Crumbs! Holiday phish based on genuine hotel booking surfaces

Scammers have launched a devious phishing campaign aimed at tricking customers of targeted hotels into transferring funds to a drop account. Securobods suggested cybercrooks either hacked into a Spanish hotel's system or persuaded someone to hand over customer records on a false pretext before using the purloined details to …

  1. Neil Barnes Silver badge
    WTF?

    From the other side...

    I was convinced I was being spammed when I attempted to make a web-booking of a Best Western chain hotel in Italy recently...

    Having passed through the web payment scheme (using a credit card) and believing the booking to be complete, I then received an email from the hotel asking for faxed scans of my passport and credit card.

    Alarm bells rang.

    I was not a happy bunny, given the obvious risks involved, and eventually involved BW corporate - whose conclusion was (a) it was genuine and (b) they didn't have control over local operations - and the CC company, who were less than amused but didn't flag it as fraudulent. The hotel claimed that this was an Italian money-laundering regulation...

    We eventually compromised on a scan of my driver's licence, and enjoyed our stay.

    Nonetheless, the whole *point* of a web-based credit card payment is that it is complete unto and of itself; the risk is with the CC company if the card is reported stolen. Behaviour like the hotel's, whether government mandated or not, simplifies matters no end for scammers.

    (I never liked handing my passport over, either.)

    1. PCS

      Re: From the other side...

      You've obviously never dealt with hotels in Russia.

      'Nuff said.

      1. Destroy All Monsters Silver badge

        Re: From the other side...

        You've obviously never dealt with hotels in Russia.

        Before or after booking?

        In before "I was beaten up and relieved of my cash in the elevator and then it turned out Natasha had given me the clap"

  2. heyrick Silver badge

    just go to your bank and send a wire transfer to our account below

    ...and it doesn't seem strange to buy a holiday in Spain and pay to Poland?

    1. Pascal Monett Silver badge

      Indeed. I am just back from a holiday trip to the US. I had booked and prepaid a hotel room in Los Angeles via a web site that I supposed was a US entity - since it was the hotel site. I was very surprised when a charge showed up on my credit card details for a certain sum in dollars from an entity based in Hungary.

      I was able to match that line with the hotel room cost, but only after I had found an obscure reference to the bank name on my confirmation email. Nothing explicitly said my transaction would be handled in yet another country, and the total was not exactly the same.

      This is not good customer service. People should know exactly how their online transactions are being handled, and ideally the receiving bank should be clearly labelled.

      I am fast becoming a devoted follower of the IBAN transaction method. Seems much safer to send the money via bank transfer than to use credit card details that can be scammed.

      1. Jan 0 Silver badge

        @Pascal Monett

        I'd use IBAN more if my building society didn't charge me GBP 25 per transaction.

        Are there cheaper ways to use IBAN?

        1. Detective Emil

          Re: @Pascal Monett

          Well, you could do your homework (as I have not), and find out whether your building society is breaking EU law: see http://en.wikipedia.org/wiki/Wire_transfer#Regulation_and_price

          1. Jan 0 Silver badge

            Re: @Pascal Monett

            Thanks for that URL. The fee is now GBP 20, but what one is paying for is a "SWIFT transfer", so they may have some wriggle room. Is there a simpler way to use IBANs? I'll discuss this with my building society.

      2. david drysdale

        I booked a hotel in Romania through Hotels.com and ended up paying a Turkish agency in Turkish Lira.

      3. Joe 35

        I am fast becoming a devoted follower of the IBAN transaction method. Seems much safer to send the money via bank transfer than to use credit card details that can be scammed.

        ======

        I wonder what definition of "safer" you are using when you think:

        1. pay by bank transfer, money is irrevocably gone, and if actual fraud rather than rubbish service is happening, is transferred between several accounts and becomes untraceable and you have no comeback in either case.

        is safer than

        2. pay by credit card. If it's a scam, you get your money back.

    2. Denzel

      Re: just go to your bank and send a wire transfer to our account below

      Not really - they were booking through Booking.com, essentially a travel agent.

      If I book a holiday with car hire, flights, hotel etc through a travel agent I pay a single lump sum to the agent (into their bank account), and they divvy it up between the individual supplying companies (the hotel, the car rental agency, the airline, the tax man etc).

      Just because the hotel is in Spain in this instance, doesn't mean the intermediary agent has to have a bank account in that country.

    3. VinceH

      Re: just go to your bank and send a wire transfer to our account below

      "...and it doesn't seem strange to buy a holiday in Spain and pay to Poland?"

      The problem is that a hotel might be part of a chain or group, and in such cases it's the parent company that really takes the money (even if the hotel itself handles the transaction), rather than the hotel itself - so a hotel in one country might be part of a chain owned by a company in a completely different one.

      Booking.com don't help matters with their approach: They don't take your money, only your card details, and pass that information on to the hotel so that they have your card details ready in order to process your payment, and they charge the hotel commission which is usually taken (in one lump sum for all bookings in a month) by direct debit from the hotel. This simplifies things greatly for booking.com, since they don't have to process card payments.

      It's a clumsy approach because it means when making a booking you aren't just talking directly to a payment processor/gateway; you're trusting two companies with your card details: booking.com, who you hand them over to in the first place, and the hotel - and because payment is therefore not taken straight away (even a partial payment, such as a deposit), the system is ripe for a scam of this sort.

      As mentioned in the article, it seems unlikely booking.com are the source of the details here, otherwise there'd be a lot more noise about it - so it's likely to be the hotel, but the question is: is it details of bookings stored at/by the hotel that have been compromised, or is it the hotel's connection (i.e. access details) to their booking.com account? (I'd presume the former, otherwise the card details themselves would have been compromised and the problem would be CC fraud).

      1. Joe 35

        Re: just go to your bank and send a wire transfer to our account below

        As mentioned in the article, it seems unlikely booking.com are the source of the details here, otherwise there'd be a lot more noise about it

        =====

        The noise is happening. Three or four more reports now on Trip Advisor.

        All different hotels, all booked via booking dot com.

        I'd say it's pretty clearly a breach at booking dot com.

  3. Anonymous Coward

    The issue stems from one simple fact. Most hotels use e-mail and fax (yes FAX!) to confirm their bookings from the booking engines. All a scammer needs to do is intercept that confirmation e-mail or fax and voila they have all the details they need to extract the cash from you. (Easy enough considering how secure most hotels' reception areas are.)

    They can even sign up to the various bedbanks and input the hotel details and make themselves the main contact for bookings (there is little in the way of confirmation checks done to make sure you are authorised to enter the information). They will simply forward all bookings to the hotel at the rate specified, get a kickback from the hotel, then rip off the customers a few weeks after they have collected all the details they need. If they time the withdrawing of funds with the person's trip most people will simply put it down to being ripped off by those "orrible forins" as well.

  4. Tom 35

    Outsourced

    Outsourced data processing maybe?

  5. Dodgy Geezer Silver badge

    Covering all bases..

    ...Ferguson said the person running the account is either a knowing or unwitting participant in the con....

    Um. What other options are there?

    1. DNTP

      Re: Covering all bases..

      He has never closely examined factual material to self-determine if he is participating in a con, and thus can state no probability that he is or is not participating in a con. (I got this answer from a book on probability in medical genetics explaining different ways patients can be lacking certainty about their own conditions).

      Since we're on hotels, here's a question: Why is there a hotel called the "Four Seasons" in Singapore? Singapore only has, at best, 1.5 seasons.

      1. Allan George Dyer

        Four Seasons Re: Covering all bases..

        They want you to stay 32 months?

  6. Joe 35

    There is a report in Trip Advisor today: same scam, entirely different hotel (The Rockwell in London).

    Booking dot com initiated booking again though.
