Sophisticated Phishing Attacks Target Hotel Guests

By Robert McGarvey

Hotel cybersecurity stinks.  There’s nothing new in that pronouncement.  I’ve written about that for years.  

But now there is more – and worse – news.  Tech company Akamai has reported that a new and super slick phishing scheme is now targeting hotel guests and successfully collecting credit card info for exploitation by cyber crooks.

The theft gets its start with an infiltration and hacking of the hotel’s computers.  It begins when the cyber criminal makes what seems to be a legit hotel reservation.  That is followed up with what appears to be a benign email about more info that is needed, nothing unusual.  Perception Point cyber researchers document what happens next: “Once the targeted hotel’s employee replies, the attacker ups the ante. Their follow-up email is carefully crafted to elicit both empathy and a sense of urgency. For example, they might claim that their son is prone to anaphylactic shock due to specific allergies. In other cases, the attacker could appeal to the hotel’s sense of responsibility towards elderly guests, stating they have parents over 70 and wish to print photos for them during their stay.”

Then the attacker sends an email with a URL – purportedly, perhaps, to their parents’ medical records – but when that is clicked, malware downloads to the hotel computer and InfoStealer tools busily siphon off sensitive information from the system.

Sounds bad? It is, very bad. But what Akamai has now reported is an update to the InfoStealer that directly puts you in the crosshairs of this cyber attack.

Picture this: you have a reservation for a hotel room in Manhattan during a busy week when you know rooms will be in demand.  You get an email that says: Due to an update of our reservations system we need you to confirm your credit card details.  We apologize for this but it is essential for us to hold your reservation. Please use this link: MyBooking.MyHotel@hotel.com

Understand: the crook knows you have a reservation. Probably the email even specifies the correct dates, maybe even your room rate. They have scraped that data off the hotel computers.

This email is not one of those idiot messages – I get them weekly – telling me a package cannot be delivered because of an inaccurate address, please update your delivery information here.  Aside from the misspellings, the message just screams: cretin amateur.

Not the message from your hotel. It has the facts that will probably persuade you this is legit.

But click that link and you just stepped into a world of misery because you have downloaded slick malware. Akamai tells what has happened: “This downloaded script is designed to detect the victim’s information and ensure that it would be difficult to analyze or understand by security analysts. This obfuscation technique speaks to the sophistication of the attacker(s) who are behind this.”

You did not even notice malware has been downloaded. It happened in the blink of an eye.

In this process you will be asked to re-enter your credit card info – number, expiration date, security code.

Why wouldn’t you enter that? You already gave the hotel this info, so in your mind you are just reconfirming what you already told them, which you do because you really want to hold that room.

But when you do that, you are screwed.

So what should you do if you get that email asking for a reconfirmation of your credit card data?  Call the hotel.  Don’t email. Use the phone.  Call and ask to reconfirm a reservation.

Alternatively, go directly to the hotel’s website and find your reservation info.  All looks fine? You are ok.

Should you mention the email you got? Up to you. The hotel probably already knows this is happening because it is happening to many guests but if you want to be an Eagle Scout and blow this whistle, do it.

The bigger issue is: this attack dramatically ups the sophistication of the scam.  It is easy to see many of us falling for this.  You’re checking email early in the a.m., you see that hotel email, you’re leaving tomorrow for New York so, sure, you click the link.

If you had had that second cup of coffee maybe you wouldn’t have. But you didn’t and you did.

Before you click on any links in emails about your upcoming hotel stay, remember what you read here. And just don’t.
