Read about the latest malware campaigns involving hotels on Booking.com and how they can be linked to scams all around the world.
Booking.com is an online travel agency used by millions of users all around the world (including threat actors!).
A. Distribution of malware to hotels
In the past few weeks we have seen a rise in phishing emails targeting Booking.com property owners and delivering malware (infostealers) to them via fake inquiries.
Security researcher @JAMESWT_MHT has shared some of these examples, with Italian hotels as the target victims:
All the examples shared there are available for further reference:
https://twitter.com/search?q=from%3A%40JAMESWT_MHT%20booking
Related:
www.difesaesicurezza.com/en/cyber-en/cybercrime-lumma-stealer-campaign-via-fake-hotel-reservation/
Not only Italian hotels: Andorran hotels have also suffered from a similar Booking campaign (via alpine-security):
www.anc.ad/hijackloader-els-hotels-dandorra-esdevenen-els-objectius-datac-una-analisi-tecnica/
As seen, the main objective of these campaigns is to steal credentials from hotel owners. There is an unexpectedly high demand for valid admin.booking.com credentials, and the only way to obtain them is to steal them from the hotel owners.
I can't say for certain when this guy started working on this request for malware logs; the first reference to his work is September 2nd, 2023. Since that date, screenshots adding up to a total of $7,124.42 have been shared as proof of payment in the thread, with the last post made on October 7th.
More forum threads requesting Booking logs have appeared recently:
They are also spammed in Telegram groups:
Because of Booking's size, its name has been used in previous malware campaigns via fake invoices sent by email, as seen last year. I strongly believe the past campaigns are related to the current ones. Reference:
So let's start asking questions. How do they approach a hotel administrator to deliver malware? Let's look at their own methods, written (naturally) in Russian.
(I will not disclose the entire document)
Translation to English (March 2023)
In the example, the identity of a Colombian individual is used to register the account, and payment details belonging to a Dutch woman are also shared. This information is mandatory in order to create an account that can book hotels all around the world.
The next step is to find a hotel that can be booked with free cancellation up to a few days before the check-in date and that does not require any payment until arrival. It may seem odd, but this is quite common on the Booking website.
Then the threat actors just need to contact the hotel after the fraudulent booking has been made. The booking exists, but the hotel owner has received no payment. At this point, guests with a reservation can contact hotel owners via email.
Detonation: ANY.RUN interactive analysis of the lure link https://bit.ly/Google-Maps_Jacob-Martin-Photo (flagged as malicious activity)
C2: 185.106.92.140:44756 (now dead)
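The two indicators above (the bit.ly lure and the C2 socket) are what a defender would sweep hotel proxy and firewall logs for. The following is an added example, not part of the original post or any tool it mentions: a small Python sweep over constructed proxy-style and firewall-style log lines (their formats are assumptions), matching the lure URL and the C2 address, and then correlating sources that both fetched the lure and reached the C2. Only the two indicators quoted on the page are real; every host, timestamp and other URL below is made up.

```python
import re
from collections import defaultdict

# Indicators quoted on the page (the only real data in this example).
IOC_URLS = {"https://bit.ly/Google-Maps_Jacob-Martin-Photo"}
IOC_C2_IP = "185.106.92.140"
IOC_C2_PORT = 44756

# Constructed log formats (assumptions): "ts src METHOD url status" for a
# web proxy and "ts src:sport -> dst:dport PROTO" for a firewall.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) \S+$")

SAMPLE_LOGS = [  # constructed for this example
    "2023-09-18 11:40:02 10.0.5.21 GET https://bit.ly/Google-Maps_Jacob-Martin-Photo 301",
    "2023-09-18 11:40:05 10.0.5.21 GET https://files.example.invalid/photos.zip 200",
    "2023-09-18 11:41:30 10.0.5.21:51234 -> 185.106.92.140:44756 TCP",
    "2023-09-18 12:10:00 10.0.5.77:40210 -> 185.106.92.140:443 TCP",
    "2023-09-18 12:11:00 10.0.5.77:40211 -> 93.184.216.34:443 TCP",
    "2023-09-18 13:00:00 10.0.5.90 GET https://bit.ly/unrelated-link 301",
]


def normalize_url(url):
    """Lowercase scheme and host only: shortener paths are case-sensitive."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.lower()}{sep}{host.lower()}{slash}{path}".rstrip("/")


def sweep(lines):
    """Return one hit per matching line: (line_no, src, kind, confidence)."""
    wanted = {normalize_url(u) for u in IOC_URLS}
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line)
        if m and normalize_url(m["url"]) in wanted:
            hits.append((n, m["src"], "lure_url", "high"))
            continue
        m = FW_RE.match(line)
        if m and m["dst"] == IOC_C2_IP:
            # Exact ip:port is the page's indicator; the IP alone is weaker
            # evidence, since the operator can move ports on the same VPS.
            conf = "high" if int(m["dport"]) == IOC_C2_PORT else "medium"
            hits.append((n, m["src"], "c2_connect", conf))
    return hits


def correlate(hits):
    """Sources that both fetched the lure and reached the C2: treat as infected."""
    kinds = defaultdict(set)
    for _, src, kind, _ in hits:
        kinds[src].add(kind)
    return {src for src, k in kinds.items() if {"lure_url", "c2_connect"} <= k}


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print("likely infected:", correlate(found))
```

A real sweep would also expand the shortener server-side (bit.ly resolves to the actual payload host) and add that destination to the URL set, since the endpoint may fetch it without the redirect ever appearing in proxy logs.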
I believe this exact message has been used in a real campaign, though it can't be confirmed. Do you see the similarities with the real Booking campaigns exposed earlier?
They claim a success rate of 10 phished owners for every 100 attempts. Let's take this as a true statement.
B. Using stolen accounts
Let’s move on. What do they do with the booking administrator’s stolen credentials?
When a threat actor breaches a hotel account on Booking, can they withdraw the remaining credit balance on the account? If so, this would be the first move, and it is where account vendors get their fee profits. New payments received after the infection date would also be redirected to threat-actor wallets.
Of course, a real hotel administrator would hold other credentials of interest to threat actors, but I will focus on Booking.
Then, what to do with an emptied but still verified account?
Introducing "Scam 1.0" (that's how they named it):
"Bypass anti-fraud on Booking" method
To summarize (translated from Russian):
That's it: setting up fake properties on Booking and redirecting customers to fake payment pages. This is where carding appears, stealing customer payment information via phishing sites.
This behavior has recently been reported against Singapore residents:
Related:
Blog elhacker.NET: Oleada de estafas de hoteles a través de Booking (Wave of hotel scams via Booking)
The guide recommends working with Italian and French hotels.
If these statements are true, it means there are fraudulent properties operating on Booking.
As said before, at this point we have completely left the malware ecosystem: carding groups are responsible for everything from here on, and the main objective is to commit financial fraud.
C. Individuals behind scams — workers
Somehow, people committing crimes always like to post publicly about their activities. If they can search for it, why shouldn't I?
1. Malware threat actors
Let’s start talking about the people delivering malware to hotels.
The individuals behind the moniker "rachid" have kindly shared a list of their malware logs covering July 26, 2023 to October 2, 2023.
(If you are involved enough in infosec you will know what this is. Nothing will be explicitly disclosed, as it can be considered sensitive.)
Allergies? We’ve seen that!
Rachid is using META stealer (NOT RedLine); he shared the first test check, run on his own machine.
VPS: 116.203.68.128 (AS24940, Hetzner Online GmbH)
RDP open, hostname: DESKTOP-TJJ4KTA
Of the 2,953 entries in the host list, 553 were unique IPs.
Please note that several hosts were infected repeatedly, either by executing the stealer more than once within a short period or via a scheduled task every 24 hours until the infection was detected. For example, this happened to a host in the Balearic Islands (Spain), first infected on 15.09.2023 at 19:00:28 and sending a daily log until 25.09.2023 at 09:41:43 (last infection).
Rachid shared his admin.booking.com checks between July 26, 2023 and October 2, 2023: 68 days, with most of the activity after September 12, 2023.
Of these 553 hosts, 266 allegedly contain admin.booking.com cookies or passwords. Only 133 of them are unique by IP range, which means several computers at the same hotel were infected by the same stealer.
The others had only booking.com data, or neither.
So let's do some statistics. Of 2,953 total logs, 18.73% are unique hosts, and only 4.50% come from unique hotel owners. Applying the "100 emails sent for 10 logs received" rule mentioned earlier, that would mean 1–2 thousand emails were sent over a period of 68 days (15–30 emails per day).
This effort would mean someone is getting paid very well.
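The counts above (unique IPs, hosts carrying admin.booking.com data, collapse to one hotel per IP range, repeated daily infections, and the email-volume estimate from the 10-in-100 claim) are the standard triage of a stealer-log index. What follows is an added example, not the blog author's tooling and not rachid's data: a Python triage over a small constructed index. The index format (timestamp|public IP|hostname|credential domains) and the /24 grouping are assumptions; real stealer logs are archives whose listings differ per family.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample index.  The three HOTEL-RECEPCION rows model the
# "scheduled task every 24 hours" re-infection described in the article.
SAMPLE_INDEX = """\
2023-09-15 19:00:28|85.87.10.23|HOTEL-RECEPCION|admin.booking.com,booking.com
2023-09-16 19:00:31|85.87.10.23|HOTEL-RECEPCION|admin.booking.com,booking.com
2023-09-17 19:00:29|85.87.10.23|HOTEL-RECEPCION|admin.booking.com,booking.com
2023-09-16 08:12:02|85.87.10.40|HOTEL-BACKOFFICE|admin.booking.com
2023-09-18 11:45:10|151.29.4.77|DESKTOP-A1|booking.com
2023-09-19 12:00:00|151.29.4.77|DESKTOP-A1|booking.com
2023-09-20 09:30:45|194.106.2.9|PC-RICEZIONE|admin.booking.com
2023-09-21 14:02:11|80.58.3.101|DESKTOP-B2|
"""

TARGET = "admin.booking.com"


def parse_index(text):
    """Parse the assumed 'ts|ip|host|domains' index into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, domains = line.split("|")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ip": ip_address(ip),
            "host": host,
            "domains": {d for d in domains.split(",") if d},
        })
    return rows


def triage(rows, prefix=24, success_rate=0.10):
    """Unique hosts, unique hotel networks, re-infections, and an estimate of
    the phishing volume behind the logs using the page's 10-in-100 claim."""
    unique_ips = {r["ip"] for r in rows}
    admin_ips = {r["ip"] for r in rows if TARGET in r["domains"]}
    # Several infected PCs behind one hotel's connection share a prefix;
    # collapse them so each network counts once (the /24 is an assumption).
    admin_ranges = {ip_network(f"{ip}/{prefix}", strict=False) for ip in admin_ips}
    seen = defaultdict(list)
    for r in rows:
        seen[(r["ip"], r["host"])].append(r["ts"])
    repeated = {k: (min(v), max(v), len(v)) for k, v in seen.items() if len(v) > 1}
    days = (max(r["ts"] for r in rows) - min(r["ts"] for r in rows)).days + 1
    est_emails = len(admin_ranges) / success_rate
    return {
        "total": len(rows),
        "unique_ips": len(unique_ips),
        "unique_ip_pct": round(100 * len(unique_ips) / len(rows), 2),
        "admin_hosts": len(admin_ips),
        "admin_ranges": len(admin_ranges),
        "admin_range_pct": round(100 * len(admin_ranges) / len(rows), 2),
        "repeated_hosts": len(repeated),
        "repeated": repeated,
        "days": days,
        "est_emails": est_emails,
        "est_emails_per_day": round(est_emails / days, 1),
    }


if __name__ == "__main__":
    stats = triage(parse_index(SAMPLE_INDEX))
    for k, v in stats.items():
        if k != "repeated":
            print(f"{k}: {v}")
    for (ip, host), (first, last, n) in stats["repeated"].items():
        print(f"re-infected {n}x: {host} ({ip}) {first} -> {last}")
```

On the real index the same arithmetic gives the page's figures: 553/2953 is 18.73% and 133/2953 is 4.50%. Counting by prefix rather than by IP is what separates "hosts" from "hotels", and the repeated-host view is what exposes the scheduled-task persistence.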
The only hotel name disclosed in rachid's activity is the French Hôtel Observatoire Luxembourg (Paris Quartier Latin, observatoirehotel.com), infected on 18.07.2023 at 10:15:07.
From a different source, I was able to find reports of 3 hotels back in May:
At this point I have serious doubts about these messages: either they are logs submitted about these hotels, or someone has used these hotels to phish people into a fraudulent site. Both options mean a compromised hotel.
2. Scam threat actors
Please note that malware operators and scammers are related. The same users behind rachid are behind other monikers in carding & scamming groups.
Understanding the whole carding/scammer environment would be a vast job that would never be completed. Also, financial fraud is an activity that I strongly condemn and that makes me sick, so going through every group and site would simply be impossible. I will focus on the first ones that appeared in my searches.
There are specialized scamming communities that have been very active for many months, and it is exhausting to follow every movement disclosed by these groups. Like malware operators, they like to share things, in this case the payments received by each of their workers.
Let's expose some of these groups' activities.
Under the moniker "Butterfly", a scam community has been set up. Specializing in "Booking 1.0" scams, it has allegedly collected a total of 14,319.64€ across 49 fraudulent scams (about 292€, or ~$310, per scam). Examples:
Larger scamming groups (no names will be disclosed) rely on Booking scams as a source of income.
From one of them, a total of 99,312€ has allegedly been earned in the month of September 2023 alone (09.01–09.30). Examples:
This group has carried out a total of 1,657 scam operations involving Booking since 11/11/2022, the most recent at the time of writing on October 11th, 2023.
Some others directly posting fraudulent wire transfer screenshots:
There are several individuals working in groups like the ones exposed above, making several thousand in cash from scams.
D. Other ways of scamming
While doing this research, I noticed these scamming groups have other ways to make a profit. Booking is just one of them, currently the most profitable.
Introducing (very briefly) Scam 2.0
A user asking for phone numbers in order to start a scam on Vinted:
Sites that are actively being exploited by scammers are:
Vinted, Wallapop, Milanuncios, Subito, Olx, Ebay, Leboncoin, Dpd, Carousell, Quoka, Kuldnebors, Etsy, Depop, Willhaben among others.
Threat actors just like to show off, as usual.
E. Prevention
As a guest, never trust deals made off the platform, and double-check any payment method offered to you. When in doubt, do not send any information about yourself. Report suspicious behavior.
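The "fake payment wall" in Scam 1.0 works because a link that merely contains the word booking looks legitimate to a guest in a hurry. As an added example (not Booking.com's code and not from the original post), the following Python check classifies a payment link the way a careful guest or a mail filter should: it accepts only HTTPS links whose registrable domain is on an allow-list, and rejects the usual tricks (brand name in a subdomain of another domain, userinfo before an @, digit lookalikes, non-ASCII or punycode hosts). The allow-list, the naive two-label registrable-domain rule and every sample link are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: trusted registrable domains; a real deployment would take this
# from the platform's own guidance rather than hard-code it.
ALLOWED_DOMAINS = {"booking.com"}

SAMPLE_LINKS = [  # constructed for this example
    "https://secure.booking.com/payment/12345",
    "https://booking.com.payment-verify.net/pay",
    "https://booking.com@evil.example/pay",
    "https://bo0king.com/pay",
    "http://www.booking.com/pay",
    "https://b\u043eoking.com/pay",   # Cyrillic 'о' in place of Latin 'o'
    "https://pay.example.net/checkout",
]


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); no public-suffix list in this example."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url):
    """Return (verdict, reason) for a payment link a guest was sent."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lowercased by urlsplit
    if parts.scheme != "https":
        return "reject", "not https"
    if parts.username is not None or parts.password is not None:
        # https://booking.com@evil.example/ really connects to evil.example
        return "reject", "userinfo in URL"
    if not host.isascii() or "xn--" in host:
        return "reject", "non-ASCII or punycode host (possible homograph)"
    if registrable_domain(host) in ALLOWED_DOMAINS:
        return "accept", "on-platform domain"
    # Fold the digit lookalikes scammers use (0->o, 1->l) before searching
    # for the brand name inside an unrelated domain.
    folded = host.translate(str.maketrans("01", "ol"))
    if "booking" in folded:
        return "reject", f"lookalike: brand in host but domain is {registrable_domain(host)}"
    return "reject", "off-platform domain"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print(f"{verdict:6} {link}  ({reason})")
```

The rule a guest can apply by eye is the same one the code applies: read the host right to left, and the last two labels before the first slash must be the platform's own domain; anything in front of them, and anything after an @, is decoration.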
As a Booking partner, please follow Booking's guidelines; your account is a very sensitive asset and can be used to harm both yourself and other people:
Online security awareness: phishing | Booking.com for Partners
Online security awareness (malware) for accommodation partners | Booking.com for Partners
Online security awareness: social engineering | Booking.com for Partners
PS:
You can always contact me if you think something that has not been disclosed here would be interesting for your investigations. Everything on the blog is public information and searchable to everyone.
Have a nice day,