Exploiting wanderlust: Social engineering attacks through a popular online travel platform.
Written by Annie-Mei Forster, Senior Consultant, oobe, 2024
At AISA’s annual CyberCon in Canberra, my friend Sekar Langit and I presented a talk on social engineering attacks on a popular online travel platform. A friend of mine was scammed last year after booking a hotel, so this was the basis of our talk.
The website allows property staff and guests message each other directly after a reservation is made. A month after my friend made a hotel reservation, she received a message which she thought was from the hotel as it was in the same chat. The message stated that there was an error during the booking process and that she would be required to enter her card details again through the provided link. The message also said that if she did not re-enter her details within 24 hours that her booking would be automatically cancelled.
So she followed the link and entered her banking information. On the following page it said that she would receive a six-digit code from her bank to verify the transaction. When she didn’t receive the verification code she suspected something was wrong and immediately called her bank to cancel her card.
It’s important to note that the online travel platform itself hasn’t been compromised, but rather the accounts of the properties.
There are two parts to this attack: the social engineering attack on the property provider to steal their platform credentials and the social engineering attack on the customer to steal their credit card information.
We discussed the steps involved in stealing the property’s admin account credentials which are outlined below:
Social engineering has always fascinated me because of the way cybercriminals manipulate people into performing an action or divulging information. There have been many studies into the psychology behind social engineering. Bad actors use the six Principles of Influence which were outlined by Rober Cialdini in 1984. The six principles are: reciprocity, commitment, social proof, authority, liking and scarcity.
After discussing this scam both at the conference and outside of it, it’s clear to me that a lot of people have their own story to share about this travel platform or similar scams.
One person told me that their family had a property that was listed on the platform, and someone had created a fake version of their property and listed it on the website. They had to get the platform to remove the fake property page. Another person shared their experience of booking a dodgy looking place when they were coming to Canberra.
Scams are nothing new. In fact, the earliest instance of financial fraud dates back to 300 BC. What has changed is the speed and scale that scammers can launch attacks which can reach millions of people through emails and text messages.
I think the most important thing we can all do is share our experiences. There’s no shame in getting scammed and most people have at some point in their life, whether that’s online or not. Having an open dialogue about scams is one of the best defences against them, as it empowers us with the information and confidence needed to protect ourselves and others.
Written by Annie-Mei Forster