Hotels targeted with “inhospitality” campaign


Cybercriminals are targeting the hotel industry with social engineering campaigns during the holiday travel season.

The security firm Sophos has identified a phishing campaign targeting hotels worldwide with password-stealing malware.

According to researchers, the cybercriminals first send hospitality workers emails that either complain about service problems or request information, building rapport with the recipient. Only once the victim engages do they follow up with malicious links.

The fraudulent emails are either complaints about issues that the sender claims to have experienced in a recent stay or requests for information to help with a potential future booking.

The creatively crafted complaints vary, including things like diseases, allergic reactions to cleaning products, suspicions of poisoning, stains in rooms, insects on furniture, items being left behind or stolen, requests for accommodations for guests with limited mobility or technology access, and reports of rude, violent, or bigoted behavior by staff towards guests.

When a hotel representative responds to the initial inquiry seeking additional information, the threat actor replies with a message containing links to documentation supporting their claims or requests.

The links point to public cloud storage services, such as Google Drive, Mega.nz or Dropbox, and the body of the message contains a password. However, the so-called "documentation" is, in fact, a malware payload concealed within a password-protected archive file.

Victims are directed to those public cloud storage services to download a Zip or Rar archive, and the email body supplies the password the recipient is instructed to use to open it.

Like many successful malspam campaigns, these messages are designed to manipulate emotions and exploit the target's willingness to provide assistance.

In one example, a threat actor asked hotel employees for help locating a camera they had left in a room, which contained photos of a recently deceased relative.

In another example provided by researchers, the threat actor emailed a hotel claiming to have booked rooms for a family member with a disability, explained that arrangements had to be made, and attached what were purportedly medical recommendations.
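The delivery pattern described above (a link to Google Drive, Mega.nz or Dropbox, a password quoted in the message body, and a Zip or Rar archive behind it, all arriving in a second-stage reply) is simple enough to triage heuristically at the mail gateway or help desk. The following is an added example, not Sophos code or anything from the campaign; the host list, keyword list, scoring weights and threshold are assumptions to tune for your environment, and the two sample messages are constructed for the demonstration.

```python
"""Heuristic triage for the cloud-link + password-in-body lure.

Added example for illustration; not Sophos code. The sample messages
below are constructed, not real campaign text.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Cloud storage hosts named in the article (assumed list; extend as needed)
CLOUD_HOSTS = ("drive.google.com", "mega.nz", "dropbox.com")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Matches "password: abc", "the password is abc", "passcode abc"
PASSWORD_RE = re.compile(r"\b(password|passcode|pass\s*code)\b\s*(?:is|:|=)?\s*\S+", re.I)
ARCHIVE_RE = re.compile(r"\b[\w.-]+\.(zip|rar|7z)\b", re.I)
# Emotional-lure vocabulary drawn from the complaint themes in the article
LURE_WORDS = ("deceased", "disability", "medical", "poison", "allergic",
              "stolen", "insect", "rude", "violent")

FLAG_THRESHOLD = 4  # assumed; tune against your own mail flow


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def cloud_links(body: str) -> list:
    """Return URLs in the body whose host is one of the cloud storage services."""
    found = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            found.append(url)
    return found


def score_message(body: str, is_reply_to_us: bool = False) -> Verdict:
    """Score one inbound message; higher means more lure-like."""
    v = Verdict()
    links = cloud_links(body)
    if links:
        v.score += 2
        v.reasons.append(f"cloud storage link: {links[0]}")
    if PASSWORD_RE.search(body):
        v.score += 2
        v.reasons.append("password supplied in message body")
    if ARCHIVE_RE.search(body):
        v.score += 1
        v.reasons.append("archive filename mentioned")
    hits = [w for w in LURE_WORDS if w in body.lower()]
    if hits:
        v.score += 1
        v.reasons.append("emotional lure words: " + ", ".join(hits))
    # The campaign sends the link only after the hotel has replied once
    if is_reply_to_us and links:
        v.score += 1
        v.reasons.append("link arrived in a second-stage reply")
    return v


def is_suspicious(body: str, is_reply_to_us: bool = False) -> bool:
    return score_message(body, is_reply_to_us).score >= FLAG_THRESHOLD


# Constructed sample messages (not real campaign text)
BENIGN = ("Hello, I'd like to book two rooms for 14-16 March. "
          "Do you have accessible rooms on the ground floor? Thanks, J.")
LURE = ("Thank you for replying. My mother is disabled and her medical "
        "recommendations are in the folder below. Documents.zip is "
        "password protected, the password is Hotel2024.\n"
        "https://drive.google.com/drive/folders/EXAMPLEID")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("lure", LURE)):
        v = score_message(body, is_reply_to_us=True)
        print(f"{label}: score={v.score} flagged={v.score >= FLAG_THRESHOLD}")
        for r in v.reasons:
            print("  -", r)
```

The individual signals are weak on their own (legitimate guests do share Drive links, and a password line alone is not malicious), which is why the score combines them and weights the second-stage reply, the feature that most distinguishes this campaign from ordinary guest correspondence. A flagged message is a candidate for a sandbox detonation of the archive or a call back to the guest on a number the hotel already holds, not an automatic block.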

According to Sophos, the same methodology was used in the months leading up to the US federal tax filing deadline in April 2023, targeting tax firms.
