Since last summer, both hotel owners and employees have been receiving malicious e-mails disguised as ordinary correspondence from previous or potential guests. In some cases, they appear as typical messages sent to the target hotel’s public e-mail address. In others, they resemble urgent requests from Booking.com to respond to user comments the platform supposedly received. In reality, it’s attackers trying to either get hold of employees’ login credentials or infect hotel systems with malware.
Tricks of the trade
When targeting organizations, threat actors usually need a plausible pretext for their e-mails. In the case of hotels, devising such a pretext is relatively easy: responding to sudden customer inquiries is part and parcel of the job for hotel workers with publicly available e-mail addresses. The be-all-and-end-all for a hotel is reputation, so employees strive to resolve conflicts or fulfill requests as quickly as possible. This eagerness leads them to follow links or open attached files within these e-mails, falling prey to cybercriminals. In essence, this threat could be described as a “customer focus attack”.
Adding to the challenge of identifying the threat is the fact that attackers don’t need to create a specific, business-appropriate e-mail address. Hotel staff routinely receive inquiries and complaints from guests using free e-mail services. So attackers use them too — with Gmail being the most common.
E-mail content
Generally, the correspondence follows one of two topics: complaints, or inquiries to clarify some details. In the first case, hotel employees receive a message from a “dissatisfied guest”. The complaint could be about unethical staff, double-charged bank cards, poor accommodation conditions, and so on. To back up their words, attackers may offer supporting evidence such as videos, photos, bank statements and the like.
Early this year, attackers modified their tactics. Instead of direct complaints, they started sending e-mails disguised as notifications from Booking.com — the popular online accommodation booking platform. The essence remains the same: someone supposedly left a negative review on the platform that hotel staff need to address as a matter of extreme urgency. This may seem like a different scam altogether, but the attack’s goals and the e-mail technical headers (throwing light on the mailing engine) indicate that these e-mails are part of the same campaign.
In the inquiry-based e-mails, attackers pose as potential guests and request additional information about hotel services and pricing. The options are endless, with each message’s subject and content almost always unique. Besides routine questions about transfers, meals, and rates, these pseudo-guests may inquire about a playroom for kids, a quiet space for remote work, or the availability of rooms with special historical or cultural significance.
Here are some more examples of phishing e-mail subjects and content:
- Subject: Examining Different Payment Gateways for Amusement Park Passes.
Body: What are the consequences of canceling a reservation within a few weeks of the check-in date?
- Subject: Seeking clarification on making a reservation.
Body: Greetings! In case I misplace an item, what’s the process for locating lost possessions during my stay?
- Subject: Enquiry about booking.
Body: Hi there! Does the room have a mini-bar, and what items are included?
- Subject: How to reserve a double room online without any hassle.
Body: What happens if guests arrive outside of normal check-in hours at your hotel?
- Subject: Securing exclusive hotel rooms: attention to finer details.
Body: Good afternoon, I’m interested in staying at your hotel but I have some questions about the payment process. Can you assist me with that?
- Subject: Room Fresh Flowers and Plants.
Body: Are there options available to request fresh flowers or plants in the guest rooms?
- Subject: Laundry Facility Information.
Body: What information can you provide about the hotel’s laundry facilities, including services offered and associated charges?
- Subject: Booking Request for Pet-Friendly Family Room.
Body: Our family and pets are looking forward to our stay. Can you provide a room that’s suitable for pets? Information on pet amenities would be valuable.
- Subject: Inquiry for Rooms with Sustainable Energy Sources.
Body: Desire a room powered by sustainable energy sources to support eco-friendly living during my stay.
- Subject: Request for Assistance with Wine Tasting Tours.
Body: Can you arrange wine tasting tours at local vineyards or wineries?
- Subject: Dedicated Workspace in Rooms for Business Guests Inquiry.
Body: Are dedicated workspaces available in rooms for guests who need to work remotely?
Note – these are actual verbatim examples that were used by attackers.
As you can see, on the one hand, these are all perfectly plausible questions that real hotel customers ask. On the other, the subject and body of the e-mail are not always logically connected. It’s as if, in some cases, the senders pulled them from some pre-compiled database in random order.
Multi-stage correspondence with fake clients
In some cases, attackers adopt methods more common to targeted attacks — no malicious link is sent in the first or even the second e-mail. To lull the victim’s vigilance, they initiate a conversation with one or more short, seemingly innocuous messages, asking questions about accommodation conditions at the hotel.
For example, in the first message, an attacker posing as a potential customer claims to be planning a surprise for their wife. In the reply, the hotel employee clarifies the dates of stay and asks how the staff could assist with the surprise. Only then does the attacker send an e-mail with a link to download a malicious file, supposedly containing detailed instructions on creating a special atmosphere in the room —with a promise of generous rewards for the staff’s efforts, of course.
End goals
By and large, the cybercriminals’ objective in all these cases is to obtain credentials. These can then be used in other scams or simply sold, as databases of such usernames and passwords are in high demand on the dark web. Late last year, we wrote about how compromised hotel accounts on Booking.com are being used to scam clients out of payment information. It’s highly probable that the ultimate goal of the attackers in this case is to implement a similar scheme.
As we wrote above, cybercriminals either lure the victim to a phishing site, or attempt to infect their computer with malware. Here’s how they do it.
Malware infection
Attackers mostly use links to files with malicious content that are stored on legitimate file-sharing services. Less common are various methods of link masking — such as shortened URLs. These links can be in the e-mail body or in an attachment, for example a PDF document. In some cases, files with malicious content (such as infected Microsoft Word documents) are sent as attachments directly.
If the victim follows the link and downloads the file or opens the attachment, a variety of malware may appear on their device, among which there is usually a password stealer. We’ve encountered threats like the XWorm backdoor and the RedLine stealer.
Phishing e-mails
In some instances, phishing links lead to pages that mimic the Booking.com login form. Other times, the phishing page looks like a form for entering corporate credentials. If attackers manage to use these to access corporate e-mail accounts, a lot of doors open to them — such as hijacking the associated Booking.com account, or contacting customers while impersonating the hotel.
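The indicators described in the last two sections (a sender whose From name claims to be Booking.com but whose address is on a free e-mail service, links to legitimate file-sharing services or URL shorteners, login links on domains unrelated to booking.com, and macro-capable Office attachments) can be checked mechanically before a message reaches an employee. The following Python triage helper is an added example, not code from the original article or from Kaspersky; the domain lists and the three sample messages are constructed for illustration and are not drawn from the campaign.

```python
"""Triage helper for the hotel-phishing indicators described in the article.
Added example (not the article's or Kaspersky's code). The domain lists below
are assumptions for illustration; a gateway would use maintained feeds."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
FILE_SHARING_DOMAINS = {"drive.google.com", "dropbox.com", "mega.nz", "wetransfer.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".exe", ".js", ".lnk", ".iso"}
BRAND = "booking"             # brand the campaign impersonates
BRAND_DOMAIN = "booking.com"  # the only domain that brand legitimately mails from

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (look-alikes fail)."""
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return a list of indicator strings found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, sender_domain = addr.rpartition("@")
    sender_domain = sender_domain.lower()
    # Only the From display name and local part count as a brand claim: real
    # guests write "booking" in subjects, and free-mail senders alone are normal.
    claims_brand = BRAND in display.lower() or BRAND in local.lower()
    if claims_brand and not in_domain(sender_domain, BRAND_DOMAIN):
        kind = "free e-mail" if sender_domain in FREE_MAIL_DOMAINS else "unrelated"
        findings.append(f"brand impersonation: '{display}' sent from {kind} domain {sender_domain}")

    text_parts = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # attachment: flag by extension, do not open it
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            text_parts.append(part.get_content())

    for url in URL_RE.findall("\n".join(text_parts)):
        url = url.rstrip(".,;")
        host = (urlparse(url).hostname or "").lower()
        if any(in_domain(host, d) for d in FILE_SHARING_DOMAINS):
            findings.append(f"file-sharing link: {url}")
        elif any(in_domain(host, d) for d in URL_SHORTENERS):
            findings.append(f"shortened link: {url}")
        elif claims_brand and not in_domain(host, BRAND_DOMAIN):
            findings.append(f"{BRAND_DOMAIN} notification links to unrelated domain: {url}")
    return findings


# Constructed sample messages (not real campaign artifacts).
FAKE_BOOKING_NOTICE = """From: "Booking.com" <booking.reviews.team@gmail.com>
To: info@example-hotel.test
Subject: Urgent: a guest left a negative review
Content-Type: text/plain; charset="utf-8"

A guest left a 1-star review. Respond within 24 hours:
https://booking-partner-login.example/respond?id=1
"""

FAKE_GUEST_COMPLAINT = """From: Jane Doe <jane.doe.guest@gmail.com>
To: info@example-hotel.test
Subject: Double charge on my card
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

I was charged twice. Bank statement and photos are here:
https://drive.google.com/file/d/constructed123/view
--XYZ
Content-Type: application/octet-stream; name="statement.docm"
Content-Disposition: attachment; filename="statement.docm"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

LEGIT_GUEST_INQUIRY = """From: Jane Doe <jane.doe@gmail.com>
To: info@example-hotel.test
Subject: Booking Request for Pet-Friendly Family Room
Content-Type: text/plain; charset="utf-8"

Can you provide a room that's suitable for pets?
"""

if __name__ == "__main__":
    for name, sample in [("fake notice", FAKE_BOOKING_NOTICE),
                         ("fake complaint", FAKE_GUEST_COMPLAINT),
                         ("legit inquiry", LEGIT_GUEST_INQUIRY)]:
        print(name, triage(sample) or ["no indicators"])
```

The subject line is deliberately left out of the brand check: as the verbatim examples above show, genuine guests write "Booking Request" in subjects and mail from Gmail, so a free-mail sender or the word "booking" on its own would produce false positives. The helper flags the combination the article describes (a Booking.com identity asserted in the From field while the address is elsewhere), and treats file-sharing and shortened links as indicators regardless of sender, since those are the delivery methods named above.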
How to defend against an attack
To safeguard your hotel staff from falling victim to these schemes and protect your business, do the following:
- Run regular security awareness training for employees. This will equip them with the knowledge to resist social engineering techniques and spot cybercriminal tricks early. For example, in the case of the Booking.com e-mail scam, this can be done with the naked eye: just pay attention to the From field. A large and reputable service like Booking.com would never send notifications from a free e-mail address. Furthermore, a website mimicking the login page may be hosted on a third-party domain that’s completely unrelated to the travel platform.
- Implement protection at the e-mail gateway level. While employees might still receive pesky e-mails from scammers, most phishing and malicious links, along with dangerous attachments, will be stopped before they reach their inboxes.
- Install robust security solutions with anti-phishing technology on all devices used for work.
- Stay informed by reading our blog to be among the first to learn about the latest e-mail threats.