Attention Travelers! Beware of Booking.com Themed Phishing Attacks


Phishing attacks are a type of social engineering scam where attackers trick victims into revealing sensitive information. 

In phishing attacks, the attackers often impersonate trusted entities like banks or companies in emails, texts, or calls to trick victims into clicking malicious links or attachments.


Cybersecurity researchers at OSINTMATTER recently warned travelers of Booking[.]com themed phishing attacks.

A sophisticated phishing attack targets “Booking[.]com” by compromising hotel managers’ accounts to scam customers. 

Here, the threat actor uses a fake domain (extraknet-booking[.]com) that mimics the legitimate “extranet-booking.com.” 

Fake page (Source – OSINTMATTER)

The attackers employ JavaScript obfuscation in which strings are stored as numbers and recovered at runtime with parseInt; one of the recovered strings contains Cyrillic text (“загружено”, meaning “loaded”), possibly indicating Russian-speaking origins.
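Recovering the hidden strings from this kind of script is a routine triage step, since the decoded values (URLs, DOM property names, status messages such as “загружено”) are what an analyst pivots on. The following is an added example, not code from the OSINTMATTER write-up or from the campaign itself: it locates arrays of numeric strings that are consumed by parseInt, decodes them with the radix the script uses, and tags any result that contains Cyrillic. The embedded script is a constructed sample modelled on the parseInt/String.fromCharCode pattern described above.

```python
import re

# Constructed sample, modelled on the parseInt/String.fromCharCode pattern
# described in the article; it is not the actual script from the campaign.
SAMPLE_JS = r'''
var _0xa = ["1079","1072","1075","1088","1091","1078","1077","1085","1086"];
var msg = ""; for (var i = 0; i < _0xa.length; i++) { msg += String.fromCharCode(parseInt(_0xa[i], 10)); }
var _0xb = ["64","6f","63","75","6d","65","6e","74"];
var tgt = ""; for (var j = 0; j < _0xb.length; j++) { tgt += String.fromCharCode(parseInt(_0xb[j], 16)); }
'''

# var NAME = [ ... ];   an array literal of quoted numeric strings
ARRAY_RE = re.compile(r'var\s+(\w+)\s*=\s*\[([^\]]*)\]')
# parseInt(NAME[index], radix)   radix is optional; default to 10 like JS does here
PARSEINT_RE = re.compile(r'parseInt\(\s*(\w+)\s*\[[^\]]*\]\s*(?:,\s*(\d+))?\s*\)')


def find_radixes(js):
    """Map array name -> radix used when its elements are fed to parseInt."""
    radixes = {}
    for name, radix in PARSEINT_RE.findall(js):
        radixes[name] = int(radix) if radix else 10
    return radixes


def decode_numeric_arrays(js):
    """Return {array_name: decoded_string} for every array that is consumed by
    parseInt and whose elements all decode to valid Unicode code points."""
    radixes = find_radixes(js)
    decoded = {}
    for name, body in ARRAY_RE.findall(js):
        if name not in radixes:
            continue  # array never passed to parseInt, so not this pattern
        items = [x.strip().strip('"\'') for x in body.split(',') if x.strip()]
        try:
            chars = [chr(int(x, radixes[name])) for x in items]
        except (ValueError, OverflowError):
            continue  # not a numeric string array after all
        decoded[name] = ''.join(chars)
    return decoded


def is_cyrillic(s):
    """True if any character falls in the Unicode Cyrillic block (U+0400..U+04FF)."""
    return any(0x0400 <= ord(c) <= 0x04FF for c in s)


def triage(js):
    """Decode the arrays and tag each result the way an analyst would note it."""
    report = {}
    for name, text in decode_numeric_arrays(js).items():
        report[name] = (text, 'cyrillic' if is_cyrillic(text) else 'ascii')
    return report


if __name__ == '__main__':
    for name, (text, tag) in triage(SAMPLE_JS).items():
        print(f'{name}: {text!r} [{tag}]')
```

Running the block against a captured script instead of SAMPLE_JS only requires reading the file into a string; arrays that are never passed to parseInt are deliberately ignored so that ordinary data tables do not produce false positives.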

Researchers warned that the attack utilizes SEO poisoning to boost malicious site rankings in search results.

Notably, 238 STUN (Session Traversal Utilities for NAT) binding requests were identified using non-standard high ports, potentially for data exfiltration or for maintaining communication with compromised systems.


This attack has been associated with the Ninja Trojan, a complex piece of malware that evades detection by loading itself into memory. Dozens of other sites are also associated with the scripts used on the phishing site.

The technique relies on “UDP hole punching,” which allows traffic to traverse NAT firewalls and helps the attackers reach the target’s internal networks.
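The STUN binding requests on non-standard ports mentioned above, and the UDP hole punching they enable, are visible on the wire: a STUN message starts with a fixed 20-byte header whose magic cookie (0x2112A442, RFC 5389) makes it easy to recognise regardless of port. The following is an added example, not code from the researchers or the campaign: it parses that header from UDP payloads and flags internal hosts that send Binding Requests to ports other than the standard 3478/5349. The flow records are constructed; the threshold of five requests is an assumption chosen for the demo, not a figure from the article.

```python
import struct
from collections import Counter

STUN_MAGIC_COOKIE = 0x2112A442      # RFC 5389 fixed value
STUN_BINDING_REQUEST = 0x0001       # message type of a Binding Request
STUN_STANDARD_PORTS = {3478, 5349}  # registered STUN / STUN-over-TLS ports


def parse_stun_header(payload):
    """Return (msg_type, msg_length, transaction_id) if the payload starts with a
    well-formed STUN header, otherwise None."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack('!HHI', payload[:8])
    # the two most significant bits of the type must be zero and the cookie must match
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None
    return msg_type, msg_len, payload[8:20]


def make_binding_request(txid=b'\x00' * 12):
    """Build a minimal STUN Binding Request (constructed test traffic)."""
    return struct.pack('!HHI', STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, udp_payload).
# 10.0.0.5 talks to a normal STUN server on 3478, then sprays Binding Requests
# at high ports on another host; 10.0.0.9 sends something that is not STUN.
SAMPLE_FLOWS = (
    [('10.0.0.5', 51000, '203.0.113.10', 3478, make_binding_request())] * 3
    + [('10.0.0.5', 51000, '198.51.100.7', 49152 + i, make_binding_request(bytes([i]) * 12))
       for i in range(6)]
    + [('10.0.0.9', 40000, '198.51.100.7', 53, b'\x12\x34\x01\x00\x00\x01')]
)


def find_suspicious_stun(flows, threshold=5):
    """Return {src_ip: count} for hosts that sent `threshold` or more STUN Binding
    Requests to destination ports outside the standard STUN ports."""
    per_host = Counter()
    for src_ip, _src_port, _dst_ip, dst_port, payload in flows:
        hdr = parse_stun_header(payload)
        if hdr is None or hdr[0] != STUN_BINDING_REQUEST:
            continue
        if dst_port not in STUN_STANDARD_PORTS:
            per_host[src_ip] += 1
    return {ip: n for ip, n in per_host.items() if n >= threshold}


if __name__ == '__main__':
    for ip, n in find_suspicious_stun(SAMPLE_FLOWS).items():
        print(f'{ip}: {n} STUN Binding Requests to non-standard ports')
```

In practice the flow tuples would come from a packet capture or NetFlow export; matching on the magic cookie rather than the port is what makes the high-port traffic described above stand out, and the per-host count is what distinguishes a single NAT-traversal probe from sustained hole-punching activity.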

This sophisticated approach combines several technical elements to create a highly effective and evolving threat.

The sophisticated phishing attack on Booking[.]com employed advanced techniques to evade detection and maximize impact. 

Cloaked URL (Source – OSINTMATTER)

At its core, the attack used dynamic cloaking, which allowed the attackers to serve either the malicious fake portal, the genuine Booking[.]com page, or an error page, depending on factors such as the visitor’s IP address and browser settings.
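Cloaking of this kind is exactly why a single fetch of a reported URL can come back clean. The practical check is to request the same URL under several client profiles and compare what comes back. The following is an added example, not the researchers’ tooling: it fingerprints each response by status, body hash and page title, and reports the URL as cloaked when different profiles receive different pages. The profiles and the stand-in server are constructed so that it runs offline; the real urllib-based fetcher is included for use against a live URL but is not exercised here.

```python
import hashlib
import re
import urllib.error
import urllib.request

# Client profiles to vary. Header names are real HTTP headers; the values are
# representative strings, not copied from any specific browser build.
PROFILES = {
    'desktop-chrome': {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0',
                       'Accept-Language': 'en-US,en;q=0.9'},
    'mobile-safari':  {'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1',
                       'Accept-Language': 'en-US,en;q=0.9'},
    'curl':           {'User-Agent': 'curl/8.4.0', 'Accept-Language': '*'},
}

TITLE_RE = re.compile(r'<title[^>]*>(.*?)</title>', re.I | re.S)


def urllib_fetch(url, headers, timeout=10):
    """Real fetcher for live use: returns (status, body_bytes). Not used offline."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def fingerprint(status, body):
    """Reduce a response to (status, short body hash, title) for comparison."""
    m = TITLE_RE.search(body.decode('utf-8', 'replace'))
    return (status, hashlib.sha256(body).hexdigest()[:16], m.group(1).strip() if m else '')


def probe(fetch, url, profiles=PROFILES):
    """Fetch `url` once per client profile and return {profile: fingerprint}."""
    return {name: fingerprint(*fetch(url, headers)) for name, headers in profiles.items()}


def looks_cloaked(results):
    """True when the same URL returned materially different pages to different clients."""
    return len(set(results.values())) > 1


# Constructed stand-in for a cloaking server: a scanner-like client gets a 404,
# a phone gets a harmless page, a desktop browser gets the fake login portal.
def fake_cloaking_server(url, headers):
    ua = headers.get('User-Agent', '')
    if 'curl' in ua:
        return 404, b'<html><title>Not Found</title></html>'
    if 'iPhone' in ua:
        return 200, b'<html><title>Genuine Site</title><p>nothing to see</p></html>'
    return 200, b'<html><title>Partner Login</title><form action="/login">...</form></html>'


if __name__ == '__main__':
    results = probe(fake_cloaking_server, 'https://example.invalid/')
    for name, fp in results.items():
        print(name, fp)
    print('cloaked:', looks_cloaked(results))
```

Against a live URL, `probe(urllib_fetch, url)` does the same comparison; since the article notes that the cloaking also keys on IP address, running the probe from more than one network vantage point (and comparing the resulting fingerprints) closes the gap that user-agent variation alone leaves open.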

The attack infrastructure included a fake domain (extraknet-booking[.]com) and employed JavaScript obfuscation to hide malicious code. STUN binding requests and UDP hole punching were used to maintain persistent access. 

A critical component was an iFrame linked to hundreds of other phishing pages, which acted as a centralized hub for distributing malicious content.

This iFrame, pointing to httxxx://ls.cdn-gw-dv[.]vip/+dedge/zd/zd-service[.]html, allowed for centralized control, wide reach, and tracking of attack effectiveness. 

The phishing pages exhibited varied behaviors during testing, such as timeouts and 404 errors, which were achieved through RST injection.

The sophistication of the attack suggests a connection to the “Ninja” Trojan malware.

The primary goal appeared to be infecting hotel managers’ devices, likely as a precursor to exploiting Booking[.]com’s chat system for distributing malicious links to customers in a subsequent phase of the attack.
