Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests

Introduction

Despite the widespread awareness of phishing, it is still one of the most successful and ubiquitous attack vectors in the vast landscape of cyberthreats. Phishing campaigns come in various forms and have continued to evolve as new potential mediums arise. From emails that impersonate banks to text messages that mimic delivery notifications to malicious code embedded into a photo of a kitten, phishing can affect anyone with access to a computer.

One of the most recently discovered delivery methods is the sophisticated infostealer that targets the hospitality industry through online booking services. A malicious actor makes a booking request, choosing the “pay at hotel” option, and sends the hotel a series of urgent and seemingly heartfelt emails with links to “photos” that are an executable infostealer.

Although this particular version was aimed at the hotels, our SecOps team has detected a second stage of this sophisticated phishing campaign, which then targets the legitimate customers of these sites.

As the holiday travel season approaches, there is no better time to be wary of this phishing method. In this blog post, we detail some of our observations and share recommendations for staying safe online. 

Attack chain

The attack chain consists of three steps: executing the infostealer, contacting the victim, and catching the victim.

Step 1: Executing the infostealer

After the infostealer is executed on the original target (the hotel), the attacker can access messaging with legitimate customers. It is often recommended that customers use only official and known methods of communication, such as various messaging platforms within the site, to prevent illegitimate or scam interactions. Unfortunately, this great advice becomes moot now that the attacker can access those methods.

Sophisticated obfuscation techniques

This downloaded script is designed to detect the victim's information and ensure that it would be difficult to analyze or understand by security analysts.This obfuscation technique speaks to the sophistication of the attacker(s) who are behind this. 

Apparently, the script uses various techniques to gather this information, such as checking the user's browser's capabilities and attributes. It then creates a data object and appears to attempt to send this data to a server using a POST request. Let’s examine a small part of the JavaScript logic that determines the redirection path.

• The first part is a self-invoking function that takes two parameters (_0x372138 and _0x55e2f4). This part includes a loop with complex mathematical calculations inside a try-catch block. It continues running until the condition !![] (which is always true) is met, suggesting that it runs indefinitely. This then allows the use of the self-invoking function within the first parameter. It declares several variables, including _0x178a26 and _0x4c868a, and defines a function _0x36fa19. 
  • This function collects various information about the browser environment, such as properties of the window and document objects, and stores this information in an object named _0x4c868a. The collected data includes information about the browser, screen, and more (Figure 3).

• The attacker added several security validations as an anti-analysis technique. If the client passes these tests, the user will be presented with a phishing site masquerading as a Booking.com payment page requesting credit card information (Figure 4).

• The attacker also implemented a smart-chat support channel to ensure the credibility of their phishing scam. 

Red flags 

• Urgent language: Phishing messages often create a false sense of urgency, compelling recipients to act hastily. In this case, the message warns of a reservation cancellation if action isn't taken within 24 hours.

• Suspicious URL: The provided link (https://booking.guest-approve[.]info/reservation/606667156) is not the official Booking.com domain.

Verification tips

• Never click on unsolicited links: Regardless of how legitimate a message may appear, it's best to avoid clicking on links in unsolicited messages.

• Contact the company directly: To confirm the authenticity of such messages, use a different official channel outside the messaging platform to contact the company, such as email or phone number provided by the original site hotel or traveling agency.

• Beware of urgent or threatening language: Be cautious of messages that create a sense of urgency or threaten negative consequences if you don't take immediate action.

• Double-check the URL: Always scrutinize URLs to ensure they match the legitimate website.

• Use reputable security software and cloud services: Protect your devices with up-to-date antivirus software. Consider utilizing high-quality cloud security services that provide advanced threat intelligence. 

Conclusion

We all have to be constantly vigilant of phishing attacks. This sophisticated scam works, but so do the much simpler scams. 

Phishing campaigns of this caliber don't come around every day. But cybercriminals are always developing new tactics to prey on unsuspecting victims. The best way to protect yourself is to be cautious and vigilant every time you get an unexpected message.

Sha256: 

1076c3e6437cab5975064c1525c516e2b1707c1f0fdc5edbadd6610e6a13d275 - attacker javascript