14 DAY TRIAL // In a recent phishing case, the crooks managed to get hold of the real details of a victim’s hotel booking and then sent them an email purporting to deliver an invoice from Booking.com, the online service used for the booking.
Any bit of personal information can be useful for cybercriminals, as they can weave their story around it in order to create a lure that cannot be refused.
The Register received a sample of such an email, where the targeted tourists received an email containing accurate information about their booking for a hotel in Spain and were asked to make a payment to a bank in Poland.
The details provided by the scammer in the email were all correct and included reservation dates, hotel name, and personal information such as full name, home address and phone number.
To cover all angles and make sure that they get some money out of the scam even if the invoice was not paid, the crooks also asked for the card’s verification codes (CVV); these would help them make purchases online and then the goods can be sold at a lower price.
Furthermore, the potential victims also received a short text message, informing of the email in the inbox.
When the recipient of the fraudulent message contacted Booking.com, he or she was told that the details were most likely obtained directly from the booked hotel.
Security experts agree to this scenario, since phishing scams with information from the online booking service would be reported on the web.
“The outlook on this one right now seems to be that the hotel has been targeted in some way rather than the booking website, and likely involves social engineering,” says Christopher Boyd of Malwarebytes.
If the booking service had been targeted by an attack, they would have had the legal obligation to disclose the incident.
Another possibility would be that the computer of the target was hosting some sort of Trojan that harvested the information.
The fake email asked the victims to make the payment via wire transfer directly from the bank and then reply with a copy of the deposit into the provided bank account in Poland.
Boyd said that “this is often used in 419 / wire scams, because they’ll take the scan to the place where the money it sent and pretend to be the victim or a relative before wandering off with a tidy stack of notes.”
The general recommendation when emails about payments are received is to contact the hotel or the booking agents to learn more details.