Protect Yourself from Summer Vacation Scams: Stay Cyber Aware During Your Vacation – Check Point Blog

Check Point Research warns of rising summer vacation phishing scams driven by deceptive domains and travel-brand impersonations aimed at stealing credentials. The piece lists real-world domain examples, a Booking-related phishing email, and practical tips to stay cyber-aware while traveling. #CheckPointResearch #booking-secure928 #hotel-housekeeper #agodabooking #mainhotel5may #BookingDotCom #AgentTesla

Keypoints

  • Check Point Research warns about online phishing scams tied to summer vacations targeting travelers.
  • In May 2024, 1 in every 33 new summer vacation-related domains registered was malicious or suspicious.
  • Examples of malicious domains impersonating travel brands include booking-secure928[.]com, hotel-housekeeper[.]com, and agodabooking[.]top.
  • A phishing campaign used an email with the subject “Booking.com Invoice 3255753442” from noreply@b00king[.]biz containing a PDF attachment to lure victims.
  • The attack redirects to a seemingly legitimate Booking.com page but loads two malicious JavaScript files and contacts other malicious sites, enabling malware delivery (AgentTesla).
  • Practical advice includes verifying HTTPS, avoiding suspicious URLs, and contacting companies via official channels rather than through links in emails.
  • Users should stay informed via reputable security blogs, keep security software updated, and regularly scan devices for threats.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The article describes a phishing email that includes a PDF attachment named “Invoice-3255753442.pdf” and a subject “Booking.com Invoice 3255753442” that leads to malware delivery. “The email contained a PDF attachment called ‘Invoice-3255753442.pdf’”
  • [T1566.002] Phishing: Spearphishing Link – The decoy redirects to the legitimate Booking site while displaying a URL path that seems connected to the file and triggers malicious downloads. “redirects to the legitimate Booking website main page while displaying a URL path that seems connected to the file (booking[.]com/#lnvoice-3255753442.pdf) … two malicious JavaScript files are downloaded”
  • [T1189] Drive-by Compromise – Accessing the malicious URL results in downloading two JavaScript files and contacting a known malicious site, illustrating a drive-by style compromise. “two malicious JavaScript files are downloaded to the machine … (from) mainhotel5may[.]blogspot[.]com”

Indicators of Compromise

  • [Domain] context – booking-secure928[.]com, hotel-housekeeper[.]com, agodabooking[.]top, mainhotel5may[.]blogspot[.]com
  • [URL] context – cloudflare-ipfs[.]com/ipfs/QmZYCr9qyyq2UwPfDvDMyiNGedAsGLgphvaNReTTBMCRiS
  • [Email] context – noreply@b00king[.]biz
  • [File] context – Invoice-3255753442.pdf
  • [Malware] context – AgentTesla
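The indicators above are only useful once they are matched against something. The following is an added example (not code from the Check Point post) showing how a defender could sweep mail-gateway logs for these IoCs and, more generally, flag senders and URLs whose domains imitate the impersonated travel brands through digit-for-letter substitutions such as b00king. The log format, the sample log lines, and the list of legitimate brand domains (booking.com, agoda.com) are assumptions constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse


def refang(indicator: str) -> str:
    """Turn the defanged form used in reports ('example[.]com') back into a matchable string."""
    return indicator.replace("[.]", ".")


# Indicators as listed in the Check Point write-up (defanged on the page, refanged here).
IOC_DOMAINS = {refang(d) for d in (
    "booking-secure928[.]com", "hotel-housekeeper[.]com", "agodabooking[.]top",
    "mainhotel5may[.]blogspot[.]com", "b00king[.]biz",
)}
# IPFS CIDs are case-sensitive, so the URL indicator is kept as written.
IOC_URLS = {refang("cloudflare-ipfs[.]com/ipfs/QmZYCr9qyyq2UwPfDvDMyiNGedAsGLgphvaNReTTBMCRiS")}
IOC_SENDERS = {refang("noreply@b00king[.]biz")}
IOC_ATTACHMENTS = {"invoice-3255753442.pdf"}

# Brands the write-up says are impersonated. The legitimate domains are an assumption for
# this example; a real deployment would use the organisation's own allowlist.
PROTECTED_BRANDS = {"booking": {"booking.com"}, "agoda": {"agoda.com"}}

# Digit-for-letter substitutions typical of lookalike names (b00king -> booking).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def lookalike_brands(domain: str) -> List[str]:
    """Return the protected brands a domain imitates; [] for a genuine brand domain or no match."""
    domain = domain.lower().strip(".")
    labels = domain.split(".")
    # The label left of the public suffix is what a user reads as "the site name".
    name = labels[-2] if len(labels) >= 2 else labels[0]
    normalised = name.translate(HOMOGLYPHS)
    hits = []
    for brand, legit in PROTECTED_BRANDS.items():
        if domain in legit or any(domain.endswith("." + d) for d in legit):
            continue  # the real domain or one of its subdomains
        if brand in normalised:
            hits.append(brand)
    return sorted(hits)


# Constructed gateway log lines (assumed format, not real traffic): one phish matching the
# IoCs, one legitimate message, and one lookalike sender carrying the IPFS URL.
SAMPLE_LOG = """
2024-05-14T09:12:03Z mta=mx1 from=<noreply@b00king.biz> to=<alice@example.com> subject="Booking.com Invoice 3255753442" attach="Invoice-3255753442.pdf" urls=""
2024-05-14T09:15:44Z mta=mx1 from=<reservations@booking.com> to=<bob@example.com> subject="Your reservation" attach="" urls="https://www.booking.com/myreservations"
2024-05-14T09:20:10Z mta=mx1 from=<promo@agodabooking.top> to=<carol@example.com> subject="Summer deal" attach="" urls="https://cloudflare-ipfs.com/ipfs/QmZYCr9qyyq2UwPfDvDMyiNGedAsGLgphvaNReTTBMCRiS"
"""

LOG_RE = re.compile(r'from=<(?P<sender>[^>]*)>.*?attach="(?P<attach>[^"]*)".*?urls="(?P<urls>[^"]*)"')


def scan_log(log_text: str) -> List[Dict]:
    """Flag log lines whose sender, attachment or URLs match the IoCs or imitate a protected brand."""
    findings: List[Dict] = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons: List[str] = []

        def note(reason: str) -> None:
            if reason not in reasons:
                reasons.append(reason)

        sender = m["sender"].lower()
        sender_domain = sender.rpartition("@")[2]
        if sender in IOC_SENDERS:
            note("ioc-sender")
        if sender_domain in IOC_DOMAINS:
            note("ioc-domain")
        if brands := lookalike_brands(sender_domain):
            note("lookalike:" + "+".join(brands))
        if m["attach"].lower() in IOC_ATTACHMENTS:
            note("ioc-attachment")
        for url in m["urls"].split():
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if host in IOC_DOMAINS:
                note("ioc-domain")
            if host + parsed.path in IOC_URLS:
                note("ioc-url")
            if brands := lookalike_brands(host):
                note("lookalike:" + "+".join(brands))
        if reasons:
            findings.append({"line": lineno, "sender": sender, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Exact IoC matches age quickly, which is why the lookalike check is kept separate: it catches the next registration in the same pattern (a brand name with swapped digits under an unfamiliar TLD) without a new indicator. Keep the brand allowlist short and reviewed, since anything that legitimately sends mail as a subdomain of a protected brand must be on it to avoid false positives.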

Read more: https://blog.checkpoint.com/security/protect-yourself-from-summer-vacation-scams-stay-cyber-aware-during-your-vacation/