Beware of Fake Reservation Links Targeting Exhausted Travelers

The travel industry has been reeling under the impact of COVID-19 and the subsequent disruptions. The latest threat comes in the form of fake reservation links that are being used by cybercriminals to target the travel and hospitality industries. The threat group identified as TA558 is reportedly behind this campaign. According to security researchers, TA558 has resumed its activities and is exploiting the uptick in travel and related bookings. The group has revamped its 2018 campaign with fake reservation emails containing links that, when clicked, deliver malicious malware payloads.

PREVIOUS TA558 CAMPAIGNS

TA558 has a lengthy history of targeting industries related to travel or hospitality, primarily located in Latin America, North America, and Western Europe. The group has used socially engineered emails to trick their victims into clicking on links or documents. The emails are most commonly written in Portuguese, Spanish, or English, and typically relate to hotel reservations. In previous attacks, the group has leveraged vulnerabilities in Microsoft Word’s Equation Editor to download Remote Access Trojans (RATs) like Loda or Revenge RAT to the target system.

NEW CAMPAIGN BY TA558

TA558 has shifted its attack strategy to include the use of ISO and RAR files, likely due to Microsoft’s announcement in late 2021 and early 2022 regarding the disabling of macros by default in Office products. The campaign tempo has increased significantly in 2022, with 27 campaigns using URLs to deliver malware, as compared to only five campaigns between 2018 and 2021. Malware payloads typically include RATs such as AsyncRAT, which can enable reconnaissance, data theft, and distribution of follow-on payloads.

INFECTING THE TRAVEL INDUSTRY

The goal of TA558 has always been financial gain. The group uses stolen data to scale up and steal money. It is possible that the compromises could impact both organizations in the travel industry, as well as the customers who use them for vacations. Malware payloads can include RATs that establish remote access to the victim’s system. These RATs provide a backdoor to the attacker, enabling them to collect data and potentially steal customer payment information and other sensitive data. All industries, especially those operating in targeted sectors in Latin America, North America, and Western Europe, should be aware of TA558’s tactics and take precautions to protect themselves.

PROTECTING AGAINST TA558

Organizations in the travel industry, especially those in Latin America, North America, and Western Europe, should adopt a multi-layered approach to mitigate the risk of attacks by TA558. Security measures should include staff training on security awareness, keeping antivirus, and security tools up to date. In addition, organizations should also implement data backup policies, implement policies to enforce the use of multi-factor authentication (MFA), and limit access control to vulnerable assets.

TA558’s campaign of fake reservation links preying on weary travelers underscores the need for the travel industry to be vigilant against cyber threats. The industry needs to protect itself and its customers from the menace of cybercrime by adopting proactive measures against cybersecurity breaches. As more people venture out to travel post-COVID-19, they should be made aware of the need to be extra careful while booking travel reservations online. Through necessary precautions and highly effective security measures, the travel industry can ensure a much safer and secure environment for all.