Hackers are abusing hotel booking notifications to steal credentials in a new phishing campaign

Phishing campaign targets hotel staff using fake Expedia and Cloudbeds login pages
Attackers show deep knowledge of hospitality workflows to boost credibility
Hospitality businesses are prime targets due to constant handling of sensitive guest data

Hotels, and other similar businesses in the hospitality industry, are being targeted by an advanced, highly convincing, phishing campaign.

The goal of the attacks is to harvest usernames, passwords, and potentially multi-factor authentication tokens (MFA) from two hospitality-centric platforms: Expedia Partner Central, and Cloudbeds.

This is according to Mimecast’s Threat Research Team, and researchers Samantha Clarke and Ankit Gupta. The team discovered an ongoing campaign distributing “urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff.”

Sophisticated understanding of hospitality workflows

Usually, the email messages discuss common tracking alerts, system updates, guest booking confirmations, and partner central notifications. These are regular topics in the hospitality industry, and are generally time-sensitive. Hotels that fail to address these messages on time usually end up losing revenue.

This means that, whoever is behind this campaign, has “sophisticated understanding of hospitality workflows,” the researchers further explained. The links in the emails then redirect the victims towards malicious landing pages, designed to look identical to login pages of Expedia and Cloudbeds.

This is where the attackers capture login credentials and, potentially, 2FA codes. All of the landing pages were hosted on Vercel, they added.

Sensitive data, such as email addresses, Social Security Numbers, passport and government ID numbers, dates of birth, postal addresses, and similar, are quite valuable to cybercriminals.

They allow them to launch phishing attacks that can give them access to important services, bank accounts, and more. Businesses in the hospitality industry, on the other hand, generate this type of data constantly, making them a prime target for campaigns such as this one.

Less than a month ago, a cybercriminal managed to break into the booking system used by numerous hotels in Italy and steal highly sensitive information on thousands of guests. Before that, high-profile hotel chains, including Marriott and Hilton, all had sensitive customer data leak as part of a supply-chain attack against a partner.