In recent months, a highly sophisticated phishing attack targeting Booking.com has emerged, raising alarms among hotel managers and travelers alike. This attack, marked by its complexity and high success rate, poses significant risks to all involved. As cyber threats become increasingly advanced, it is essential to understand the methods used by these cybercriminals and to take proactive measures for protection.
The Attack Unfolds in Two Phases
The phishing attack operates in a two-phase strategy that begins with the compromise of Booking.com accounts belonging to hotel managers. By infiltrating these accounts, attackers gain access to sensitive information and communication channels, setting the stage for a broader scam.
In the second phase, these compromised accounts are leveraged to target hotel customers. Using the official Booking.com app, attackers send fraudulent messages to guests, masquerading as legitimate communications from the platform. This tactic exploits the inherent trust customers place in Booking.com, significantly increasing the chances of a successful scam.
Crafting Deceptive Domains
Central to the effectiveness of this attack is the creation of a fake domain, ‘extraknet-booking.com,’ which closely resembles ‘extranet-booking.com,’ a legitimate subdomain used by hotel managers on Booking.com. This deceptive domain is used to lure hotel managers into entering their login credentials on a counterfeit portal designed to mimic the official Booking.com interface.
Cybercriminals employ various techniques to attract victims to this fake site. From traditional spoofed emails to advanced search engine optimization (SEO) tactics, they ensure their malicious site ranks highly in search results, making it more likely for unsuspecting users to fall into their trap. Once attackers gain access to hotel manager accounts, they can seamlessly transition to targeting customers.
The Role of JavaScript Obfuscation
One notable feature of the phishing site is its use of JavaScript obfuscation. This technique involves encoding strings and employing complex scripts that obscure malicious activities, making it challenging for automated tools and researchers to analyze the code. Interestingly, evidence of Cyrillic script within the obfuscated code provides potential insights into the attackers’ geographic origins.
Exploiting Legitimate Techniques: STUN Binding Requests
Another disturbing tactic employed by these attackers is the use of Session Traversal Utilities for NAT (STUN) binding requests. Typically utilized in legitimate applications like Voice over IP (VoIP) calls, this technique is repurposed by cybercriminals for data exfiltration and maintaining communication with compromised systems. The unusual volume and port activity associated with these requests strongly suggest malicious intent.
Dynamic Cloaking: A Stealthy Approach
Dynamic cloaking represents yet another advanced technique in this phishing attack. By displaying different content to various users or systems, attackers can evade detection. The phishing site can serve either the counterfeit portal, the authentic Booking.com page, or error pages depending on specific criteria such as a user’s IP address or browser settings.
The Centralized Hub of Phishing Pages
A significant finding in this investigation was the use of an iFrame that links to multiple phishing sites targeting Booking.com and similar platforms. This iFrame acts as a central hub for distributing malicious content across various sites, providing attackers with centralized control and valuable analytics data that allow them to refine their strategies.
Conclusion: Staying Vigilant in an Evolving Cyber Landscape
The sophisticated phishing attack on Booking.com serves as a stark reminder of the evolving nature of cyber threats. Both travelers and hotel managers must remain vigilant to protect their personal and financial information from these increasingly cunning attacks.
As cybercriminals continue to refine their tactics, staying informed and cautious is paramount. Implementing robust cybersecurity measures and being aware of the signs of phishing can significantly reduce the risks posed by such threats. In this digital age, knowledge is power—being proactive can make all the difference in safeguarding sensitive information against malicious actors.