Something's phishy: More holiday scam spam flung at real hotel customers Multiple customers at several hotels are getting hit up with a sophisticated phishing scam based on real hotel bookings. The latter all share the common factor of being made through Booking.com. Last week we reported how the wife of a Reg reader received a scam email after booking a family holiday in a hotel in Mallorca, Spain …
"If Booking.com had been breached, you'd expect a dump of customer details would have been posted online by now - if someone has found a way to access customer details and are keeping it to themselves in order to craft these very specific spear phishes, then this would be a rather unusual case. "
If I found a way to get this info (and I was of criminal intent), I wouldn't share it with anybody, unless they paid me. I'm old fashioned.
I would expect to see an online dump if it was a hacker going for bragging rights. I would expect it to show up for sale, just as you imply, otherwise. My understanding is that most people who are capable of breaking in and grabbing up this sort of information are more likely to sell it off as they are not necessarily set up to exploit it. It's a tried and true concept: one person performs the theft and then sells the goods.
I booked a series of flights with Emirates last year through Expedia - ever since I've been receiving Arabic spam - my assumption has been that Emirates (or their email service) is the problem, not Expedia because of the language - but had I made the booking withing the US (where I live) it would have been much less obvious where the problem originated.
Let's face it - rather than jumping on our soapboxes about this - the entire email system has been compromised by spammer and other miscreants. Expecting security from a plain text based service is the very definition on insanity but it's not going to be fixed anytime soon.
Absolutely.
I ordered two cans of spray lacquer to finish some woodwork and was deluged with 'relkated products' spam from unrelated companies for weeks.
I think the actual online billing systems are often third party and these represent a place where spammable addresses and product interest are linked up.
I have two lines of defense: One is of course disposable email addresses - which I ought to make more use of. August2014@mydomain is probably usable enough for a month.
The other is to build a blacklist of the actual envelope sender addresses. Although some companies are registering hundreds of domains a day on a 'use once throwaway' type basis many of them actually re-use the same ones. And furthermore collect bounces to delete them from their purloined lists.
Since I started doing this, things have got a lot better on my own mail server.
There are many more hotels than just two involved now and the common point is booking dot com ( BDC)
One of the Trip Advisor threads relates how the website interface used by hoteliers to access their BDC info is only protected by a 4 digit pin, so all you need is to select a hotel and try a PIN. Keep using the same PIN across multiple hotels, you'll soon enough find a valid hotel/pin combination. Thats one way they could be getting in.
This is also very targeted fraud, its not just done only by email, they are phoning out to "marks", and answering the phone to enquiries (using a supposedly BDC phone number in the email, obviously its the scammers)
So, this is a low volume operation, might only be a handful of people operating it, there is no point blasting any info gained out or selling it, each "mark" needs careful treatment, plus the fact there isnt a mass email going out pretty much proves its selective access, eg not every single BDC booking has been compromised.
IMO BDC's public response is pretty pathetic, all they have done is put out a bland email about crooks targetting credit card numbers, when its bank transfers (no doubt via mules) they are using.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
