top of page
  • Writer's pictureMark van Vuuren

Hotel and Travel Businesses Attacked by Cybercriminals Using Bogus Reservations

The revitalization of the tourism and travel industry in 2022 prompted hackers to target hotel businesses, travel websites, and even tourists.

The threat actor dubbed TA558 increased its activity this year, conducting phishing operations against numerous hotels and businesses in the hospitality and travel industry.

How Did the Attack Happen?

A collection of 15 distinct malware families – most of them remote access trojans (RATs) – were used by the attackers in order to obtain access to target systems, carry out surveillance, collect important information, and drain money from the customers of these companies.

The infection chain started with phishing emails written in English, Spanish, and Portuguese that were sent to organizations in North America, Western Europe, and Latin America.

The emails that were sent to the victims claimed to be from tourism agencies and other organizers, asking for information about bookings, tickets, and other details regarding the target organization. When clicking the URL contained in the email, which supposedly was a reservation link, the victim received an ISO file from a remote resource, according to BleepingComputer.

The archive contains a batch file that launches a PowerShell script which eventually drops the RAT payload onto the victim’s computer and creates a scheduled task for persistence.

After the systems of the hotel are hacked, TA558 moves deeper into the network to collect sensitive customer information and banking details, and even tamper with the business’s website so all the payments made on the site will be redirected.

But this is not the only way in which these attacks can be monetized by the attackers. They can also:

  • Make it available for sale or use the stolen credit card info

  • Sell customer PII

  • Threaten high-interest victims to expose the data

  • Sell access to the affected hotel’s system to ransomware organizations.

Who Is Behind TA558?

The hacker TA558’s activity first surfaced back in 2018, but 2022 shows a rise in its campaigns.

Just like many other cybercriminals, in 2022, TA558 changed its method and moved from using auto-macro-enabled documents to RAR and ISO file attachments or embedded URLs in the messages.

These changes may be linked to the fact that Microsoft blocked VBA and XL4 macros in Office, tools historically used by cybercriminals for loading, dropping and spreading malware using malicious documents.

This year, in most of the cases, the cargo used by threat actors was AsyncRAT or Loda, as well as Revenge AT, XtremeRAT, CaptureTela, and BluStealer, but not at a bigger scale.

For example, one 2022 operation used QuickBooks invoice baits rather than room reservations and dropped Revenge RAT exclusively.

Keep in mind that The Marino Boutique Hotel in Lisbon, Portugal, lost €500,000 in July 2022 during a cyberattack. The hotel had its account hacked, and it took the attacker only four days to get that amount of money by stealing it from the customers who were paying to reserve a room.

8 views0 comments


bottom of page