Netherlands-based online travel agents Booking.com has admitted that it has had to compensate customers who have fallen victim to a sophisticated phishing attack.
Victims were targeted with bogus emails demanding prepayments on their bookings. One target described the emails she received: “They had everything like the reservation number, names of guests and the logos looked accurate”.
The method criminals used to gather reservation details hasn’t been confirmed, but vice-president of security research at Trend Micro, Rik Ferguson, did some digging. By registering as a fictitious hotel, he found you could access the system with a log-in and password.
If a criminal were to get hold of these log-in details, they’d then be able to access the data needed to run a sophisticated phishing campaign, such as the one that has just been uncovered.
One target, Claire Coldwell, used Booking.com to book hotel rooms for a trade fair.
Claire booked the rooms under the impression that she would not be expected to pay until the end of her and her colleagues’ stay, but Claire received emails and calls that had other plans. “I got an email supposedly from Booking.com saying that, because of the unusually high demand for those dates, the Hilton had taken the decision to ask for prepayment in full for the whole week.”
Claire then received an email purportedly from the Hilton requesting the same thing: “They had everything like the reservation number, names of guests and the logos looked accurate.”
Claire became suspicious of these emails, and a mistake in the email led her to call Booking.com, who told her she’d been the target of a phishing attack. Claire’s suspicions saved her organisation £3,000.
Talking about Booking.com’s security, Rik Ferguson said, “With a site like Booking.com, the fact that they deal with millions of people’s personal and financial information means they should be taking the utmost care in protecting the access to this information. If it’s just a simple user name and password, that’s not the utmost care.”
He’s right. If the only control that’s keeping criminals away from confidential information is a username and password, then there’s a problem. In most cases, a username and password is sufficient, but these credentials aren’t being used by Booking.com employees who have received information security awareness training. They’re being used by hotel employees, who may not have had similar training – meaning they’re more likely to fall for phishing attacks that capture their login details, thus leading to an even larger scale attack.
The dangerous employee
An attack similar to the above can all stem from one person opening an email that they shouldn’t. Can you be 100% sure that none of your employees would fall for a sophisticated phishing attack?
If you’re assessing the overall information security posture in your organisation, you’ll be interested IT Governance’s Combined Infrastructure and Web Application Penetration Test.