Booking.com on Data Breach in Hotel Booking Scam

Booking.com was fined €475,000 for delaying the reporting of a data breach that affected the personal data of thousands of users. Booking.com was informed of the breach on January 13, 2019, but did not report it until February 7.

In November 2023, Booking.com confirmed a phishing attack that raised concerns about a possible data breach. Security researchers discovered a multi-step campaign where hackers breach the systems of hotels and booking sites.

Compromised computers can reveal hotels’ credentials for accessing Booking.com. This allows hackers to pretend to be hotel staff.

Booking.com will send a verification code to your mobile device if your username and password are compromised. You must submit the code before you can access your account.

The cyberattackers deployed Vidar infostealer to gain access to a hotel’s Booking.com management portal, the investigation by SecureWorks revealed. Hackers tricked the hotel staff into downloading Vidar by sending an email pretending to be from a former guest who had left a passport in their room.

Typically, the email included a Google Drive link, allegedly containing images of the passport.

However, the link downloads the malware, which steals the information needed to access Booking.com. Once the hackers log on to the Booking.com website, they are able to access information about customers who have hotel or holiday reservations. The hackers use this information to directly message the customers and trick them into paying money to them instead of to the hotel.

“This activity originally appeared to suggest that Booking.com’s systems were compromised. However, the observations by SecureWorks incident responders indicate that threat actors likely stole credentials to the admin.booking.com property management portal directly from the properties and used the access to target the properties’ customers,” the SecureWorks blog said.

The hackers are “making so much money in their attacks that they are now offering to pay thousands to criminals who share access to hotel portals,” the BBC report said.

This cyberattack may be part of a bigger fraud campaign against Booking.com’s partners. Singapore-based The Straits Times recently revealed that at least 30 people who had made hotel bookings on Booking.com ended up losing a total of $41,000.

Typically, they received fraudulent links asking them to reveal their crucial personal and banking details, including credit card details and one-time passwords. Some victims were also asked to make payments on fraudulent links.

Vidar is primarily used as an infostealer and is typically delivered via email. SecureWorks concedes that the use of Vidar in a targeted campaign is rare.

It is usually used to collect financial and sensitive data from the infected machine, including account credentials, credit card data, and browser history. This information is then sold in the market. Vidar is also available as malware-as-a-service for malicious elements to carry out their own operations.

A key reason for the success of this attack is that Booking.com has not enabled multifactor authentication (MFA), which makes it easy for the threat actors to log into the account with the stolen credentials.

“Implementing MFA on Booking.com accounts would likely thwart most unauthorized attempts to access the property management portal,” the SecureWorks blog said.

However, it is debatable whether MFA would have been enough to prevent the attacks. Last year, the Microsoft Detection and Response Team (DART) revealed that as a growing number of organizations have started adopting MFA as a proactive measure to prevent cyberattacks, malicious elements have started using token theft to circumvent it.

“By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly,” the Microsoft blog said.
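On the defensive side, token replay can be spotted by comparing where a session token is used with where it completed MFA. The sketch below is an added example, not code from Microsoft, SecureWorks or Booking.com; the log fields, event names and the choice to bind a token to (IP, user agent) are assumptions, and a mismatch is a signal to investigate rather than proof, since client IPs can change legitimately.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int          # seconds since start of capture
    token_id: str    # opaque session-token identifier (assumed field)
    user: str
    ip: str
    user_agent: str
    kind: str        # "mfa_ok" when the token is issued, "request" afterwards

# Constructed sample log lines, not real data.
SAMPLE = [
    Event(0, "tok-A", "frontdesk@hotel.example", "198.51.100.7", "Chrome/119 Windows", "mfa_ok"),
    Event(10, "tok-B", "manager@hotel.example", "198.51.100.9", "Safari/17 macOS", "mfa_ok"),
    Event(60, "tok-A", "frontdesk@hotel.example", "198.51.100.7", "Chrome/119 Windows", "request"),
    Event(90, "tok-B", "manager@hotel.example", "198.51.100.9", "Safari/17 macOS", "request"),
    # Same token, different client: the pattern a replayed token produces.
    Event(120, "tok-A", "frontdesk@hotel.example", "203.0.113.50", "Firefox/115 Linux", "request"),
]

def find_replayed_tokens(events):
    """Flag requests whose client differs from the one that completed MFA.

    Returns a list of (token_id, user, reason) tuples in time order.
    """
    bound = {}   # token_id -> (ip, user_agent) seen at MFA completion
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        client = (e.ip, e.user_agent)
        if e.kind == "mfa_ok":
            bound[e.token_id] = client
        elif e.token_id not in bound:
            # Token in use with no recorded MFA completion.
            alerts.append((e.token_id, e.user, "no MFA completion on record"))
        elif bound[e.token_id] != client:
            issued_ip = bound[e.token_id][0]
            alerts.append((e.token_id, e.user,
                           f"issued to {issued_ip}, used from {e.ip}"))
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_tokens(SAMPLE):
        print(alert)
```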

Organizations must adopt the latest security measures and educate their users to mitigate the growing threat of cyberattacks.
