Cybercriminals have launched a sophisticated phishing attack targeting Booking.com, one of the world’s leading online travel platforms.
This attack, characterized by its complexity and high success rate, has been evolving over the past year, posing significant risks to hotel managers and customers.
This article delves into the intricacies of the attack, highlighting the methods used by cybercriminals and offering guidance on how to protect against such threats.
The Attack’s Two-Phase Strategy
The phishing attack unfolds in two primary phases. First, the attackers compromise the Booking.com accounts of hotel managers. This initial breach allows them to gain access to sensitive information and communication channels.
In the second phase, the attackers exploit the compromised accounts to scam hotel customers through the official Booking.com app, as reported by osintmatter.


[Figure: Fake Domain]
This dual-phase strategy has proven highly effective, making it one of the most profitable scams in the cyber threat landscape.
The attackers begin by registering a deceptive domain, ‘extraknet-booking.com’, which resembles ‘extranet-booking.com’, a legitimate subdomain used by Booking.com hotel managers.
The attackers trick hotel managers into entering their login credentials by creating a fake portal that mimics the official Booking.com interface. This allows the cybercriminals to harvest sensitive information, including personal and financial data.
The attackers employ various techniques to lure victims to the fake site, from traditional spoofed emails to advanced SEO poisoning.
By manipulating search engine optimization, they ensure their malicious site ranks highly in search results, attracting unsuspecting users.
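A defender can catch this kind of one-letter lookalike in proxy, DNS or mail-gateway logs by comparing each hostname against the names it is meant to imitate. The sketch below is an added example, not code from the original report; the protected names are the two given in this article, while the distance threshold and the "last two labels" shortcut for the registered domain are assumptions.

```python
# Added example: flag hostnames within a small edit distance of a protected
# name. Threshold and registered-domain shortcut are assumptions of this sketch.
PROTECTED = ("extranet-booking.com", "booking.com")  # names taken from the article
MAX_DISTANCE = 2  # assumption: covers one or two inserted, swapped or changed letters


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent swaps)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no public suffix list)."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str):
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched name or None)."""
    domain = registered_domain(host)
    if domain in PROTECTED:
        return "legitimate", domain
    for name in PROTECTED:
        if osa_distance(domain, name) <= MAX_DISTANCE:
            return "lookalike", name
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample hostnames, as they might appear in a proxy log.
    for host in ("extraknet-booking.com", "Login.Extraknet-Booking.com.",
                 "admin.booking.com", "bookign.com", "example.org"):
        print(f"{host:32} {classify(host)}")
```

Short protected names such as ‘booking.com’ also sit one edit away from unrelated real domains (for example ‘cooking.com’), so hits are candidates for review rather than verdicts.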
Once the attackers access hotel manager accounts, they move on to the second phase: targeting hotel customers.
Using the official Booking.com app, they send fraudulent messages to guests, often under the guise of legitimate communication. This method capitalizes on customer trust in the platform, increasing the likelihood of successful scams.
JavaScript Obfuscation
One of the standout features of the phishing site is its use of JavaScript obfuscation. By encoding strings and using complex scripts, the attackers make it difficult for automated tools and researchers to analyze the code.

[Figure: Phishing site]
This obfuscation not only conceals malicious activities but also hints at the attackers’ possible geographic origins, as evidenced by the use of Cyrillic script in the code.
STUN Binding Requests
The attackers also utilize Session Traversal Utilities for NAT (STUN) binding requests to facilitate peer-to-peer communication.
This technique, typically used in legitimate applications like VoIP calls, is repurposed by attackers to exfiltrate data and maintain communication with compromised systems. The unusual volume and port usage of these requests suggest malicious intent.

[Figure: STUN Binding Requests]
Dynamic Cloaking
Dynamic cloaking is another advanced tactic used in this attack. The attackers can avoid detection by showing different content to different users or systems.
The phishing site serves either the fake portal, the genuine Booking.com page, or error pages based on specific conditions, such as the user’s IP address or browser settings.

[Figure: Phishing Portal]
A significant discovery during the investigation was the use of an iFrame linking to numerous phishing pages targeting Booking.com and similar sites.
This iFrame is a central hub that distributes malicious content across multiple sites. It provides attackers with centralized control, a broad reach, and valuable analytics data, allowing them to optimize and refine their attack strategy.
This sophisticated phishing attack on Booking.com highlights the evolving nature of cyber threats and the need for robust cybersecurity measures. Travelers and hotel managers alike must remain vigilant and take proactive steps to protect themselves.
As cybercriminals continue to refine their tactics, staying informed and cautious is crucial to safeguarding personal and financial information.