that dupe victims into divulging sensitive information. They pulled off a multifaceted social engineering scheme, one that employed several clever tactics to access hotels’ Booking.com accounts.
For one, malicious actors sent socially engineered messages to hotels from a seemingly legitimate Booking.com email address, urging staff to respond to a “negative review” left by a former guest by clicking a “Reply to Complaint” link.
A socially engineered message on the Booking.com platform.
Feeling compelled to quickly resolve the issue, employees clicked the link and were redirected to a fake Booking.com login webpage that looked authentic – even the URL was close to the real one. When hotel staff members entered the hotel’s login ID and password, hackers obtained access to the hotel’s Booking.com credentials.
A Booking.com fake login page that tricked hotel staffers.
Similarly, attackers convinced staff to log into the hotel’s extranet account – Booking.com’s property management portal – claiming that failure to do so would result in account deactivation. This was just another ruse to engineer a “time-sensitive” scenario that allowed bad actors to gain access to confidential credentials.
Attackers posing as prospective guests also sent emails to hotels asking for clarification on their upcoming reservations, providing a Booking.com confirmation link. Once again, the link directed users to a spoofed login page where hotel credentials were one login ID and password away from being stolen.
Although this phishing campaign preyed on hotel workers, the attackers’ true targets were the guests. If guest email addresses, phone numbers, and credit card details are locked away behind encryption systems, a hotel’s Booking.com credentials are the master key. Thus, with financial data in the wrong hands, some victims were robbed of hundreds to thousands of dollars.
Attackers were able to target hotel guests by preying on hotel staff.
Key Takeaways for MSPs and Cybersecurity Vendors
Fortunately, hotels don’t have to face the threat landscape alone. MSPs can be a crucial ally in safeguarding hotels’ sensitive data by facilitating access to the advanced threat prevention tools cybersecurity vendors offer.
However, MSPs need to stay sharp. MSPs should provide hotels with modern email security solutions that leverage AI, ML and other advanced detection engines such as anti-evasion and next-gen dynamic scanning. Methods such as these can accurately analyze the authenticity of email contents and block sophisticated phishing attempts if malicious links or spoofed addresses are detected.
In addition, MSPs should embrace a multilayered approach to protect their customers. This is critical with the evolution of the user’s workspace to the cloud; Email, collaboration, and productivity tools can be accessed by any browser anywhere. Deploying a consolidated solution that unifies email, browser, and SaaS app security provides centralized control and simple management for the MSP.
Backing up these efforts with regular holistic security assessments also will help MSPs identify new vulnerabilities within a hotel’s digital infrastructure.
MSPs should provide security awareness tools to help train hotel employees to recognize social engineering attempts and use safe online practices. Human error and lapses in judgment remain an Achilles’ heel in cybersecurity.
Meanwhile, it’s critical for cybersecurity vendors’ services to act as force multipliers for MSPs. They should ease deployment, provide ongoing incident management support, and allow MSPs to offload security tasks as needed.
Enjoy Your Stay
The Booking.com breach is just one sophisticated attack campaign in a series of increasingly prevalent cyber threats aimed at pilfering the hospitality sector’s wealth of sensitive guest data. For MSPs serving hotels, the attacks highlight the importance of robust, multilayered cybersecurity strategies defending organizations against social engineering ploys and phishing tactics.
By learning from such incidents and adapting accordingly, MSPs can help ensure hotel guests truly enjoy their stay in safety and security.
Elad Damari is the incident response team leader at Perception Point.
Images: iStock, Perception Point
