Travelers worldwide are falling victim to a rapidly spreading scam that manipulates their legitimate hotel bookings to issue fraudulent payment requests. Cybercriminals have devised a strategy to infiltrate established hotel reservation systems, deceiving guests with false pre-payment verifications.
Deceptive Messaging Tactics
The operation typically begins with a seemingly innocuous message on platforms like WhatsApp, purportedly from a hotel’s Guest Relations team. These messages, which include genuine booking details such as the hotel’s name and stay dates, add an air of credibility that many unsuspecting travelers accept as standard procedure.
The effectiveness of this scam lies in its ability to exploit familiar contexts. Unlike traditional phishing schemes, these messages do not rely on sophisticated writing styles or elaborate structures. Instead, they are grounded in authentic booking information, making them appear as legitimate customer service interactions.
Identifying the Scam
Experts Martin Chlumecký and Luis Corrons from Gen Digital have documented this threat, labeling it the ‘Reservation Hijack Scam.’ Their research highlights that the attack is not merely a travel-themed phishing attempt, but a comprehensive exploitation of authentic booking workflows.
The scam has been most prevalent in regions such as the United Kingdom, France, Germany, the United States, Brazil, and Australia. It operates on two fronts: firstly, through fake booking-platform messages guiding victims to fraudulent payment sites, and secondly, through the direct compromise of hotel management software.
Breaching Hotel Systems
The more dangerous aspect of this scam involves breaching hotel software systems like Cloudbeds. By phishing hotel employees for their login credentials, attackers gain access to real reservation data, enabling them to send fraudulent messages that are indistinguishable from genuine communications.
Once inside the system, hackers employ tactics such as the ‘Scam-Yourself Attack,’ where malicious commands are disguised as security updates, installing remote access trojans for ongoing system access. This allows attackers to send professional-looking payment requests, convincing victims to submit financial information through typo-squatted domains.
Precautionary Measures
To protect against this threat, guests are advised to avoid clicking on links requesting payment verification from unfamiliar sources. Instead, they should directly contact hotels via official websites or original booking platforms. If payment details have already been compromised, immediate action is necessary, including contacting banks and monitoring for further fraudulent activities.
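As an added illustration of the typo-squatted payment links described above (example code written for this page, not taken from the Gen Digital research), the following sketch extracts links from a message and compares each hostname against an allow-list of official domains. The domain names, the sample message and the edit-distance threshold of 2 are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder allow-list; replace with the real hotel and booking-platform domains.
OFFICIAL_DOMAINS = ("examplehotel.com", "examplebooking.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'official', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:])
    for d in OFFICIAL_DOMAINS:
        brand = d.split(".")[0]
        # Near-miss spelling, or the brand name embedded in an unrelated host.
        if edit_distance(base, d) <= 2 or brand in host.replace("-", ""):
            return "lookalike"
    return "unknown"

def check_message(text):
    """Extract every http(s) link from a message and classify its hostname."""
    results = []
    for url in URL_RE.findall(text):
        host = urlsplit(url.rstrip(".,)")).hostname or ""
        results.append((host, classify(host)))
    return results

# Constructed sample message, not a captured one.
MESSAGE = ("Dear guest, your stay at Example Hotel (12-15 June) needs pre-payment "
           "verification: https://examp1ehotel.com/verify or "
           "https://examplehotel.com.pay-confirm.example/r/1 "
           "Manage your booking at https://www.examplehotel.com/booking")

if __name__ == "__main__":
    for host, verdict in check_message(MESSAGE):
        print(f"{verdict:10} {host}")
```

A verdict of "unknown" only means the host does not resemble an allow-listed domain; such a link should still be confirmed with the hotel through its official website or the original booking platform.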
For hospitality businesses, enhancing the security of guest communication channels is crucial. Implementing phishing-resistant authentication, restricting access to reservation data, and establishing robust incident response plans are essential measures to prevent credential theft and safeguard guest information.
Smaller establishments, in particular, should prioritize multi-factor authentication to mitigate the risk of staff credential compromises. By doing so, the hospitality industry can better protect its clientele from evolving cyber threats.
