BIGFISH TECHNOLOGY LIMITED
20 September 2024

Attention, Travelers! Beware of Booking.com-themed phishing attacks.

Phishing attacks are social engineering scams in which attackers deceive victims into disclosing sensitive information.

In phishing assaults, attackers frequently mimic trusted agencies such as banks or businesses in emails, messages, or phone calls to fool victims into clicking harmful links or attachments.

OSINTMATTER's cybersecurity researchers recently advised tourists about Booking[.]com-themed phishing attacks.


Booking.com Themed Phishing Attacks

A sophisticated phishing campaign targets Booking[.]com by taking over hotel managers' accounts and then using them to defraud the hotels' customers.

The threat actor uses a lookalike domain (extraknet-booking[.]com) to impersonate the legitimate "extranet-booking.com".

The phishing pages' JavaScript is obfuscated with parseInt-based string encoding, and the decoded strings include Cyrillic text ("загруженo", meaning "loaded"), which may indicate a Russian-speaking origin.

Researchers have cautioned that the assault uses SEO poisoning to improve malicious site rankings in search results.

Notably, 238 STUN (Session Traversal Utilities for NAT) binding requests were observed going to non-standard high ports, which the researchers assess as data exfiltration or communication with compromised systems.

The campaign has been linked to the Ninja Trojan, a complex piece of malware that evades detection by loading itself into memory. Dozens of other sites were also found using the phishing site's scripts.

The operation also employs "UDP hole punching", a technique that traverses NAT firewalls and thereby exposes the target's internal network.

This advanced strategy combines a number of technical factors to produce a highly effective and dynamic threat.

The phishing attack on Booking[.]com used several techniques to avoid detection while maximizing its impact.

At its core, the assault used dynamic cloaking, allowing the attackers to display a malicious fake portal, the legitimate Booking[.]com website, or error pages based on criteria such as IP address and browser settings.

The attack infrastructure relied on the lookalike domain (extraknet-booking[.]com) and JavaScript obfuscation to conceal malicious code, while STUN binding requests and UDP hole punching were used to maintain persistent access.
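As an added, defensive illustration of the STUN indicator described above (this is not code from the original article or from OSINTMATTER), the following Python flags STUN Binding Requests sent to ports other than the standard STUN ports. The flow records and addresses are constructed sample data; extracting UDP payloads from a real capture is assumed to happen elsewhere.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
STUN_STANDARD_PORTS = {3478, 5349}   # IANA-assigned STUN / STUNS ports

def is_stun_binding_request(payload: bytes) -> bool:
    """True if the UDP payload starts with a well-formed STUN Binding Request header (RFC 5389)."""
    if len(payload) < 20:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    if msg_type & 0xC000:            # top two bits of the STUN type field are always zero
        return False
    if cookie != STUN_MAGIC_COOKIE:  # distinguishes STUN from other traffic on the same port
        return False
    if len(payload) - 20 < msg_len:  # declared attribute length must fit in the datagram
        return False
    return msg_type == STUN_BINDING_REQUEST

def find_nonstandard_stun(flows):
    """Return (dst_ip, dst_port, transaction_id) for Binding Requests sent to non-standard ports.

    flows: iterable of (dst_ip, dst_port, udp_payload) tuples, e.g. reconstructed from a pcap.
    """
    hits = []
    for dst_ip, dst_port, payload in flows:
        if is_stun_binding_request(payload) and dst_port not in STUN_STANDARD_PORTS:
            hits.append((dst_ip, dst_port, payload[8:20].hex()))
    return hits

def build_binding_request(transaction_id: bytes) -> bytes:
    """Construct a minimal Binding Request (no attributes); used only for the sample data below."""
    assert len(transaction_id) == 12
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id

# Constructed sample traffic (TEST-NET addresses), not captured data from the campaign.
SAMPLE_FLOWS = [
    ("203.0.113.10", 3478, build_binding_request(b"\x01" * 12)),       # legitimate STUN, standard port
    ("203.0.113.22", 58231, build_binding_request(b"\x02" * 12)),      # Binding Request to a high port
    ("203.0.113.22", 61004, build_binding_request(b"\x03" * 12)),      # another one, same host
    ("203.0.113.5", 60000, b"GET / HTTP/1.1\r\n\r\n"),                  # not STUN
    ("203.0.113.7", 55555, b"\x00\x01\x00\x00" + b"\x00" * 16),        # STUN-shaped but wrong cookie
]

if __name__ == "__main__":
    for ip, port, tid in find_nonstandard_stun(SAMPLE_FLOWS):
        print(f"STUN Binding Request to non-standard port {ip}:{port} (txid {tid})")
```

A single hit is not proof of compromise (some WebRTC services use non-standard STUN ports), but repeated Binding Requests from one host to high ports that no known service owns are worth correlating with the lookalike-domain and iFrame indicators on this page.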

An iFrame linked to hundreds of other phishing pages served as a central distribution point for malicious content.

This iFrame, which pointed to httxxx://ls.cdn-gw-dv[.]vip/+dedge/zd/zd-service[.]html, gave the attackers centralized control, broad reach, and a way to track the campaign's effectiveness.

During testing, the phishing pages exhibited a variety of behaviors, including timeouts and 404 errors caused by RST injection.

The sophistication of the attack points to a link with the "Ninja" Trojan.

The primary goal appeared to be infecting hotel managers' devices, most likely as a prelude to using Booking[.]com's chat system to distribute malicious links to consumers in a later phase of the operation.


Source: Cyber Security News