Secureworks – CyberSecurity Confabulation

A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We’ll also explore an array of cybercrime services aimed at phishers who target hotels that rely on the world’s most visited travel website.

According to the market share website statista.com, booking.com is by far the Internet’s busiest travel service, with nearly 550 million visits in September. KrebsOnSecurity last week heard from a reader whose close friend received a targeted phishing message via SMS within minutes of making a reservation at a California hotel via booking.com.

The missive bore the name of the hotel and referenced details from their reservation, claiming that booking.com’s anti-fraud system required additional information about the customer before the reservation could be finalized.

The phishing SMS our reader’s friend received after making a reservation at booking.com in late October.

In an email to KrebsOnSecurity, booking.com confirmed one of its partners had suffered a security incident that allowed unauthorized access to customer booking information.

“Our security teams are currently investigating the incident you mentioned and can confirm that it was indeed a phishing attack targeting one of our accommodation partners, which unfortunately is not a new situation and quite common across industries,” booking.com replied. “Importantly, we want to clarify that there has been no compromise of Booking.com’s internal systems.”

The phony booking.com website generated by visiting the link in the text message.

Booking.com said it now requires 2FA, which forces partners to provide a one-time passcode from a mobile authentication app (Pulse) in addition to a username and password.

“2FA is required and enforced, including for partners to access payment details from customers securely,” a booking.com spokesperson wrote. “That’s why the cybercriminals follow-up with messages to try and get customers to make payments outside of our platform.”

“That said, the phishing attacks stem from partners’ machines being compromised with malware, which has enabled them to also gain access to the partners’ accounts and to send the messages that your reader has flagged,” they continued.

It’s unclear, however, if the company’s 2FA requirement is enforced for all or just newer partners. Booking.com did not respond to questions about that, and its current account security advice urges customers to enable 2FA.

A scan of social media networks showed this is not an uncommon scam.

In November 2023, the security firm SecureWorks detailed how scammers targeted booking.com hospitality partners with data-stealing malware. SecureWorks said these attacks had been going on since at least March 2023.

“The hotel did not enable multi-factor authentication (MFA) on its Booking.com access, so logging into the account with the stolen credentials was easy,” SecureWorks said of the booking.com partner it investigated.

In June 2024, booking.com told the BBC that phishing attacks targeting travelers had increased 900 percent, and that thieves taking advantage of new artificial intelligence (AI) tools were the primary driver of this trend.

Booking.com told the BCC the company had started using AI to fight AI-based phishing attacks. Booking.com’s statement said their investments in that arena “blocked 85 million fraudulent reservations over more than 1.5 million phishing attempts in 2023.”

The domain name in the phony booking.com website sent via SMS to our reader’s friend — guestssecureverification[.]com — was registered to the email address ilotirabec207@gmail.com. According to DomainTools.com, this email address was used to register more than 700 other phishing domains in the past month alone.

Many of the 700+ domains appear to target hospitality companies, including platforms like booking.com and Airbnb. Others seem crafted to phish users of Shopify, Steam, and a variety of financial platforms. A full, defanged list of domains is available here.

A cursory review of recent posts across dozens of cybercrime forums monitored by the security firm Intel 471 shows there is a great demand for compromised booking.com accounts belonging to hotels and other partners.

One post last month on the Russian-language hacking forum BHF offered up to $5,000 for each hotel account. This seller claims to help people monetize hacked booking.com partners, apparently by using the stolen credentials to set up fraudulent listings.

A service advertised on the English-language crime community BreachForums in October courts phishers who may need help with certain aspects of their phishing campaigns targeting booking.com partners. Those include more than two million hotel email addresses, and services designed to help phishers organize large volumes of phished records. Customers can interact with the service via an automated Telegram bot.

Some cybercriminals appear to have used compromised booking.com accounts to power their own travel agencies catering to fellow scammers, with up to 50 percent discounts on hotel reservations through booking.com. Others are selling ready-to-use “config” files designed to make it simple to conduct automated login attempts against booking.com administrator accounts.

SecureWorks found the phishers targeting booking.com partner hotels used malware to steal credentials. But today’s thieves can just as easily just visit crime bazaars online and purchase stolen credentials to cloud services that do not enforce 2FA for all accounts.

That is exactly what transpired over the past year with many customers of the cloud data storage giant Snowflake. In late 2023, cybercriminals figured out that while tons of companies had stashed enormous amounts of customer data at Snowflake, many of those customer accounts were not protected by 2FA.

Snowflake responded by making 2FA mandatory for all new customers. But that change came only after thieves used stolen credentials to siphon data from 160 companies — including AT&T, Lending Tree and TicketMaster.

In a significant development within the cybersecurity sector, two major players, Sophos and Secureworks, are poised to enter into a pivotal agreement. Sophos, a leading cybersecurity firm, plans to acquire Secureworks for an impressive transaction value of $859 million. This acquisition is being facilitated through investment funding arranged by Thoma Bravo, the parent company of Sophos. Under the terms of the deal, each shareholder of Secureworks will receive $8.39 per share, all in cash. Notably, this includes a substantial number of shares held by customers of Dell Technologies, which has been a significant stakeholder in Secureworks.

On October 20, 2024, additional details about the acquisition were disclosed through a Form 8-K filed by Secureworks with the U.S. Securities and Exchange Commission. The completion of the deal is anticipated early next year, marking a significant step in the ongoing consolidation within the cybersecurity industry.

The strategic integration of Secureworks’ technology into Sophos’ offerings is expected to enhance its portfolio of security products, particularly aimed at serving enterprise customers. This merger not only aims to strengthen Sophos’ technological capabilities but also to expand its market presence on a global scale, positioning the company to better compete in an increasingly competitive cybersecurity landscape.

Interestingly, this acquisition has garnered considerable attention on social media platforms, particularly Reddit, where speculation arose regarding the validity of the deal. Some users suggested that the news may have been a form of disinformation orchestrated by a competing security firm from the Middle East, which has been facing stiff competition from American firms. However, the narrative was clarified when a British firm confirmed the acquisition news in the last week of September 2024, revealing that Dell, the majority stakeholder of Secureworks, was indeed planning to divest a substantial portion of its shares.

Looking back at the history of Secureworks, it’s important to note that Dell Technologies initially acquired the company in 2011 and subsequently took it public in 2016. Over the years, Secureworks has made several attempts to sell a major stake, notably in 2019, but these efforts were thwarted by various challenges, including the global business downturn caused by the COVID-19 pandemic.

For those unfamiliar with Secureworks’ recent achievements, the company has been at the forefront of cybersecurity intelligence. Notably, it uncovered a sophisticated espionage operation in which a North Korean hacking group trained an individual to infiltrate a multinational corporation based in the West. This operation aimed to extract sensitive information from the targeted business, highlighting the critical role that Secureworks plays in identifying and mitigating cybersecurity threats on a global scale.

In conclusion, the impending acquisition of Secureworks by Sophos represents a notable shift in the cybersecurity landscape, with the potential to reshape market dynamics and enhance technological capabilities in the face of evolving threats.

The post Sophos to acquire Secureworks appeared first on Cybersecurity Insiders.