Hackers target weak spots in Booking.com phishing scam
Adrian Weckler
Liam Halpin is what one might typically call an experienced IT
professional. He spent most of the last two decades as a senior tech
executive in companies such as Dell, Fujitsu Siemens and LinkedIn. So
he’s not an easy guy to dupe with a regular phishing scam.
Unfortunately, what’s happening to Booking.com isn’t an ordinary scam.
The popular travel and hotel website has recently become mired in
complaints about in-app fraud and scams.
Mr Halpin, a regular traveller, recently received a message inside his
iPhone’s Booking.com app, apparently from the hotel he had booked a trip
to Spain with. The message said that his booking to Spain “might be
cancelled due to an error during verification of your payment method”.
Using the familiar font and language style that Booking.com has within
its own messaging app, it then continued with instructions.
“Usually in this case, Booking asks to verify your payment method and
confirm your identity as a holder.
“You can verify your payment method through a personal link… Booking
will charge your payment method with your reservation amount, and in a
minute will credit it back – this is your payment method verification.”
Having used the service hundreds of time before, and noting the
authoritative-sounding terminology, and being within the Booking.com app
itself, Mr Halpin complied. He was brought to an identical-looking
website with the same payment fields, website design and nomenclature.
He entered the payment details and thought that was that.
Although Mr Halpin stopped short of losing his money, he had to cancel
two separate payment cards that were connected with his phone payment
system.
He isn’t alone. Multiple reports of similar scams inside Booking.com’s
system have been publicised in Ireland and abroad.
When this newspaper contacted Booking.com about it, the travel platform
claimed that it was actually the fault of the hotel which, it claimed,
had been phished.
In this way, Booking.com argued, the scammers entered Booking.com
through the front door, using the hotel’s legitimate account. The
scammers were thus able to seemingly don most of the familiar
infrastructural norms of the Booking.com app to persuade Mr Halpin that
this was a legitimate request.
“This is likely a coordinated effort by attackers to commit fraud
against both guests and accommodation partners by targeting them with
phishing emails and is not a breach of the Booking.com backend system,”
the spokesperson said.
“We are acutely aware of the implications of such scams by malicious
third parties to our business, our accommodation partners and
unfortunately to our customers, who can fall victim to professional
scammers. We’re sorry to hear about the experience of the customer you
brought to our attention.”
IT security experts believe that this is becoming a widespread problem
now with platforms that have commercial clients who themselves deal with
individuals as customers.
“This is quite a sophisticated scam,” said Conor Flynn, managing
director of Wayston Compliance Solutions and an Irish IT security veteran.
“It focuses on compromising the service provider, which might be a hotel
or hospitality provider, often through phishing. The hackers know that
the front-end of big platforms like Booking.com are likely to be much
harder to compromise whereas smaller hospitality firms may not have the
same levels of security. The bad guys sometimes wait, monitoring
transactions until they spot an opportunity.
“So in many cases, the smaller hospitality firm may not even know that
the compromise has happened until they’re informed by their guest about
it. It’s an example of hackers being smart and targeting a weaker
security point.”
Mr Halpin, though, still believes that there is a question that
Booking.com needs to address.
“I consider it to be a data breach,” he said. “The messages were in my
[Booking.com] thread and there was knowledge of the dates and prices of
an already-booked hotel.”
In addition to cancelling the credit cards associated with his phone
payment account, Mr Halpin is now concerned as the scam got him to
re-enter his email and phone number, valuable pieces of information for
other data scams.
“At a minimum, [Booking.com] need to be warning their customers that
messages with links from a property inside Booking.com are not
trustworthy,” he said.
The Booking.com spokesperson said that customers facing similar concerns
should first check the conditions and then try customer support before
paying.
“We are constantly reviewing and improving our own robust security
controls and offering guidance and training to our accommodation
partners, and regularly remind customers that they should never share
personal details with any of our accommodation partners outside of our
platform,” the spokesperson said.
“If a customer does ever have concerns or questions about a payment
message they receive then we encourage them to check the payment policy
of the accommodation, which is easy to find on the property listing
page, or reach out to our customer service team who are available to
support 24-7.”
Irish Independent Technology
===========================================================
The fb-exchange mailing list
Manage account,
List Page: https://www.freelists.org/list/fb-exchange
Archive: https://www.freelists.org/archive/fb-exchange
To unsubscribe: log onto the List page and select "Unsubscribe".
Administrative contact: insight@xxxxxxxxxxxxxxxxxxxx
===========================================================
