Beware: Scam Alert – Fake Reservation Links Target Travelers

Fake Reservation Links Prey on Weary Travelers

Introduction

In recent months, weary travelers have been increasingly targeted by a threat group known as TA558, which has been exploiting the rise in travel and related bookings to launch cyberattacks. Security researchers have identified a distinct shift in tactics, with TA558 using fake reservation emails that contain malicious links, leading to compressed files that, if executed, deliver a payload of various malware variants. This report will examine the details of this recent campaign, discuss the motivations and history of TA558, and provide advice on how to protect against such attacks.

The Rise of TA558

TA558, a threat group that has primarily targeted organizations in the travel, hospitality, and related industries since 2018, has recently ramped up its activities. After a period of relative inactivity, likely due to COVID-related travel restrictions, the group has resumed campaigns aimed at exploiting the surge in travel and bookings. Security researchers have observed a new tactic employed by TA558, involving the use of RAR and ISO file attachments linked to fake reservation emails. These attachment types, when decompressed, deliver a payload of malware, such as AsyncRAT, a remote access trojan (RAT).

The Shifting Tactics of TA558

Proofpoint, a leading cybersecurity company, has noted a significant increase in the use of URLs by TA558 in 2022. Compared to just five campaigns between 2018 and 2021, TA558 conducted 27 campaigns using URLs in 2022. Typically, these URLs lead to container files such as ISOs or RARs, which hold executables that deliver the malware payload when run. The group seems to have shifted to ISO and RAR files as a result of Microsoft disabling macros in its Office products by default. Previous campaigns by TA558 had leveraged malicious Microsoft Word document attachments or remote template URLs to deliver malware.

The Financial Motivation

The primary motivation for TA558 appears to be financial gain. By using stolen data, the group aims to scale up its operations and steal money. While its focus has been on organizations in the travel industry, its activities could potentially impact customers who have used these organizations for vacations. Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint, urges organizations in the travel and related industries to be aware of TA558’s activities and take precautions to protect themselves.

A Brief History of TA558

Since its emergence in 2018, TA558 has primarily targeted organizations in travel, hospitality, and related industries, with a particular focus on Latin America. The group initially relied on socially engineered emails, often written in Portuguese or Spanish, to trick victims into clicking on malicious links or documents. These emails typically appeared to be related to hotel reservations, with subjects such as “reserva.” In its early campaigns, TA558 exploited vulnerabilities in Microsoft Word’s Equation Editor, such as CVE-2017-11882, to download RATs like Loda or Revenge RAT onto target machines. Over time, the group expanded its tactics to include malicious macro-laced PowerPoint attachments and template injections against Office documents. TA558 also broadened its targeting to encompass English-language phishing lures.

Protecting Against TA558 and Similar Threats

Organizations operating in the travel, hospitality, and related industries, particularly in Latin America, North America, and Western Europe, need to be aware of TA558’s tactics. It is crucial to implement robust cybersecurity measures and educate employees about the risks of clicking on suspicious links or opening attachments from untrusted sources. Regular security awareness training, strong email filtering, and up-to-date software patches can help mitigate the threat of TA558 and similar cyberattacks. Additionally, travel industry organizations should consider conducting periodic vulnerability assessments and penetration testing to identify and address any potential security weaknesses.
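
To make the email-filtering advice concrete, here is an added Python example (not from Proofpoint or the original article) that triages one message for the delivery pattern described above: a reservation-themed subject, links pointing at ISO or RAR files, and attachments whose content is ISO or RAR regardless of the file name. The lure word "booking", the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

RAR_MAGIC = b"Rar!\x1a\x07"               # shared prefix of RAR4/RAR5 signatures
ISO_MAGIC, ISO_OFFSET = b"CD001", 0x8001  # ISO 9660 volume descriptor identifier
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
CONTAINER_EXT = (".iso", ".rar")
LURE_WORDS = ("reserva", "booking")  # "reserva" is from the article; "booking" is assumed

def container_type(data: bytes):
    """Classify by content so a renamed archive (e.g. voucher.pdf) is still caught."""
    if data.startswith(RAR_MAGIC):
        return "rar"
    if data[ISO_OFFSET:ISO_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    return None

def triage(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["subject"] or "").lower()
    if any(word in subject for word in LURE_WORDS):
        findings.append("lure-subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text" and not part.get_filename():
            # Body text: flag links whose path (query string removed) ends in .iso/.rar
            for url in URL_RE.findall(part.get_content()):
                if url.split("?", 1)[0].lower().endswith(CONTAINER_EXT):
                    findings.append("url-to-container:" + url)
        else:
            kind = container_type(part.get_payload(decode=True) or b"")
            if kind:
                findings.append(f"attachment-{kind}:{part.get_filename()}")
    return findings

def sample_message() -> bytes:
    """Constructed sample: placeholder domains, fake RAR header bytes, no real payload."""
    m = EmailMessage()
    m["Subject"] = "Reserva 12-15 agosto"
    m["From"], m["To"] = "guest@example.invalid", "frontdesk@example.invalid"
    m.set_content("Detalhes: https://files.example.invalid/reserva.iso?id=1")
    m.add_attachment(RAR_MAGIC + bytes(17), maintype="application",
                     subtype="pdf", filename="voucher.pdf")
    return m.as_bytes()
```

A finding is a reason to quarantine or sandbox the message, not proof of compromise; self-extracting archives and containers nested inside other formats need deeper inspection than this header check.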

Conclusion

The recent surge in travel and related bookings has provided fertile ground for cybercriminals like TA558 to exploit unsuspecting travelers. By employing fake reservation emails and cleverly disguised malware payloads, these threat actors are targeting organizations in the travel industry and potentially compromising the personal information of customers. It is crucial for organizations and individuals to remain vigilant, implement robust security measures, and exercise caution when interacting with suspicious emails and attachments. By doing so, they can help protect themselves against the growing threat of cybercrime in the travel sector.
