Hotel Stays Put Booking.com Customers at Risk of Phishing Attacks!
Cybersecurity researchers have warned about a new scam targeting Booking.com customers, in which hackers post ads on the Dark Web asking for help finding victims. Hackers target accommodations listed on the forum to pose as staff members.
The scam, which was investigated by cybersecurity firm Secureworks, involved deploying the Vidar info stealer to steal a hotel’s Booking.com login information.
According to Secureworks, access to the Booking.com management portal allows a threat actor to see future bookings and send direct messages to guests.
Booking.com has not been hacked, but hackers have found ways to access the administrative portals of individual hotels that use the service.
Hackers offer $30 to $2,000 per valid log with additional incentives for regular reporters.
According to reports, hackers appear to be making so much money from the attacks that they are now offering thousands in payments to criminals who share access to hotel portals.
A Booking.com spokesperson said the company is aware that hackers are targeting some of its accommodation partners “using a range of known cyber fraud tactics”, reports the BBC.
Secureworks incident responders determined that the threat actor made contact by sending an email to a member of the hotel’s operational staff.
“The sender claimed to be a former guest who had lost their identification (ID) and they asked for the recipient’s help in finding it. The email contained no attachment or malicious links and was likely intended to gain the recipient’s trust,” the security team noted.
With no reason to be suspicious, the employee responded to the email and asked for more information to help the sender.
Later, the threat actor sent another email about the missing ID. The sender identified the document as a passport and stated that he strongly believed he had left it at the hotel.
When the recipient clicked on the link in that email, a ZIP archive file was downloaded to the computer’s desktop.
“Microsoft Defender identified the file in this archive as Vidar infostealer. Microsoft Defender detected several failed execution attempts before the malware finally executed,” the researchers said.
Secureworks researchers analyzed the contents of this file and confirmed that it is the Vidar info stealer. This Vidar sample is configured to steal passwords only.
“This activity initially appeared to indicate that Booking.com’s systems were compromised. However, findings by Secureworks incident responders indicate that threat actors likely stole credentials from the admin.booking.com property management portal directly from the properties and used the access to target the properties’ customers,” the team said.