Cybercriminals will take advantage of any situation that separates people from their money. And what better way than to purport to be a reputable hotel and take reservations?
The recent example in Turkey covered below demonstrates how far cybercriminals are willing to go to set up their scam.
In this newest scam, fake hotel websites are set up (in some cases even copying a hotel's entire website!) using as many as 50 domain names similar to the hotel's brand name. These scammers are so good at what they do that, in many cases, their fake websites ranked higher in organic search results than the real hotel's website.
Travelers book and pay for their travel, and only find out when they show up at the hotel, which has no record of the traveler, let alone a reservation.
To make matters worse, in one case, when the scammers were contacted by one of the hotels, a “ransom” of $100K in bitcoin was demanded in order to take down the 50 fake websites.
This example of scamming mirrors the steps being taken with phishing attacks: the hotel scammers went to tremendous lengths to create realistic-looking websites that establish them as the real hotel. The most successful phishing scams are run by cybercriminal organizations that put a material amount of effort into email content, selecting the email recipients, and timing the email, all to establish credibility so the recipient opens the malicious attachment or link without hesitation.
The hotel scam also mirrors phishing scams focused on harvesting online credentials for services such as Office 365, whose success hinges on how realistic the domain name and the login page look.
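Both the hotel scam and credential phishing depend on domain names that read like the brand at a glance. The following added example, not part of the original post, shows the kind of lookalike-domain check a defender can run over newly registered or newly observed domains: it normalizes common character substitutions, strips separators, and flags a domain when the brand is embedded in it or a label is within a small edit distance of it. The brand `grandhotel`, the legitimate domain `grandhotel.example`, the substitution tables and the candidate list are constructed placeholders.

```python
"""Flag domains that look like a brand's legitimate domain.

Added example, not code from the original post. The brand, legitimate domain,
candidate domains and substitution tables are constructed for illustration.
"""
import re

# Single-character substitutions often used in lookalike domains
# (assumption: a small illustrative table, not an exhaustive one).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
              "@": "a", "$": "s"}
# Two-character sequences that resemble one letter (same caveat as above).
MULTI_CHAR = {"rn": "m", "vv": "w"}

# Constructed placeholders for the brand being protected.
BRAND = "grandhotel"
LEGIT_DOMAIN = "grandhotel.example"

# Constructed candidate list, e.g. from a newly-registered-domains feed.
CANDIDATES = [
    "grandhotel.example",            # the real site
    "www.grandhotel.example",        # real site, www host
    "grandh0tel.example",            # digit zero for letter o
    "grand-hotel-booking.example",   # brand plus extra words
    "www.gramdhotel.example",        # one-letter typo
    "grandhote1s.example",           # digit one for letter l, plural
    "grandhotel.example.test",       # brand used as a subdomain elsewhere
    "hotels.example",                # generic, not the brand
    "bank.example",                  # unrelated
]


def normalize(label: str) -> str:
    """Lower-case, undo common substitutions, drop separators and punctuation."""
    label = label.lower()
    for seq, letter in MULTI_CHAR.items():
        label = label.replace(seq, letter)
    label = "".join(HOMOGLYPHS.get(c, c) for c in label)
    return re.sub(r"[^a-z0-9]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_labels(domain: str) -> list:
    """All labels except the last (the TLD). Simplification: no public
    suffix list is consulted, so 'co.uk'-style suffixes keep their 'co'."""
    parts = domain.split(".")
    return parts[:-1] if len(parts) > 1 else parts


def classify(candidate: str, brand: str, legit_domain: str,
             max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one domain."""
    cand = candidate.lower().rstrip(".")
    legit = legit_domain.lower()
    if cand == legit or cand.endswith("." + legit):
        return "legitimate"
    labels = host_labels(cand)
    brand_n = normalize(brand)
    # Brand embedded anywhere in the host part (with extra words, hyphens,
    # or as a subdomain of an attacker-controlled domain).
    if brand_n in normalize("".join(labels)):
        return "lookalike"
    # Any single label that is a near-miss typo of the brand. For very
    # short brands this and the substring test above will over-match.
    if any(levenshtein(normalize(l), brand_n) <= max_distance for l in labels):
        return "lookalike"
    return "unrelated"


def scan(candidates: list, brand: str, legit_domain: str) -> dict:
    """Classify every candidate; returns {domain: verdict}."""
    return {d: classify(d, brand, legit_domain) for d in candidates}


if __name__ == "__main__":
    for domain, verdict in scan(CANDIDATES, BRAND, LEGIT_DOMAIN).items():
        print(f"{verdict:10s} {domain}")
```

A verdict of "lookalike" is a lead for a takedown request or a block-list entry, not proof of fraud on its own: legitimate resellers and regional sites also embed brand names, so a human review step belongs between this check and any action. Lowering `max_distance` or requiring the brand substring only on the registrable label tightens it for short brand names.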
The cybercriminals are getting better at their craft. Your greatest defense is elevating your users' understanding of possible threats and attacks, as well as their attentiveness to specific details when surfing the web and interacting with email. Security Awareness Training is the key to achieving more security-minded employees who won't fall for these kinds of scams.