Cybercriminals Leverage Hijacked Booking.com accounts for Phishing
I recently heard about a wave of scams exploiting Booking.com users. So I went and researched it for myself. I came across a post on the r/travel subreddit about such an incident. [1]
The user received a seemingly authentic message with a URL via Booking.com's app. They provided their credit card information and said that “within mere minutes of this, an attempt was made to use [their] credit card for an online purchase.”
As others pointed out on Reddit, the most likely scenario here is that the hotel's account with Booking.com has been compromised, or the hotel's own email account was compromised.
I then looked up the phishing site sent via the Booking.com in-app messaging system in VirusTotal to find the IP address and checked that in URLscan. As I imagined, the offending IP address had a bunch of other Booking.com phishing domains that resolved to it. This revealed a widespread campaign. [2, 3]
Further research on this topic will led me to a recent Secureworks blog about threat actors taking it to the next level by stealing Booking.com hotel admin credentials using a well-known Infostealer malware called Vidar. My colleague Tas also recently wrote a blog for Curated Intel on this topic as well. Other open-source blogs have also covered these campaigns in-depth. [4, 5, 6]Unfortunately, this seems like a highly successful online scam. It is leveraging an in-app communications channels and taking advantage of poor security practices by small businesses to exploit the business-to-customer (B2C) relationship. And unfortunately if Booking.com does not address this issue directly, customers may avoid them for safer experiences.
Indicators of Compromise (IOCs):
References:
- https://www.reddit.com/r/travel/comments/163icx6/urgent_warning_phishing_through_bookingcoms
- https://www.virustotal.com/gui/domain/booking.id24144379.date/detection
- https://urlscan.io/ip/91.215.40.30
- https://www.secureworks.com/blog/vidar-infostealer-steals-booking-com-credentials-in-fraud-scam
- https://www.curatedintel.org/2023/12/curated-intel-threat-report-multi.html
- https://g0njxa.medium.com/un-booking-a-scam-8f8058eb7200
Popular posts from this blog
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail. In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
I'm surprised this is my first blog of 2023, but I have been more busy than usual. My work at the Equinix Threat Analysis Center (ETAC) has been very engaging and when I'm not chasing cyber bad guys with ETAC I'm writing down how to do it as I'm developing SANS FOR589: Cybercrime Intelligence . While researching packers and crypters (that are used to obfuscate malware code, like VMProtect or UPX), I came across a site in the search results billing itself as a generic "FUD Crypter" as-a-Service type offering (FUD = Fully Undetectable in cybercriminal lingo). The website "fudcrypter[.]io" is still online and looks pretty amateurish to me and was ripe for investigating. Figure 1: Screenshot of the FUD Crypter website I navigated around the site and hovered over some of the buttons and found redirects to another website called "data-encoder[.]com". This second site, however, was offline at the time I tried to visit it. But using a coveted CTI
文章来源: https://blog.bushidotoken.net/2023/12/cybercriminals-leverage-hijacked.html
如有侵权请联系:admin#unsafe.sh