Cybercrime represents an ever-growing risk to businesses and organizations, with the effects ranging from data theft to operational disruption to financial loss. According to the FBI, cybercrime losses in the U.S. rose to a record $12.5 billion in 2023, a figure that comes from voluntary reports of internet crime to the agency and is likely underestimated.
The hospitality industry is one of many alluring targets for malicious hackers. The size of the industry, the volume and value of transactions and the numbers of consumers who interact with it contribute to a significant pool of potential victims. These risks become more prevalent as vacationers make bookings for the upcoming summer months. Now is an appropriate time to raise awareness about how to prevent online scams targeting hospitality providers and their customers.
Compromising the Organization
In 2023, the hospitality industry was increasingly targeted using malicious spam. Spam is dangerous because attackers can add links to malicious software, known as malware, or attach the malware itself to messages. If opened, those attachments can infect computers with information stealers, or infostealers. Infostealers are pervasive malware that attackers use to gain access to a computer’s sensitive data, such as login credentials. Fraudsters also targeted the hospitality industry with social engineering campaigns. Social engineering refers to using deceptive methods such as impersonation to trick people into undertaking actions that are not in their best interests. Used in combination, these two powerful methods proved successful at compromising some organizations.
Customer interactions in the hospitality industry are often brokered over online platforms, such as e-commerce websites and booking services. Hospitality-related booking platforms have increasingly been of interest to cybercriminals. Booking platforms may service a variety of vendor customers, from hotels to property owners offering short-term stays. Booking platforms sit in between these stakeholders and consumers and thus represent a rich target for attackers to infiltrate. Typically, property or accommodation providers have their own administrative panels within these booking platforms. To access administrative panels, providers log in with a username and password. Cybercriminals seek to steal or buy the credentials for these panels and misuse them.
How do malicious hackers obtain the credentials? The theft of login credentials has become its own underground cottage industry. Certain groups of fraudsters specialize in collecting credentials by distributing infostealer malware in spam and conducting phishing attacks. They then sell these stolen credentials on underground forums to other bad actors, who abuse them for fraud. These types of illegal-business-to-illegal-business transactions are referred to broadly as cybercrime-as-a-service. Specialized underground markets for illegal goods and services have fueled the overall growth in cybercrime by allowing lesser-skilled fraudsters to buy tools and services they need to execute scams and thefts but could not necessarily develop on their own.
Cybercriminals have also compromised hotel providers by pretending to be legitimate guests and making reservations. The ploy works like this: after receiving a booking confirmation, they start a dialog with the hotel staff. When the hotel responds, attackers proceed with a carefully crafted follow-up email purporting to offer information such as identity documents that are available through a link that is included in the email. The link, however, leads to a file that, if opened, is actually infostealer malware. The infostealer, which works silently in the background, then begins collecting login credentials, which the fraudsters use to unlock the administration panel. Antivirus software programs often do not catch infostealers, as malware developers engineer infostealers to avoid raising security alarms.
Once the threat actors gain access to the credentials, they log in to the hotel's reservation portal. This access provides them with visibility into all current room or holiday reservations made by customers along with some personal information. Then, the attackers target the customers who have existing bookings. They use an organization’s legitimate email account or mobile application to pose as legitimate hotel administrators. In one type of fraud, attackers may request a confirmation of payment details for upcoming stays. These messages are sent from inside the real booking platform, adding a veneer of legitimacy that makes it more likely the victims will be fooled. In observed examples of this type of attack, the attackers have included a link to a phishing page. The phishing page is already pre-filled with the victim’s exact personal details, including their full name, stay duration and hotel information. This once again provides false assurance to the victim that a request is legitimate. If a victim enters their credit card or other financial data, it is sent straight to the fraudsters, who then quickly attempt to monetize the stolen details.
Defense Tips for the Hospitality Industry and Consumers
Amid the complex cyber threats facing the hospitality industry, especially those involving booking platforms, it is imperative for both industry professionals and customers to implement strong security practices. Hospitality sector professionals and customers would be wise to follow these seven key recommendations:
- Strengthen email security: Invest in advanced email filtering and security measures to identify and thwart emails that may be phishing attempts. Ensure these systems are updated regularly to keep up with new cyber threats.
- Engage in regular cybersecurity training: Provide ongoing, thorough cybersecurity training for all staff members. This is the best preventive step, since employees are less likely to mistakenly install malware if they recognize suspicious behavior. Emphasize the importance of recognizing phishing emails and reporting them. Encourage a “no blame” atmosphere even if someone has mistakenly clicked on one, as early reporting can allow security teams to investigate.
- Maintain strong password policies: Ensure that users are capable of creating strong, unique passwords that they have not used before on other systems.
- Utilize multifactor authentication (MFA): MFA should be used for accounts that can access administrative portals. MFA takes a variety of forms, but usually involves entering a time-sensitive code that is generated by an external application. Attackers have developed sophisticated ways of tricking users into revealing these codes, but MFA remains one of the best ways to prevent attackers from gaining control of accounts for which they’ve obtained login credentials. Hardware tokens are a step up from MFA: they are USB keys that must be inserted into a computer before logging in to a service and are highly phishing resistant.
- Monitor and control network access: Employ network monitoring tools to detect unusual activities, such as unexpected login attempts into administration portals. If hotel employees are in California but someone accesses an account in the middle of the night from Poland, that could be a sign that an account has been taken over. Also monitor for large data transfers, which could indicate attackers stealing data.
- Monitor underground markets: Cybercriminals who sell login credentials use underground online markets to sell their wares. Monitoring these markets and collecting intelligence in order to understand if your brand is being targeted can give information technology (IT) security teams a heads up that credentials or accounts may be compromised.
- Examine processes for security improvements: Threat actors perform reconnaissance and often understand a targeted organization’s internal procedures as well as or better than the customer service representatives who work there. They’re looking for security weaknesses that may give them an advantage. Examining those procedures and thinking about how an attacker might abuse them can result in process improvements that lead to better security outcomes.
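The network-monitoring tip above can be turned into a simple triage rule over administration-panel login records. The following is an added example, not part of the original article; the log format, account names, policy values and thresholds are all assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy for one property; every value is an assumption.
POLICY = {
    "expected_countries": {"US"},    # where staff normally log in from
    "utc_offset_hours": -7,          # property's local time (Pacific daylight)
    "work_hours": (6, 23),           # local hours in which logins are normal
    "max_bytes": 100 * 1024 * 1024,  # per-session transfer ceiling
}

# Constructed sample records: UTC time, account, geolocated country, bytes sent.
SAMPLE_LOG = """\
2024-05-14T17:05:00Z frontdesk1 US 48213
2024-05-14T22:40:00Z manager US 1250331
2024-05-15T10:12:00Z manager PL 734003200
2024-05-15T11:30:00Z frontdesk1 US 912
"""

def check_event(line, policy=POLICY):
    """Return (account, reasons); reasons is empty when the login looks normal."""
    try:
        ts, account, country, sent = line.split()
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sent = int(sent)
    except ValueError:
        # Surface malformed records instead of silently dropping them.
        return "?", ["unparsable"]
    local = utc.astimezone(timezone(timedelta(hours=policy["utc_offset_hours"])))
    reasons = []
    if country not in policy["expected_countries"]:
        reasons.append("unexpected_country")
    start, end = policy["work_hours"]
    if not start <= local.hour < end:
        reasons.append("off_hours")
    if sent > policy["max_bytes"]:
        reasons.append("large_transfer")
    return account, reasons

def find_alerts(log_text, policy=POLICY):
    """Collect every record that trips at least one rule, in log order."""
    events = (check_event(l, policy) for l in log_text.splitlines() if l.strip())
    return [(account, reasons) for account, reasons in events if reasons]

if __name__ == "__main__":
    for account, reasons in find_alerts(SAMPLE_LOG):
        print(account, ",".join(reasons))
```

A record that trips several rules at once, like the constructed login from Poland here, deserves attention before one that is merely off-hours.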
Maintaining robust defenses against cybercriminal activity in the hospitality sphere is an ever-evolving challenge. Hospitality security teams must be agile, as malicious hackers quickly capitalize on weaknesses. While it is impossible to stop all attacks, it is possible to become more resilient by understanding current trends in the threat landscape. By using cyber threat intelligence and conducting threat hunting, hospitality security teams can minimize cybersecurity risks, preserve their organizations’ reputations and stay focused on addressing revenue and business growth.
Michael DeBolt is chief intelligence officer at Intel 471.