How the guests of a hotel were scammed

Recently, Unlock Security was hired to look into repeated fraud attempts against the guests of a hotel.

After booking their stay on booking.com, the guests were contacted via WhatsApp with written and voice messages from someone who, claiming payment issues, requested a wire transfer to an IBAN different from the hotel's. To make the payment request plausible, the scammer provided a PDF containing all the actual reservation details.

At first, we assumed that these details had come from the usual sources: a data breach involving the login credentials, an infostealer installed on the back-office workstation, e-mail forwarding rules, webhooks on the booking systems, and so on.

However, something felt wrong. The back-office workstation had apparently been formatted; the hotel had not been the target of any phishing attempt; all the passwords had been changed and 2FA had been enabled; several technicians had already been involved in investigating the matter. Everything seemed fine, yet after every new reservation the guests were still contacted and swindled with convincing documents containing all the data they had just entered in the booking.

Analyzing the incident

First, two oddities

Our investigation starts with a short chat with the director and some of the employees. The strangest part was yet to come.

At 3 A.M. on December 23rd, the night concierge noticed a light coming from the room that hosts the back office. He got closer and saw the mouse moving by itself and working on the computer. In true hacker-movie style, he decided that the best thing he could do was to turn the computer off, and reported the incident to the director the next morning.

The following day, someone called the reception, introducing themselves as a support technician for the hotel's PMS and asking to confirm the availability of some rooms. That's right: no request for credentials, no request to run any operation on the PMS or on the workstation. Just a request to confirm the room availability status.

Analyzing the document sent to the guests

Thanks to some guests who became suspicious and reported the fraud attempt to the hotel, we obtained several samples of the document used to stage the scam.

The reservation details reported on all the documents are correct: first and last name, the number and type of rooms booked and the dates of the stay, the price set by the hotel, the number of guests, the credit card used and, where special requests were made, even the notes added by the guest.

The document is unmistakably authentic. But if all the PMS credentials have been changed, how can the scammer possibly still have access to this information, or to the feature that generates such a document?

The answer lies in the link at the bottom of the document. The query string selects the reservation by its ID (idpreno, i.e. reservation ID) and, judging by the creditcard=1 parameter, asks for the card details to be included in the printout:

https://channelmanager.evols.it/channel/PrintReservation?creditcard=1&idpreno={ID_PRENOTAZIONE}

The Figaro PMS

The URL points to an old Property Management System called “Figaro” from Readytec s.p.a., used by the hotel before migrating to the new system “Hotel in Cloud” from TeamSystem s.p.a.

Figaro management platform

Doing some research, we find out that the company that developed Figaro has partnered with Team System, which suggests that the old PMS is being migrated to the new one. It is therefore reasonable to assume that the old PMS is still hooked to the same database used by "Hotel in Cloud", meaning that both systems operate on the same reservation data.

Most likely, access to this portal is enough to obtain the guests' reservation details and to generate the document used in the fraud.

The login credentials held by the hotel are no longer valid. We therefore assume that the scammer accessed the system and changed the credentials, both to keep logging in and to lock the hotel staff out. Since the "Figaro" PMS had not been used for about a year, nobody noticed that the credentials had been changed.

Analyzing the back-office workstation

We have now clearly identified where the reservation details were coming from. But how did the scammer gain access to Figaro?

Our first hypothesis, a data breach involving the hotel, yields nothing. We therefore keep looking at all the possible ways of reaching the booking management systems from the back-office workstation.

We soon notice credentials saved in the browser for dozens of services, including Figaro.

Given the night-time access to the workstation and the credentials saved in the browser, our analysis now focuses on finding evidence of access and data exfiltration, and... in the mail trash folder, we find an e-mail sent to a private Gmail address with no subject and no body text, containing just one attachment: credenziali.csv (i.e. credentials.csv).

Credential exfiltration via e-mail

Checking the file contents, it is clearly an export of the credentials saved in the browser. Moreover, the e-mail was sent at 03:25 AM on the same day the concierge reported the night-time access.
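The two facts that gave this e-mail away, an empty message to a personal webmail address carrying a CSV that matches a browser password export, are exactly what a triage script can look for across a mailbox. The following is an added example written for this page, not code from Unlock Security or from the incident: it scans a list of sent messages (constructed in-line here, including a fake credentials CSV; the sample logins are not real) and reports those hitting at least two indicators. The header signatures for Chrome/Edge ("name,url,username,password") and Firefox (a header starting with "url","username","password") are general background knowledge about those browsers' export features, not something stated on this page.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Tuple

# Personal webmail domains: a sent message to one of these from a back-office
# mailbox is not proof of anything, but it is worth a second look.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "protonmail.com"}


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class SentMessage:
    sent_at: datetime
    to: str
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def is_browser_password_export(data: bytes) -> bool:
    """True if the first CSV row looks like a browser 'export passwords' header.

    Chrome/Edge write 'name,url,username,password'; Firefox writes a quoted
    header beginning with url,username,password (background knowledge, assumed).
    Any header that carries all three of url/username/password is treated as one.
    """
    try:
        text = data.decode("utf-8-sig")  # Chrome prefixes a BOM on Windows
    except UnicodeDecodeError:
        return False
    header = next(csv.reader(io.StringIO(text)), None)
    if not header:
        return False
    cols = {c.strip().lower() for c in header}
    return {"url", "username", "password"} <= cols


def exfil_reasons(msg: SentMessage, night=(22, 6)) -> List[str]:
    """Return the indicators a single sent message triggers (empty = nothing odd)."""
    reasons = []
    domain = msg.to.rsplit("@", 1)[-1].lower()
    if domain in WEBMAIL_DOMAINS:
        reasons.append(f"recipient at personal webmail domain {domain}")
    if not msg.subject.strip() and not msg.body.strip():
        reasons.append("empty subject and body")
    start, end = night
    if msg.sent_at.hour >= start or msg.sent_at.hour < end:
        reasons.append(f"sent at {msg.sent_at:%H:%M}, outside working hours")
    for att in msg.attachments:
        if att.filename.lower().endswith(".csv") and is_browser_password_export(att.content):
            reasons.append(f"attachment {att.filename} is a browser password export")
    return reasons


def find_exfiltration(messages: List[SentMessage]) -> List[Tuple[SentMessage, List[str]]]:
    """Messages hitting two or more indicators, with the reasons, for manual review."""
    hits = []
    for m in messages:
        r = exfil_reasons(m)
        if len(r) >= 2:
            hits.append((m, r))
    return hits


# Constructed sample data (not from the incident): a Chrome-style export with
# made-up logins, plus two benign messages that must not be flagged.
CHROME_EXPORT = (
    b"\xef\xbb\xbfname,url,username,password\r\n"
    b"Figaro,https://channelmanager.evols.it/,backoffice-user,NotARealPassword1\r\n"
    b"Booking,https://admin.booking.com/,hotel-admin,NotARealPassword2\r\n"
)

SAMPLE_SENT = [
    SentMessage(datetime(2022, 12, 23, 3, 25), "someone@gmail.com", "", "",
                [Attachment("credenziali.csv", CHROME_EXPORT)]),
    SentMessage(datetime(2022, 12, 22, 11, 10), "guest@gmail.com",
                "Your reservation", "Dear guest, we confirm your stay.", []),
    SentMessage(datetime(2022, 12, 22, 16, 0), "accounting@hotel.example", "", "",
                [Attachment("prices.csv", b"room,price\r\nDouble,120\r\n")]),
]

if __name__ == "__main__":
    for msg, reasons in find_exfiltration(SAMPLE_SENT):
        print(f"{msg.sent_at:%Y-%m-%d %H:%M} -> {msg.to}")
        for r in reasons:
            print("   -", r)
```

Running it prints only the 03:25 message to the Gmail address with all four indicators; the guest confirmation (webmail recipient only) and the internal price list (empty subject only) each score one and stay out of the report. On a real case the messages would be loaded from the mail client's sent and trash folders, and the trash folder must be included, since that is where this one was found.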

Analyzing further

Searching for the e-mail address used by the attacker to exfiltrate the credentials, Google returns a match on the website of another hotel in the same area.

When we open that hotel's website, the e-mail address is no longer there. Google's cached copy, however, shows the previous version of the site, and its landing page clearly lists the e-mail address used to carry out the attack.

After ruling out unfair competition, we continue our analysis. We eventually find out that the hotel website was built with the service of a third-party company, and that employees' credentials for that service are available online in plain text.

We can therefore assume that the scammers used these credentials to access the control panel of the hotel website, insert their own e-mail address and lead the guests to contact them instead of the hotel.

Reconstructing the attack

Based on the collected evidence, we can outline the following hypothesis on how the attack, and the resulting scam against the hotel guests, was carried out:

  1. The hotel requested remote technical support for the back-office workstation, performed via TeamViewer.
  2. During the remote session, and without any authorization from the hotel, the technician configured TeamViewer to allow unattended remote access without confirmation.
  3. The scammer then made an unauthorized remote access on the night of December 23rd, 2022.
  4. During that access, several credentials saved in the browser, including those for logging in to the "Figaro" PMS, were exported and exfiltrated via e-mail.
  5. The scammer accessed the "Figaro" PMS and changed the login credentials.
  6. The scammer called the hotel to confirm that the details visible in that system were correct and up to date with respect to those in the "Hotel in Cloud" PMS.
  7. The scammer started receiving the guests' bookings and using their data to contact them on WhatsApp, at the phone number provided with the reservation.
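Steps 2 to 4 of this reconstruction are the kind of thing TeamViewer's own connection log can confirm or refute. As an added example (not part of the original report, and not what Unlock Security ran on the workstation), the script below parses the tab-separated Connections_incoming.txt that TeamViewer keeps in its program directory on Windows, then flags sessions that start outside office hours, sessions active at the moment the credentials were e-mailed, and sessions from TeamViewer IDs that are not the known support vendor's. The column layout (remote ID, remote display name, start, end, local user, connection type, connection ID, with dd-mm-yyyy hh:mm:ss timestamps) is the layout commonly documented in DFIR references and should be checked against the installed version; the log lines, IDs and timestamps here are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set

# Timestamp format used in Connections_incoming.txt (assumed, verify on your version).
TV_TIME = "%d-%m-%Y %H:%M:%S"


@dataclass
class IncomingSession:
    remote_id: str      # TeamViewer ID of the connecting side
    remote_name: str    # display name the remote side presented
    start: datetime
    end: datetime
    local_user: str     # Windows account logged in on the workstation
    conn_type: str      # e.g. RemoteControl, FileTransfer
    conn_id: str


def parse_connections_incoming(text: str) -> List[IncomingSession]:
    """Parse the 7-column tab-separated log; malformed lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != 7:
            continue
        rid, name, start, end, user, ctype, cid = parts
        sessions.append(IncomingSession(
            rid, name,
            datetime.strptime(start, TV_TIME), datetime.strptime(end, TV_TIME),
            user, ctype, cid,
        ))
    return sessions


def off_hours_sessions(sessions: Iterable[IncomingSession],
                       open_hour: int = 7, close_hour: int = 22) -> List[IncomingSession]:
    """Sessions that begin before the office opens or after it closes."""
    return [s for s in sessions if s.start.hour < open_hour or s.start.hour >= close_hour]


def sessions_covering(sessions: Iterable[IncomingSession], moment: datetime,
                      slack: timedelta = timedelta(minutes=5)) -> List[IncomingSession]:
    """Sessions active at `moment`, with a little slack for clock differences."""
    return [s for s in sessions if s.start - slack <= moment <= s.end + slack]


def unknown_remote_ids(sessions: Iterable[IncomingSession],
                       known_ids: Set[str]) -> List[IncomingSession]:
    """Sessions from TeamViewer IDs that are not the vendor's known support machines."""
    return [s for s in sessions if s.remote_id not in known_ids]


# Constructed sample log (not the real file): two daytime support sessions from
# the vendor's machine, then one night session from an unknown ID.
SAMPLE_LOG = "\n".join([
    "111111111\tSUPPORT-PC\t15-12-2022 10:02:11\t15-12-2022 10:41:30\tbackoffice\tRemoteControl\t{c0ffee00-0000-0000-0000-000000000001}",
    "111111111\tSUPPORT-PC\t20-12-2022 15:30:00\t20-12-2022 15:48:12\tbackoffice\tRemoteControl\t{c0ffee00-0000-0000-0000-000000000002}",
    "222222222\tDESKTOP-9Q2\t23-12-2022 02:58:40\t23-12-2022 03:31:05\tbackoffice\tRemoteControl\t{c0ffee00-0000-0000-0000-000000000003}",
    "this line is truncated\tand must not abort parsing",
])

KNOWN_SUPPORT_IDS = {"111111111"}           # assumed: the vendor's TeamViewer ID
EXFIL_TIME = datetime(2022, 12, 23, 3, 25)   # when credenziali.csv was e-mailed

if __name__ == "__main__":
    sessions = parse_connections_incoming(SAMPLE_LOG)
    for label, hits in [
        ("off-hours", off_hours_sessions(sessions)),
        ("active at exfiltration time", sessions_covering(sessions, EXFIL_TIME)),
        ("unknown remote ID", unknown_remote_ids(sessions, KNOWN_SUPPORT_IDS)),
    ]:
        for s in hits:
            print(f"[{label}] {s.remote_id} ({s.remote_name}) "
                  f"{s.start:%Y-%m-%d %H:%M:%S} - {s.end:%H:%M:%S} as {s.local_user}")
```

On the constructed log all three checks converge on the same 02:58 session from the unknown ID, which is the correlation one would want before writing "unauthorized remote access" into a report. Two caveats: the file only records what the local client logged, so an attacker with control of the machine can delete it, and it does not by itself show how unattended access was enabled; that has to come from the client's settings or from the vendor's account records.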

Conclusions

After just 12 hours of investigation on the hotel workstations, we were able to identify the origin of the problem and to apply a fast and effective remediation for an issue that had been tormenting the hotel and its guests for about two months.

Both the technical support teams of Team System and Figaro were informed of the results of the analysis led by Unlock Security, and promptly applied the suggested remediation procedures by disabling the account on the Figaro PMS.

Disabled user on the Figaro PMS

The hotel was informed of the legal obligations arising from the GDPR (Articles 33 and 34, on notifying a personal data breach to the supervisory authority and to the data subjects) in the case of unauthorized access to computer or information systems (Article 615 ter of the Italian Penal Code).

Finally, following this incident, the hotel properly secured all its workstations and trained the staff to minimize future risks.

Francesco Marano
Founder | Cyber Security Consultant
www.unlock-security.it

I'm an offensive cyber security expert with several years of experience as a penetration tester and team leader. I love making software do things other than what it was designed to do! I do security research to find new bugs and new ways to get access to IT assets. I'm a speaker at events, talking about my research to share my findings and improve awareness about cyber security issues.