Crumbs! Holiday phish based on genuine hotel booking surfaces
'The email looked incredibly authentic,' warns scam target
Scammers have launched a devious phishing campaign aimed at tricking customers of targeted hotels into transferring funds to a drop account.
Securobods suggested cybercrooks either hacked into a Spanish hotel's system or persuaded someone to hand over customer records on a false pretext before using the purloined details to trick their customers into transferring funds to a bank account in Poland. Prospective marks were also asked to hand over credit card verification codes (CVV numbers) to scammers.
The wife of Reg reader Paul received a scam email after booking a family holiday in Spain via Booking.com.
El Reg notes that, according to security experts, the issue described below was likely not due to any vulnerability in hotel reservation aggregator Booking.com itself.
Phishing emails are, of course, all too common, but this one distinguished itself because it featured the name of a genuinely booked hotel alongside the dates of stay, the reader's home address and the correct invoice amount.
"The email looked incredibly authentic and given the personal details contained, looked very plausible," Paul told El Reg. "All the personal details used in the email are correct."
Paul's wife also received a text message (content below) shortly after the delivery of the dodgy email.
Dear Client, We have sent you an invoice to your e-mail address you have on file with us. Many Thanks, Booking.com
The customer service agent at Booking.com told Paul that the scammers most likely phished the details directly from the hotel by pretending to be Booking.com.
El Reg approached both Booking.com and the Mallorca-based hotel named in the scam email for comment on Friday. Neither has responded as yet. We'll update this story as and when we hear more.
Security experts have said a breach of some sort may have occurred at the Spanish hotel involved, but emphasised that this was just a working theory. Alternative explanations would include a banking Trojan harvesting most of the details of a transaction from Paul's machine or a breach at Booking.com.
"I don't think there's been a breach at Booking.com because the net would be ablaze with comments and targeted phishing emails, which means it is possible they're phoning up hotels and - perhaps - working their way through guest lists then sending their highly targeted missives to unfortunate individuals," said Chris Boyd, a malware intelligence analyst at anti-virus firm Malwarebytes.
"The victim in this case can probably rest easy - I don't think they were singled out for any other reason than they happened to be on the hotel books the scammers picked on the day. Having said that, they should run some AV scans if they haven't already and keep a close eye on any unusual attempts at outgoing payments just in case there is any malware involvement," he added.
Fraudsters have recently targeted Booking.com customers with a malware-based attack. This may, or may not, be a follow-up campaign, according to Boyd.
"There was a malware campaign last month which targeted Booking.com and Allegro customers - they sent personalised emails to the victims which mentioned outstanding invoices, complete with password stealer attachment," Boyd explained.
"While not quite the same thing that's happening here, it could be relevant in some way - perhaps a spin-off group, or the returns on fake emails with malware weren't good enough so they've moved into full blown social engineering. Unfortunately, all we can do is speculate on that last point - they may be entirely unrelated," he added.
Rik Ferguson, veep of security research at Trend Micro, was also inclined to think that a breach at the Spanish hotel where Paul's family had made their booking was the most likely source of the scam.
"Given the extent of accurate information in the scam email, malware seems unlikely," Ferguson told El Reg, adding that three scenarios seemed plausible.
The most likely of the three would be a breach at the hotel itself. "This doesn't need to be voice or phishing, rather a breach of that hotel’s booking system would do nicely," Ferguson explained. A breach at Booking.com is "less likely as they would be under legal obligation to disclose a breach", according to Ferguson, who added that a targeted MITM [man-in-the-middle] malware looking for well-known booking sites is another possibility.
The scam attempted to hoodwink the recipients into wiring money to a Polish bank account. Ferguson said the person running the account is either a knowing or unwitting participant in the con.
"The Polish bank account will certainly be traceable, but that is standard practice, passing money through a mule account or two (unsuspecting or otherwise) allowing the mule to cream off a certain percentage before having the mule convert it into wire transfers or some other untraceable transaction," he concluded.
Malwarebytes' Boyd added: "Without knowing more about the wire procedure being used by the scammers in this case, we can't say for sure what they'd do at the receiving end to pick up the funds or how easy it would be for them to get away with it."
"Asking the victim to provide a scanned receipt is something wire fraud scammers will use along with a fake ID when they pick up the money - often, they'll pretend to be the victim at the bank, or have the victim send money to a relative via wire transfer then pretend to be that relative and claim the cash," he added.
A partially redacted copy of the scam email:
From: "Booking.com" <firstname.lastname@example.org>
Date: 29 July 2014 01:31:50 BST
To: XXXXX
Subject: XXXX Please confirm your reservation
Booking.com
Dear XXXX,
First of all, thank you for selecting ******* & Spa · #883029917.
We were informed by ******* Hotel & Spa · #883029917 that the credit card you provided could not be processed to secure your reservation.
The stated reason was:
Code: 0125, The card verification value the user gave for the attempted transaction did not match the card verification value on file for the account (This authorization check normally occurs for cardless accounts and for internet and telephone orders.)
What you can do now:
Please do not try to pay using your credit card again, just go to your bank and send a wire transfer to our account below, also you can do it from home if you have access to internet banking :
Account Name: Anibal Pagaimo
Bank Name: ING
IBAN: PL 71 1050 1025 1000 0091 XXXX XXXX
Bank address: ul. Grojecka 186, 02-390 Warszawa
Owner Address: ul. XX XX/XX, XX-XXX Warsawa
Country: Poland
Once the payment is completed, please reply to this e-mail with the scanned receipt of the deposit.
Many thanks, Booking.com
Arrival Thursday, August XX, 2014
Departure XXXday, August XX, 2014
Number of nights X
Address: XXXXX,XXX, XXXX, United Kingdom
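The red flags in the message above are mechanical enough to check automatically: a brand name in the display name on an address outside the brand's domain, a "card failed, pay by wire transfer instead" switch, a payee IBAN in a country that does not match the hotel's, and a request to reply with a scanned receipt (the proof-of-payment a mule uses to collect the funds, as Boyd describes). The following Python script is an added example written for this article, not code from El Reg, Booking.com or either analyst. It runs over a constructed message modelled on the redacted email (placeholder addresses, names and IBAN digits) and a constructed benign confirmation; the legitimate sender domain (booking.com) and the hotel's country (Spain) are assumptions set at the top.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the redacted scam email reproduced in the
# article; addresses, IBAN digits and names are placeholders, not real data.
SCAM_SAMPLE = """\
From: "Booking.com" <firstname.lastname@example.org>
Subject: Please confirm your reservation

Dear Guest,
We were informed by the hotel that the credit card you provided could not be
processed to secure your reservation.
Please do not try to pay using your credit card again, just go to your bank and
send a wire transfer to our account below:
Account Name: Example Payee
Bank Name: ING
IBAN: PL 71 1050 1025 1000 0091 XXXX XXXX
Once the payment is completed, please reply with the scanned receipt of the deposit.
"""

# Constructed benign confirmation for comparison (also not a real message).
BENIGN_SAMPLE = """\
From: "Booking.com" <noreply@booking.com>
Subject: Your booking confirmation

Dear Guest,
Your reservation is confirmed. No further payment is required at this time.
"""

# Assumptions for this example: the brand sends from booking.com, and the hotel
# (hence any legitimate payee account) is in Spain.
EXPECTED_SENDER_DOMAINS = {"booking.com"}
EXPECTED_PAYEE_COUNTRIES = {"ES"}

# An IBAN starts with a two-letter country code and two check digits; the rest
# may be redacted, so only the prefix is matched.
IBAN_RE = re.compile(r"\bIBAN:?\s*([A-Z]{2})\s?\d{2}\b")


def scam_indicators(raw, sender_domains=EXPECTED_SENDER_DOMAINS,
                    payee_countries=EXPECTED_PAYEE_COUNTRIES):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    # Collapse line breaks so phrases split across lines still match.
    text = " ".join(body.split()).lower()
    findings = []

    # 1. Brand display name on an address outside the brand's own domains.
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in sender_domains:
        findings.append(f"display name {display!r} but sender domain {domain!r}")

    # 2. Payment channel switched from the card on file to a bank transfer.
    if "wire transfer" in text and "credit card" in text:
        findings.append("card payment 'failed', wire transfer requested instead")

    # 3. Payee account in a country that does not match the hotel's.
    for match in IBAN_RE.finditer(body):
        country = match.group(1)
        if country not in payee_countries:
            findings.append(f"IBAN country {country} does not match hotel country")

    # 4. Proof-of-payment request, used at the receiving end to collect funds.
    if "scanned receipt" in text:
        findings.append("asks for a scanned receipt of the deposit")

    return findings


if __name__ == "__main__":
    for name, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scam_indicators(sample))
```

Note what this does not catch: the booking details themselves (hotel, dates, amount, home address) are all genuine, so nothing in the content proves the mail is fake. The signal is entirely in the sender domain and the change of payee, which is why the practical advice is to confirm any new bank details with the hotel over a channel you already trust before paying.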