Skip to content

Hackers Are Checking-In to Hotel Systems

Businessman making booking at front desk with Latin receptionists in hotel lobby

The hotel industry is being targeted by hackers who are calling hotels and taking advantage of their reputation for excellent customer service.

But if you think this story is just about the hotel industry, think again. It’s simply another twist on a scam from the hackers’ playbook…and it can affect businesses and individuals alike.

Armed with a believable story, a friendly voice and request for help, a group of bold hackers—masquerading as prospective hotel guests with reservation problems—are talking and luring representatives at hotel reservation-desks right into a trap.

Without hesitation and without reservation, the hackers are stealing hotels customer data. And hotels are unwittingly walking into the scam with both eyes open.

Checking in and checking things out.

The hotel scam isn’t an overly elaborate sting operation; it takes just one con artist, one victim and one email carrying dangerous malware (sent by the pretend hotel guest) to sway and dupe the hotel, booking representative.

But it has been working so well that security experts are warning businesses of all kinds to be aware of this latest brand of scam from a well-known hacker group known in cyber security circles.

The hotel scam has a unique process to it: it starts with a phone call from the hacker and ends with malware stealing customer credit card information and more.

The phone call

A well-spoken hacker with excellent English calls the hotel customer service phone number to discuss a problem confirming a reservation. (The language reference is significant because the hackers are often not in the United States.)

The caller asks for help. They say they’re not able to access the online reservation system to book a room for an upcoming stay. They’ve tried and tried, they explain, and finally decided to call for help.

You can imagine the response from the service rep: “Of course. I’d be glad to assist you.”

The email

The con-man offers to provide some information that might help: Details of their customer account and reservation number. They say they can send it to the Agent in an email. All they need is an email address to send it to.

“I can get that for you,” the helpful Representative offers.

The hackers are very persistent, according to a security expert familiar with the hack. “They’ll stay on the line with the customer service rep until they open up the attachment,” he said.

The malware launch

With address in hand, the hacker sends their email to the customer service agent, and it includes the attached document that contains the supposed reservation information.

Unfortunately, it contains something else: malware, which is the hacker’s malicious software program that, once activated, will find its way to sensitive information. The malware is loosed on the system when the hotel rep opens the document online and clicks on link that carries the payload.

The devastating attack

Once the malware is installed, it can download other malicious tools to tamper with the rest of a business’s network. The goal of the attack is to record credit card numbers from point-of-sale machines or e-commerce payment processes, investigators say. The hack has been used against restaurant chains as well.

The malware being launched is sophisticated and meant to do a specific task and do it thoroughly—to invade systems and networks, take screenshots from the desktop, to find and obtain passwords and email addresses, and to scan the network to gauge its vulnerability. Once in place, the malware is able capture every credit card transaction that passes through the network and steal the data it wants. For a large-size restaurant chain, for example, that could affect as many as one million customers over time.

The imposters

The hotel hack is believed to be the work of the same online gang of thieves who last year, evidently lifted as much as $1 billion from a handful of banks. This time around they focused on stealing consumer credit card data and information. They left their digital “fingerprints” by using similarly coded malware that was used in previous attacks on other companies, according to an incident-response director for a large security firm.

The hackers are smooth, convincing and even friendly. They also seem to be using LinkedIn, the online business connection network, to dig up information on targeted companies and to learn the name of hotel-chain managers, which they’ll drop into conversation. Those details add to the credibility of the call, and maybe even cause the hotel employ to worry that a supervisor might receive a customer complaint.

Lesson, relearned.

The hotel scam is another twist on “phishing” in which thieves use a convincing story and create an opportunity to hook a victim. In the hotel scam case, there was no need for the hotel staff to open the attachment. The customer could have simply read any reservation numbers to the hotel representative. The advice for those in business is the same as it is for all of us: If someone you don’t know sends an email with an attachment, DO NOT OPEN IT.

Related Articles

Related Articles

  • All
  • Easy Prey Podcast
  • General Topics
  • Home Computing
  • IP Addresses
  • Networking
  • Online Privacy
  • Online Safety
Image of a man standing next to a huge brain

Here’s How to Choose a VPN: Don’t Overthink It and It’ll Be Fine

We're not all IT (internet technology) types, but don't tell that to VPN review sites! They make...

[Read More]

Email Scams 101: How To De-Code Sketchy Emails

Why are they dangerous? Because most, if not all, of our accounts, are tied to our email….

[Read More]
Scammers are Everywhere! Who You Gonna Call?

SCAM PREVENTION: Call a Good Friend BEFORE You Get Scammed!

Make someone in the family the point-person to stop a scam in progress. Scam prevention tactics are…

[Read More]

How a Scam Works: It’s All in the Formula and You’re an Ingredient.

A scam works (for the con artist) when all the elements come together just right.

[Read More]
Scam Savy

Avoid a Scam and Stay Safe With these 8 Simple Tricks

Scammers have a bag of tricks to try to separate you from your money. However, you can...

[Read More]
Cyber Crime

The Top Scams Aren’t Going Away Anytime Soon

Some aren't only victims of scams, there also victims of circumstance. They may lose their job and...

[Read More]