An October 2023 attack investigated by Secureworks® incident responders involved deployment of the Vidar infostealer to steal a hotel's Booking.com credentials. Access to the Booking.com management portal (admin . booking . com) allows the threat actor to see upcoming bookings and directly message guests. This incident is likely part of a broader and widely reported campaign. Vidar is not usually used in targeted attacks, but the demand for these types of credentials on underground forums could increase the frequency and impact of this type of malicious activity.
Secureworks incident responders noted that the threat actor initiated contact by emailing a member of the hotel's operations staff. The sender claimed to be a former guest who had lost an identification document (ID), and they requested the recipient's assistance in finding it (see Figure 1). The email did not include an attachment or malicious links, and it was likely intended to gain the recipient's trust. With no reason to be suspicious, the employee responded to the email and requested additional information to assist the sender.
Figure 1. Spearphishing email socially engineering a hotel employee. (Source: Secureworks)
Later that week, the threat actor sent another email about the lost ID. The sender identified the document as a passport and stated that they strongly believed they left it at the hotel (see Figure 2). They included a link to a Google Drive URL that allegedly hosted photos of the passport and their check-in details to help the hotel staff find the document. Despite the typo ('quest' rather than 'guest'), the language in the message was a better standard of English than average phishing emails. According to public reports, almost identical emails containing a Google Drive URL were sent to other victims of this campaign.
Figure 2. Follow-up email containing a Google Drive link. (Source: Secureworks)
When the recipient clicked the link in the email, a ZIP archive file (photo_2023-09-01_13-21-32.zip) was downloaded to the computer's desktop. Microsoft Defender identified a file within this archive (photo_2023-09-01_13-21-32.scr) as the Vidar infostealer. Microsoft Defender detected multiple failed execution attempts before the malware finally executed.
The contents of the ZIP file were not available for analysis, and the Google Drive URL listed in the email returned a 404 error page. However, a search of the VirusTotal analysis service revealed multiple ZIP samples with the same name. One of these files was modified and uploaded to VirusTotal on the same day as the initial phishing email analyzed by Secureworks incident responders. While it is possible that this file is not related to this incident, the filename and modification date strongly suggest that it was used in the same campaign.
Secureworks Counter Threat Unit™ (CTU) researchers analyzed the contents of this file and confirmed that it is the Vidar infostealer. This Vidar sample is configured to only steal passwords. The configuration file also indicated the use of Steam and Telegram accounts to host command and control (C2) information (see Figure 3). Steam and Telegram are common platforms for hosting infostealer C2 infrastructure. In a January 2023 intrusion, Secureworks incident responders observed the platforms hosting Vidar C2 infrastructure.
Figure 3. Configuration of the analyzed Vidar sample. (Source: Secureworks)
The Telegram account listed in the October 2023 sample was not available at the time of analysis, so Secureworks incident responders could not determine what IP addresses may have been hosted there. However, the Steam profile contained four C2 IP addresses:
- 168 . 119 . 243 . 238
- 128 . 140 . 102 . 206
- 116 . 203 . 167 . 36
- 78 . 47 . 20 . 171
The day after the malware was executed, a hotel employee observed that multiple messages had been sent to upcoming guests from the hotel's Booking.com account. Several hours later, hotel customers started to complain that money had been taken from their accounts. The threat actor likely deployed Vidar to steal the property’s Booking.com credentials and then abused them to access the account. The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with the stolen credentials was easy.
It is also likely that this activity is part of a broader fraud campaign targeting Booking.com customers and properties. Customers of multiple properties received email or in-app messages from Booking.com that purported to be from hotel owners requesting confirmation of payment details for upcoming stays. The threat actors directed the victims to malicious URLs for inputting the information, and then used the details to withdraw money from the victims' accounts.
This activity originally appeared to suggest that Booking.com's systems were compromised. However, the observations by Secureworks incident responders indicate that threat actors likely stole credentials to the admin . booking . com property management portal (see Figure 4) directly from the properties and used the access to target the properties' customers.
Figure 4. Property management portal at admin.booking.com. (Source: Secureworks)
Access to this portal would allow the threat actor to see all upcoming bookings and directly message customers. These messages would appear legitimate, sent via the Booking.com app or as emails from <noreply @ booking . com>. The sense of legitimacy increases the likelihood that recipients will comply with the requests.
As far back as March 2023, two hotels posted messages on Booking.com's partner support hub reporting that the official messaging mechanism was abused to defraud their customers. In August 2023, a third hotel contributed to the thread by including the contents of a message used to target one of its customers (see Figure 5). Similar messages about verifying credit card details were sent to other hotels' customers during the October 2023 campaign.
Figure 5. Message used to defraud hotel customers in August 2023. (Source: Secureworks)
CTU™ researchers have observed a high demand on underground forums for Booking.com property credentials. Some threat actors have requested infostealer logs that include credentials for the admin . booking . com property management portal while others have offered to sell logs and associated services such as log checking and parsing.
On October 5, an underground forum user known as 'cocok' offered to pay more for logs featuring admin . booking . com credentials than other potential buyers (see Figure 6).
Figure 6. Offer to buy admin . booking . com logs. (Source: Secureworks)
On October 10, 'Robertraian' also sought login credentials for the Booking.com property management portal, offering $30 to $2,000 USD per valid log with additional incentives for regular suppliers (see Figure 7). Emphasizing quick processing of logs assures sellers that they will receive fast payment, as payment only occurs after verification is complete. Mentioning the use of proxies for manual checks and noting a readiness to handle large volumes of data highlights that the threat actor is experienced and will not render the logs useless by exposing the credentials in the verification process.
Figure 7. Offer to buy admin . booking . com credentials under specific terms. (Source: Secureworks)
In April 2023, a user known as 'ParanoidChecker' on a forum dedicated to infostealer logs advertised a service that checks logs to find credentials for various platforms and accounts and then tests if the credentials work. It allegedly works for logs obtained from platforms such as Facebook Adsmanager, Google Accounts, Gpay, and Discord. The price ranges from $15 USD for one week to $170 USD for six months. On October 31, ParanoidChecker updated the service to specifically look for and check the validity of admin . booking . com credentials in logs (see Figure 8).
Figure 8. 'ParanoidChecker' announcing updates to a log parsing and checking service for admin . booking . com credentials. (Source: Secureworks)
The flourishing market for Booking.com credentials to commit fraud suggests that threat actors will continue to target properties that use the platform. The lists of properties on the Booking.com website and in the app can allow threat actors to identify potential targets. Exploiting stolen property credentials to communicate directly with guests facilitates the social engineering attacks. The phishing messages are likely more convincing than most campaigns given the high quality of the English and the plausibility of the lure.
The use of Vidar in a targeted campaign is unusual. As with most infostealers, it is typically deployed indiscriminately to harvest credentials from web browsers. The logs are then sold in bulk on dedicated underground marketplaces. However, Vidar is offered as a malware-as-a-service (MaaS) operation, so any threat actor can rent it for their own purposes.
CTU researchers recommend that organizations in the hospitality vertical make employees aware of this campaign and remain vigilant about identifying and mitigating social engineering attacks. Implementing MFA on Booking.com accounts would likely thwart most unauthorized attempts to access the property management portal. Individual customers should be wary of emails or app messages requesting payment details, as they may not be legitimate.
To mitigate exposure to this malware, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The IP addresses and URLs may contain malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| 168.119.243.238 | IP address | Vidar infostealer C2 server in Booking.com campaign |
| 128.140.102.206 | IP address | Vidar infostealer C2 server in Booking.com campaign |
| 116.203.167.36 | IP address | Vidar infostealer C2 server in Booking.com campaign |
| 78.47.20.171 | IP address | Vidar infostealer C2 server in Booking.com campaign |
| https://t.me/cahalgo | URL | Hosted Vidar infostealer C2 server details in Booking.com campaign |
| https://steamcommunity.com/profiles/76561199560322242 | URL | Hosted Vidar infostealer C2 server details in Booking.com campaign |
Table 1. Indicators for this threat.
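As an added example (not Secureworks code), the following Python matches the Table 1 indicators against proxy log lines. The IP indicators are entered in the defanged form used in the body text and normalised before matching; the log format, client addresses and non-indicator destination addresses are constructed for illustration. URL indicators are matched on host and full path, so an unrelated page on the same Steam or Telegram host does not trigger a hit.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Table 1 indicators. IPs are written defanged as in the body text; refang()
# normalises them. Note the page's caveat: IP addresses can be reallocated,
# so record the observation date with each hit rather than blocking forever.
TABLE_1 = {
    "168 . 119 . 243 . 238": "Vidar C2 server",
    "128 . 140 . 102 . 206": "Vidar C2 server",
    "116 . 203 . 167 . 36": "Vidar C2 server",
    "78 . 47 . 20 . 171": "Vidar C2 server",
    "https://t.me/cahalgo": "Hosted Vidar C2 details",
    "https://steamcommunity.com/profiles/76561199560322242": "Hosted Vidar C2 details",
}

# Constructed log format: "<timestamp> <client_ip> <dest_ip> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<url>\S+)$")

def refang(value: str) -> str:
    """Undo common defanging: 'a . b . c . d', 'a[.]b', 'a(.)b', 'hxxp'."""
    value = re.sub(r"\s*\.\s*", ".", value.strip())
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def url_key(url: str) -> str:
    """Scheme-insensitive host+path key, so http/https and a trailing '/' still match."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.netloc.lower() + parts.path.rstrip("/")

def load_indicators(table):
    """Split indicators into IP and URL lookup tables keyed by normalised value."""
    ips, urls = {}, {}
    for raw, context in table.items():
        value = refang(raw)
        try:
            ips[ipaddress.ip_address(value)] = (raw, context)
        except ValueError:  # not an IP literal, treat as URL
            urls[url_key(value)] = (raw, context)
    return ips, urls

def scan(lines, table=TABLE_1):
    """Return (line_no, indicator_as_published, context) for each matching log line."""
    ips, urls = load_indicators(table)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            dest = ipaddress.ip_address(m["dest"])
        except ValueError:
            dest = None
        if dest in ips:
            hits.append((n, *ips[dest]))
        if url_key(m["url"]) in urls:
            hits.append((n, *urls[url_key(m["url"])]))
    return hits

# Constructed sample log; 198.51.100.x addresses are documentation-range placeholders.
SAMPLE_LOG = [
    "2023-10-05T09:12:41Z 10.10.4.23 198.51.100.10 https://drive.google.com/file/d/EXAMPLE/view",
    "2023-10-05T09:14:03Z 10.10.4.23 198.51.100.20 https://steamcommunity.com/profiles/76561199560322242/",
    "2023-10-05T09:14:09Z 10.10.4.23 168.119.243.238 http://168.119.243.238/",
    "2023-10-05T09:20:55Z 10.10.4.31 198.51.100.20 https://steamcommunity.com/app/730",
]

if __name__ == "__main__":
    for n, raw, context in scan(SAMPLE_LOG):
        print(f"line {n}: matched {raw!r} ({context})")
```

Only the Steam profile URL and the C2 address fire; the Google Drive download and the unrelated Steam page do not.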