MGM and Caesars-like phishing campaign continues targeting luxury hotels

Luxury hotels remain the major target of a “well-crafted and innovative” social engineering campaign, cybersecurity experts warn.

The hospitality industry is still “very at risk” of phishing tactics that were used to breach casino giants MGM Resorts International and Caesars Entertainment, according to a new report from Cofense Intelligence.

Luxury hotel chains and resorts are primary targets of the “active and ongoing” phishing campaign, with 85% of emails linked to it dated within the last 60 days as of September 22nd, the report said.

“The campaign employs the use of reconnaissance emails and instant messages to bait hospitality email addresses into a response, similar to social engineering tactics seen in the MGM and Caesars attacks,” Cofense said.

Threat actors use non-malicious bait emails to check whether the address is live and responsive. After initiating a conversation, they follow up with a phishing email that contains malware capable of deploying ransomware after infecting the host.

“Overall, the campaign uses several tried-and-true methods to bypass email security infrastructure which puts targets at risk of sophisticated information stealer malware like RedLine Stealer, Vidar Stealer, Stealc, and others,” Cofense said.

The phishing emails mostly use Google Drive, but also Dropbox, Discord, and other trusted domains within malicious URLs, as well as password-protected archives and executable files to disrupt email security analysis and secure email gateways.

“I would like to book a room”

The lures used in both the reconnaissance and phishing emails match and are well thought out, which makes them particularly successful in reaching their intended targets, according to the report.

The emails are crafted to look like regular inquiries common in the sector, including booking requests, reservation changes, and special requirements.

“The lures all warrant some sort of response from the targeted hospitality organization and are most likely very similar to what the employee is accustomed to seeing,” Cofense said.

In one example provided in the report, threat actors targeted a reservation email address posing as a customer with a special medical request.

It read: “I found your hotel on the internet and I would like to book a room for [two] people. Do you have free dates October 20-28? I will be staying with me and my little daughter, who has cerebral palsy.”

Real-life example of bait email. Image by Cofense

Upon receiving a response, cybercriminals followed up with a phishing email. It maintained story continuity but also contained a malicious link to a password-protected archive.

The email read: “I also want to say that my daughter is very allergic to detergents, I will send you a file from our doctor, please check if it has the same products as yours and reply to me.”

Real-life example of phishing email. Image by Cofense

In this particular case, the link, hosted on a trusted domain, would lead to a password-protected archive that contained the Vidal Stealer malware.

Las Vegas fallout

The campaign uses unique lures and is “highly sophisticated” from reconnaissance emails all the way to the malicious payload, according to Cofense.

MGM and Caesars have recently fallen victim to a cyberattack using similar social engineering tactics. Criminals knocked out MGM’s systems across all of its 31 resorts, while Caesars paid millions of dollars in ransom to the attackers.

Both attacks were reportedly carried out by a hacker gang made up of US and UK-based individuals variously called Scattered Spider, Roasted 0ktapus, UNC3944, or Storm-0875.

The gang is believed to be primarily motivated by monetary gain and does not seem to focus on intelligence gathering. Despite being relatively new, its social engineering attacks are very mature, cybersecurity expert Steven Erwin told Cybernews earlier.

“Their social engineering techniques are very sophisticated, and they are known for voice phishing help desks, call centers, and even security operations centers (SOCs) to gain initial access,” Erwin said.

More from Cybernews:

DJI Mavic 3 drone manuals abused to deliver malware

AI models set to become a hundred times more efficient with lasers

Spotify will not completely ban AI-created content

Francesca’s nightmare: women’s boutique hacked

US Space Force considers joint hotline with China

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked