How do cybercriminals carry out fraud in the tourism sector?

Malicious actors employ social engineering techniques and malware to carry out fraud in the tourism sector and defraud travelers

In recent weeks, multiple travel industry scams have been made public that feature similar methodologies and have occurred in different parts of the world. Criminals combine phishing techniques and malware to attack hotels and travel agencies, obtain their access credentials to the leading travel booking platforms (Booking, Expedia, eDreams, Hoteles.com…), impersonate them and defraud travelers who have made a reservation, again using social engineering techniques.

Thus, this type of fraud in the tourism sector affects, in different ways, three types of actors:

• Hotels and travel agencies. Criminals seek to get hold of their reservation lists and their access credentials to the platforms they work with.
• Travel booking platforms. In a way, we could say that they are the necessary means for fraud in the travel industry to succeed because they are the mediators between hotels and their customers.
• People who book a hotel room. The criminals’ ultimate goal is to defraud end users by impersonating the hotel or the platform to send a message to the customer offering a discount if they pay for the room immediately.

Although travelers suffer direct economic damage, there is no doubt that fraud in the tourism sector undermines the reputation of the companies that are affected and poses an increasingly relevant threat to a key industry in many countries and a critical one in the case of Spain, where tourism generates millions of jobs and wealth.

In this article, we will unravel the keys to fraud in the tourism sector, increasingly sophisticated attacks using technology and psychology to defraud thousands of people at the most eagerly awaited time of the year: their vacations.

1. Selection of fraud targets in the tourism sector

The basis of fraud in the tourism sector is based on hotel companies and travel agencies. Why? These companies are the primary targets, even if they are not the direct victims of economic fraud.

The tourism ecosystem is vast and complex. In countries like Spain, there are thousands of hotels and travel agencies, and we can find from robust international hotel chains to small hostels that have been digitized to survive. Some companies have their booking systems integrated into their websites, but the overwhelming majority also offer services on the leading travel booking platforms.

As in most businesses, in tourism, the main asset of a company is its client list or, in this case, its booking list. And that is precisely what malicious actors are looking for.

Thanks to the reservation list, they can attack the weakest link in the chain: the end customers of hotels and travel agencies.

This is why the target of the criminals are the professionals who manage the reservations within the companies. After all, for the attack mentioned above, it is of little use for a criminal group to launch a phishing campaign against a hotel professional if he does not have the list of reservations or the access credentials to the reservation platforms on his computer.

What kind of companies are targeted? No hotel or travel agency, even if its turnover or size is small, can feel safe. Today, with cybercrime growing in number, complexity and impact, it is critical to keep security in mind. However, there are two key factors that criminals consider when planning fraud in the travel industry: lack of personalization and cost/benefit ratio.

1.1. Lack of customization

In the case of small hotels, communication between them and their customers is more likely to be direct and close, which hinders the success of a phishing campaign because the visitor may realize that a message sent, theoretically, by the hotel is not absolute and suspect that he is being deceived. In addition, if they doubt the credibility of a message, they are more likely to immediately contact the business through an email account they know to be genuine or by calling directly.

On the other hand, in the case of larger hotels, communication is impersonal, managed through intermediaries and carried out through various channels: email booking platform application…

Therefore, if the customer receives a message through various channels that appears genuine, he is less inclined to mistrust it.

1.2. Cost/benefit ratio

The cost/benefit ratio is essential in the business world and fundamental for cybercriminals. In this regard, malicious actors assess the complexity of successfully attacking a company and weigh it against the potential profit they can reap. A priori, larger hotel chains should have a more advanced security posture that minimizes the success of a phishing campaign and malware deployment on a corporate computer. On the other hand, they also have more customers and bookings, which means the number of victims is higher.

Continuous analysis of the behavior of cybercriminals in all sectors has allowed us to observe that they always go for the weakest victims. Why? We go back to the cost/benefit ratio. Suppose attacking a particular hotel chain is more accessible than attacking a similar one, and the potential benefits are practically identical. In that case, criminals will target the company with the weakest security position.

2. Phishing techniques to attack hotels and travel agencies

Phishing is one of the main techniques used to compromise companies and their customers in the digital age. In their day-to-day work, Tarlogic Security professionals find that in most cyberattacks, regardless of the economic sector, the entry vector to companies is a social engineering component, which is essential for successful attacks. After all, the human factor remains the weakest link in the security strategy of companies.

As far as fraud in the travel industry is concerned, the launch of phishing campaigns against the people who manage hotel and agency bookings is the starting point for attacks.

First, criminals carry out intelligence work to find out which professionals are in charge of reservations at the company they wish to attack. They then design and execute phishing campaigns to trick them by sending emails to their email account to get them to download a malware-infected file or click on a malicious URL.

For example, in some cases, criminals pose as legitimate customers and use excuses such as special requests or specific health problems to send professionals essential documents via a URL.

3. Deploying infostealers to obtain login credentials to online booking platforms.

What happens when criminals get the booking professional to click on the URL to download a malicious file? When this is executed, an infostealer is deployed. In other words, a type of malware that collects credentials stored, for example, in a browser. These credentials include, of course, users and passwords used to access travel booking platforms.

Using info stealers, whose activity goes completely unnoticed by the professional working with the targeted computer, allows criminals to access the booking list and impersonate the business within the travel booking platforms without the need to control the computer.

3.1. Breaking into booking platforms without finding a vulnerability

Why don’t criminals launch their attacks directly against travel booking platforms? These companies have a much more advanced security posture. This means that discovering a genuine vulnerability in them to exploit it is much more complicated than setting up frauds in the travel industry, impacting hotel companies first and foremost.

As we pointed out earlier, the cost/benefit ratio is essential for criminals when plotting their strategies. Directly attacking the systems of global operators such as Booking can be much more complex and, therefore, costly than managing to compromise such platforms by accessing them through valid credentials.

3.2. Attacking non-corporate devices

The spread of teleworking and the possibility of performing any professional action from personal devices has expanded the attack surface for all companies, not just businesses linked to tourism.

Companies often protect corporate devices, such as the computers used by the professionals who manage reservations. However, using personal devices for professional or business purposes complicates the situation and dilutes the security perimeter of companies. Why? It is possible, for example, for the booking professional to synchronize his Google account on both his work computer and his cell phone. In such a way that if the latter is infected with an info stealer, the credentials for accessing the booking platforms can be accessed.

Over the past few years, Tarlogic’s cyber intelligence and Threat Hunting professionals have detected many companies compromised through their employees’ devices.

It is, therefore, essential to regulate the use of non-corporate equipment and to establish good cybersecurity practices to prevent fraud in the tourism sector in particular and the business world in general.

3.3. Friendly fire or when phishing and malware are not necessary

Although in this article we are focusing on fraud in the tourism sector designed and implemented by external actors, we must not lose sight of the fact that this type of criminal activity can be carried out by internal actors within companies. In other words, professionals or former employees with a profit motive or wish to take revenge on their company.

Suppose a member of a hotel staff or a professional who is no longer part of it, with the motivation to harm, can access the customer list or have the access credentials of the platforms. In that case, it is unnecessary to resort to the combined use of a phishing campaign and the deployment of malware to steal this critical information.

4. Phishing to defraud travelers

Once the actors have access credentials to the booking platforms, they can move on to the next stage of these travel frauds: impersonating hotels, travel agencies and even platforms.

The criminals access the platforms and consult all the information on the reservations made through them (customer name, email address, reservation dates, products contracted, amount…). With this material, they can design a new social engineering campaign, but this time, the victims are not the hotels or travel agencies but their customers.

Furthermore, we must bear in mind that, by accessing booking platforms, hostile actors can not only steal valuable information but also use the platforms to communicate directly with customers.

In many of the frauds in the travel industry that have employed this methodology, the criminals not only contacted travelers via email but also interacted with them from the applications themselves, posing as the targeted hotel, which lends a patina of honesty to the scam.

4.1. Alerts and discounts

The modus operandi of the criminals combines intelligent exploitation of the human psyche with technical expertise to lend credibility to the fraudulent messages:

• Sense of haste. These frauds in the tourism sector are successful because social engineering campaigns urge victims to decide in the short term whether it is to take advantage of an offer, a discount, or to solve a problem.
• Appropriate language. If a person receives an email or message through a platform that is poorly written, they may have doubts about its veracity. Criminals have also become more sophisticated when writing fraudulent messages, taking care of the language to deceive their victims.
• Appearance of officialdom. In scams targeting users who had made reservations through Booking, the criminals have sent the victims emails with an aesthetic appearance identical to the truthful communications carried out through the operator’s platform.

The two most common arguments used by criminals to successfully carry out this kind of fraud in the tourism sector are:

• Cash discount. Hostile actors take advantage of booking information to offer hotel customers the possibility of benefiting from a deal if they pay in advance. This is possible due to the very dynamics of this kind of platform, where, in most cases, payment is made at the accommodation when checking in.
• Verify the payment method. Criminals, impersonating the identity of the hotels and the platforms, inform the client that there has been a problem with the bank card that the client included in the reservation. To avoid cancellation of the reservation, the customer must provide the payment method again.

5. Creation of fake payment pages

In the cases mentioned so far, the fraudulent messages sent via email, SMS or the booking platform include a URL that leads to a page for the victim to enter their credit card details, either to make the payment on the spot or to verify the payment method.

Of course, these pages are also fake, although they pretend to be legitimate booking platform pages with a very high level of detail. This makes it difficult for the victim to detect the deception in the last step of these frauds in the tourism sector: the making of fraudulent charges that are charged to the victims’ accounts.

In this way, the scam is completed without the victim being aware of the deception at the time and, above all, without the hotel and the booking platform being aware that their identity has been impersonated to carry out the fraud.

6. Reputational damage caused by fraud in the tourism sector

Beyond the apparent economic damage to travelers, fraud in the tourism sector harms the reputation of the companies attacked. Not only is the relationship between the defrauded customers and the hotel chains or travel agencies decisively damaged, but the reputational damage spreads to all potential customers. After all, if a person knows that a specific hotel has suffered a security incident, he will be less inclined to make a reservation there.

Although booking platforms such as the multinational Booking are not direct victims of these attacks, their central position in online booking makes them critical players in fraud in the tourism sector.

As we have seen throughout this article, criminals use these platforms to collect booking information, communicate with customers and impersonate them by emulating their email communications and even imitating their payment page.

As a result, the reputational effects of fraud in the tourism sector impact them. People defrauded after making a reservation on a platform of this type irremediably associate the operator with the incident.

7. Why are frauds in the tourism sector so important?

85 million people. According to forecasts, when the chimes ring and we are eating our grapes on December 31, Spain will end 2023, having received 85 million visitors. In addition, last year, tourism generated almost 160,000 million euros and accounted for 12.2% of Spain’s GDP. These excessive figures demonstrate the importance of tourism in a country that offers visitors from all over the world an offer that combines beach, mountains, history and heritage.

But the tourism sector is essential not only in Spain but also in some of the world’s most powerful economies, such as the United States, France, Japan and Italy.

Improvements in mobility over the last few decades have made travel cheaper and faster. This has resulted in an exponential increase in domestic and international tourism.

We must add the impact of the digitalization of society and the economy. Today, a person can buy a plane ticket in a matter of seconds from their smartphone and book a hotel room on the other side of the world without contacting them.

If there is one thing we can highlight about cybercriminals, it is their excellent sense of smell. Not only do they smell blood to detect vulnerable targets, but they also smell money. The numbers in the tourism sector make it a desirable target for attacks.

This is why companies linked to tourism must take cyber threats very seriously, fortify their security perimeter, and make their professionals aware of the dangers associated with social engineering. Their reputation and their business model are at stake.

8. How to strengthen the security and resilience of travel companies

Tarlogic Security’s Cyber Intelligence and Threat Hunting teams have a long experience in investigating and fighting fraud in the tourism sector. Thanks to all the knowledge accumulated over time and the permanent analysis of the techniques, tactics and procedures used by malicious actors, the company’s professionals offer companies in the sector a catalog of services that includes, among others:

• Proactively analyze the threat environment to warn of risks or modifications before they materialize.
• Identification of information or vulnerabilities that can be exploited for these purposes.
• Design of preventive mitigation measures, preventing attacks from materializing.
• Investigation of online fraud and hacking.
• Design and implementation of honey pot environments to know the magnitude or typology of actors that may be behind a fraud event.
• Monitoring and prevention of the illicit use of brands.
• Simulation of fraud campaigns for training purposes.

8.1. Business strategy and security

Today, a person living in Madrid can book a hotel room in Tokyo, take a plane, and, in a handful of hours, check in to the Japanese capital. Globalization, improved mobility and digitalization have enabled us to travel like never before.

This means endless opportunities for personal enrichment for travelers and business opportunities for companies in the travel industry. Unfortunately, however, it also means that criminals see the travel industry as a very attractive niche criminal business, where it is possible to make a lot of money by attacking hotels and agencies, impersonating platforms and defrauding thousands of visitors.

Fraud in the tourism sector is becoming increasingly numerous and sophisticated. Large online booking platforms, travel agencies, hotel chains and other tour operators must place cybersecurity at the heart of their strategy. Otherwise, they risk losing customers, seeing their credibility damaged and suffering a significant drop in revenue that threatens the viability of their business models.