Cybercriminals Leverage Hijacked Accounts for Phishing

I recently heard about a wave of scams exploiting users. So I went and researched it for myself. I came across a post on the r/travel subreddit about such an incident. [1]

The user received a seemingly authentic message with a URL via's app. They provided their credit card information and said that “within mere minutes of this, an attempt was made to use [their] credit card for an online purchase.”

As others pointed out on Reddit, the most likely scenario here is that the hotel's account with has been compromised, or the hotel's own email account was compromised.

I then looked up the phishing site sent via the in-app messaging system in VirusTotal to find the IP address and checked that in URLscan. As I imagined, the offending IP address had a bunch of other phishing domains that resolved to it. This revealed a widespread campaign. [2, 3]
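The pivot described above (phishing URL, then its resolved IP, then every other domain sharing that IP) can be reproduced offline against an exported set of resolutions. The following is an added example, not code from the original post; the domain and IP records are constructed sample data standing in for a VirusTotal/URLscan export, and the helper names are my own.

```python
"""Pivot from one phishing URL to co-hosted domains using passive-DNS style
(domain, ip) records, the way the post pivots from VirusTotal to URLscan.
Constructed sample data only; no live lookups are performed."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed records in the shape of a passive-DNS/URLscan export: (domain, ip).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_RESOLUTIONS = [
    ("guest-payment-verify.example", "203.0.113.10"),
    ("secure-booking-confirm.example", "203.0.113.10"),
    ("reservation-check.example", "203.0.113.10"),
    ("cdn.legit-static.example", "198.51.100.7"),
]


def index_by_ip(resolutions):
    """Build ip -> set(domains) so every shared host can be looked up once."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain.lower())
    return by_ip


def pivot_on_host(url, resolutions):
    """Return (ip, sorted co-hosted domains) for the host in a phishing URL.

    Returns (None, []) when the host has no recorded resolution."""
    host = urlparse(url).hostname
    if host is None:
        return None, []
    host = host.lower()
    for ip, domains in index_by_ip(resolutions).items():
        if host in domains:
            return ip, sorted(domains - {host})
    return None, []


def defang(indicator):
    """Render a domain/IP as a non-clickable IOC for sharing (1.2.3.4 -> 1.2.3[.]4)."""
    head, sep, tail = indicator.rpartition(".")
    return f"{head}[.]{tail}" if sep else indicator


if __name__ == "__main__":
    ip, siblings = pivot_on_host("https://guest-payment-verify.example/pay", SAMPLE_RESOLUTIONS)
    print("hosting IP:", defang(ip))
    for d in siblings:
        print("co-hosted:", defang(d))
```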

Further research on this topic led me to a recent Secureworks blog about threat actors taking it to the next level by stealing hotel admin credentials using a well-known infostealer malware called Vidar. My colleague Tas also recently wrote a blog for Curated Intel on this topic. Other open-source blogs have covered these campaigns in depth as well. [4, 5, 6]

Unfortunately, this seems like a highly successful online scam. It leverages an in-app communications channel and takes advantage of poor security practices by small businesses to exploit the business-to-customer (B2C) relationship. And unfortunately, if does not address this issue directly, customers may avoid them in favour of safer experiences.

Indicators of Compromise (IOCs):