A new OSINTMATTER report has revealed a sophisticated phishing campaign targeting Booking.com, a leading online travel reservation platform. This attack uses a multi-phase approach, beginning with compromising hotel managers’ accounts and culminating in scamming hotel customers directly through the app.
Initially, attackers gain access to hotel managers’ Booking.com accounts, infiltrating systems that manage customer reservations and transactions. In the second phase, they scam hotel guests through the official app. This dual approach has made the scam highly effective, with significant consequences for both the industry and customers.
Central to this operation is the lookalike domain “extraknet-booking.com”, which mimics the legitimate “extranet-booking.com” used by Booking.com hotel managers. The only difference is a single inserted letter (“extraknet” for “extranet”), enough to slip past even attentive users and send them to a fake portal that reproduces the genuine Booking.com interface.
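The one-letter distance between the two domains is exactly what a lookalike-domain check is built to catch. The following is an added example, not code from the OSINTMATTER report or from Booking.com: it scores candidate hostnames against a short list of protected brand domains using edit distance, a small confusable-character map, an IDN (punycode) check and a brand-token check. The protected list, the confusable table and all sample domains other than the two named in the report are constructed for illustration.

```javascript
// Added example (not from the OSINTMATTER report): score candidate hostnames
// against a short list of protected brand domains. Brand list, confusable
// map and sample domains are constructed for illustration.

const PROTECTED = ["extranet-booking.com", "booking.com"];
const BRAND_TOKENS = ["booking"];
// Common confusables; the right-hand side is what the eye reads.
const CONFUSABLES = [["0", "o"], ["1", "l"], ["rn", "m"], ["vv", "w"]];

// Levenshtein distance (insert/delete/substitute, cost 1) with one rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Normalise what a victim would *see*: lower-case, drop a leading www.,
// and collapse confusable sequences to the letters they imitate.
function fold(host) {
  let h = host.toLowerCase().replace(/^www\./, "");
  for (const [from, to] of CONFUSABLES) h = h.split(from).join(to);
  return h;
}

function assess(candidate, maxDistance = 2) {
  const raw = candidate.toLowerCase().replace(/^www\./, "");
  // Exact match or subdomain of a protected name is legitimate; this check
  // deliberately runs on the raw string, before confusables are folded.
  for (const legit of PROTECTED) {
    if (raw === legit || raw.endsWith("." + legit)) {
      return { host: candidate, verdict: "legitimate", match: legit, distance: 0 };
    }
  }
  const folded = fold(raw);
  let best = { match: null, distance: Infinity };
  for (const legit of PROTECTED) {
    const d = levenshtein(folded, legit);
    if (d < best.distance) best = { match: legit, distance: d };
  }
  if (best.distance <= maxDistance) return { host: candidate, verdict: "lookalike", ...best };
  if (raw.split(".").some((label) => label.startsWith("xn--"))) {
    return { host: candidate, verdict: "idn-label", ...best }; // Unicode homoglyphs hide here
  }
  if (BRAND_TOKENS.some((t) => folded.includes(t))) {
    return { host: candidate, verdict: "brand-embedded", ...best };
  }
  return { host: candidate, verdict: "unrelated", ...best };
}

function assessAll(hosts) {
  return hosts.map((h) => assess(h));
}

// Constructed sample: the report's pair plus synthetic variants.
const SAMPLE_DOMAINS = [
  "extraknet-booking.com",
  "extranet-booking.com",
  "admin.booking.com",
  "b00king.com",
  "booking-verify-account.net",
  "xn--bking-8va.com",
  "example.org",
];

console.table(assessAll(SAMPLE_DOMAINS));
```

Run it under Node and the report's domain comes back as `lookalike` at distance 1 from `extranet-booking.com`, while `b00king.com` is caught at distance 0 only because the confusable fold is applied before measuring. In a real deployment the candidate list would come from certificate-transparency logs or newly registered domain feeds, and the protected list from the organisation's own inventory.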
This fraudulent portal was designed to harvest sensitive information, including login credentials and financial details. Attackers employed a range of delivery tactics, from spoofed emails to SEO poisoning, manipulating search rankings so that the fake portal surfaced among results for the legitimate login page.
A standout feature of this phishing site is its use of JavaScript obfuscation to hide malicious code from scanners and analysts. Strings were stored as numeric tokens and rebuilt at runtime with parseInt, which makes static review tedious. One such string decodes to “загружено” (Russian for “loaded”), a hint at a Russian-speaking origin.
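An analyst's first instinct with this kind of obfuscation should be to decode it statically rather than run the script. The block below is an added example, not the phishing kit's code: it assumes a common parseInt scheme (one base-36 token per character, rebuilt with `String.fromCharCode(parseInt(token, 36))`), which is an assumption since the report says only that parseInt was used. The sample snippet is constructed in that style and decodes to the Cyrillic string the report mentions.

```javascript
// Added example (not the phishing kit's own code): recover a parseInt()-based
// obfuscated string statically, without executing the script. The encoding
// assumed here, one base-36 token per character turned back into text with
// String.fromCharCode(parseInt(token, 36)), is an assumption; the report only
// states that parseInt was used.

// Constructed sample in the style of the described obfuscation.
const SAMPLE_SNIPPET = `
  var _0xa1 = ["tz","ts","tv","u8","ub","ty","tx","u5","u6"];
  var _0xa2 = _0xa1.map(function (c) { return String.fromCharCode(parseInt(c, 36)); }).join("");
  document.title = _0xa2;
`;

// Encoder that mirrors the assumed scheme; useful for building test vectors
// and for confirming that a decoded string round-trips.
function obfuscate(text, radix) {
  return Array.from(text, (ch) => ch.codePointAt(0).toString(radix));
}

// Decode one token array. Throws on a token that is not valid in the radix,
// which usually means the radix guess was wrong.
function decodeTokens(tokens, radix) {
  return tokens
    .map((t) => {
      const cp = parseInt(t, radix);
      if (Number.isNaN(cp)) throw new Error(`token ${JSON.stringify(t)} is not base-${radix}`);
      return String.fromCodePoint(cp);
    })
    .join("");
}

// Locate the radix handed to parseInt and every array of string literals in
// the source text, then decode each array. Regular expressions only: the
// suspect code is never evaluated.
function extractDecodedStrings(source) {
  const radixMatch = /parseInt\(\s*[\w$]+\s*,\s*(\d+)\s*\)/.exec(source);
  const radix = radixMatch ? Number(radixMatch[1]) : 10; // parseInt default for plain decimals
  const arrayRe = /\[\s*("[^"]*"(?:\s*,\s*"[^"]*")*)\s*\]/g;
  const results = [];
  let m;
  while ((m = arrayRe.exec(source)) !== null) {
    const tokens = m[1].match(/"([^"]*)"/g).map((s) => s.slice(1, -1));
    try {
      results.push({ radix, tokens, decoded: decodeTokens(tokens, radix) });
    } catch (err) {
      results.push({ radix, tokens, error: err.message });
    }
  }
  return results;
}

for (const r of extractDecodedStrings(SAMPLE_SNIPPET)) {
  console.log(`base-${r.radix}:`, r.decoded ?? r.error);
}
```

The regex approach is deliberately narrow: it handles the pattern it was written for and fails loudly (a `NaN` token) when the radix guess is wrong, which is preferable to an `eval`-based "decoder" that hands control to the attacker's code. Real kits often layer this with string splitting or array rotation, so treat the output as one step in the analysis rather than the end of it.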
Further analysis of the JavaScript files linked “extraknet-booking.com” to dozens of other malicious sites associated with the Ninja Trojan malware, which enables multiple operators to control compromised systems simultaneously.
Another critical element was a burst of 238 STUN (Session Traversal Utilities for NAT) Binding Requests to domains tied to open WebRTC VoIP services. STUN is legitimate in VoIP and WebRTC, where a Binding Request simply asks the server to report the client's public address; but the volume seen here, combined with the use of non-standard ports, points to abuse such as covert communication with compromised systems or data exfiltration.
One contacted STUN server, “stun.usfamily.net”, had previously been flagged as compromised, adding to the suspicion. The use of STUN fits earlier research on attackers hiding malicious traffic inside protocols that defensive tooling rarely inspects.
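To make the two heuristics above (volume and non-standard ports) concrete, here is an added example that is not part of the report: a minimal STUN header parser following RFC 5389 (message type with its two zero high bits, attribute length, the 0x2112A442 magic cookie, 96-bit transaction ID) applied to a set of constructed UDP flow records, grouping Binding Requests per destination and flagging the ones that exceed a request threshold or target a port other than the registered 3478/5349. The hostnames, ports and counts in the sample capture are placeholders, not indicators from the report.

```javascript
// Added example (not from the report): parse STUN message headers (RFC 5389)
// out of captured UDP payloads and flag destinations that receive Binding
// Requests in unusual volume or on ports other than the registered 3478/5349.
// The flow records and hostnames below are constructed placeholders.

const STUN_MAGIC_COOKIE = 0x2112a442;
const STUN_BINDING_REQUEST = 0x0001;
const STUN_STANDARD_PORTS = new Set([3478, 5349]); // stun/turn, stuns

// Build a minimal 20-byte Binding Request (no attributes) for the sample data.
function buildBindingRequest(txid) {
  const buf = Buffer.alloc(20);
  buf.writeUInt16BE(STUN_BINDING_REQUEST, 0); // message type
  buf.writeUInt16BE(0, 2);                    // attribute length
  buf.writeUInt32BE(STUN_MAGIC_COOKIE, 4);    // magic cookie
  txid.copy(buf, 8, 0, 12);                   // 96-bit transaction ID
  return buf;
}

// Return the header fields, or null if the bytes are not STUN.
function parseStun(payload) {
  if (payload.length < 20) return null;
  const type = payload.readUInt16BE(0);
  if ((type & 0xc000) !== 0) return null;       // top two bits are always zero
  const length = payload.readUInt16BE(2);
  if (payload.readUInt32BE(4) !== STUN_MAGIC_COOKIE) return null;
  if (length % 4 !== 0 || payload.length < 20 + length) return null;
  return {
    type,
    isBindingRequest: type === STUN_BINDING_REQUEST,
    attributeLength: length,
    transactionId: payload.subarray(8, 20).toString("hex"),
  };
}

// Group Binding Requests by destination and apply the two heuristics the
// report describes: volume and non-standard ports.
function analyzeFlows(flows, { maxRequestsPerHost = 20 } = {}) {
  const perHost = new Map();
  for (const f of flows) {
    const msg = parseStun(f.payload);
    if (!msg || !msg.isBindingRequest) continue;
    const rec = perHost.get(f.dstHost) || { host: f.dstHost, requests: 0, ports: new Set() };
    rec.requests += 1;
    rec.ports.add(f.dstPort);
    perHost.set(f.dstHost, rec);
  }
  return [...perHost.values()].map((r) => {
    const reasons = [];
    if (r.requests > maxRequestsPerHost) reasons.push(`volume ${r.requests} > ${maxRequestsPerHost}`);
    const odd = [...r.ports].filter((p) => !STUN_STANDARD_PORTS.has(p));
    if (odd.length > 0) reasons.push(`non-standard port(s) ${odd.join(",")}`);
    return {
      host: r.host,
      requests: r.requests,
      ports: [...r.ports].sort((a, b) => a - b),
      suspicious: reasons.length > 0,
      reasons,
    };
  });
}

// Constructed capture: a normal WebRTC connectivity check (two requests to a
// server on 3478), a page firing 238 requests at a server on an odd port, and
// one non-STUN datagram the parser must reject.
function makeFlows() {
  const flows = [];
  let seq = 0;
  const nextTxid = () => Buffer.alloc(12, seq++ & 0xff);
  for (let i = 0; i < 2; i++) {
    flows.push({ dstHost: "stun.example.net", dstPort: 3478, payload: buildBindingRequest(nextTxid()) });
  }
  for (let i = 0; i < 238; i++) {
    flows.push({ dstHost: "stun.suspicious.example", dstPort: 8000, payload: buildBindingRequest(nextTxid()) });
  }
  flows.push({ dstHost: "dns.example", dstPort: 53, payload: Buffer.alloc(20, 0x41) });
  return flows;
}

console.table(analyzeFlows(makeFlows()));
```

The threshold of 20 requests per host is a placeholder; a browser negotiating a single WebRTC session sends a handful of Binding Requests, so the right value depends on the baseline in your own traffic. The port heuristic is the weaker of the two on its own, since some public STUN services legitimately listen on other ports, which is why the example reports both reasons separately rather than collapsing them into one score.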
The phishing site also used dynamic cloaking: it serves different content depending on who is asking. Attributes such as the visitor's IP address and browser configuration decide whether a request receives the fake portal, the genuine Booking.com page, or an error message, which complicates detection for security researchers.
This cloaking mechanism effectively shields the phishing operation, making it hard for investigators to uncover the scam's full extent. Tests on various virtual machine configurations showed how the site could deliver varied responses, from timeouts to full access to the phishing portal, depending on the conditions met.