
Fraudsters Don’t Go on Holiday – The Social Engineering Trap
Tabea Nordieker | 15.02.2023 (updated on: 09.09.2024)

When you think of going on holiday, the first thing that comes to mind is relaxation. You leave the stress of everyday life behind and just want to enjoy the days off. Unfortunately, even on holiday you are not safe from scammers, and awareness is key in protecting yourself.

The danger of social engineering lurks even in the most beautiful places in the world. To make sure that your next holiday doesn’t turn into a nightmare, we would like to share the following story with you.


What Happened?

Recently, we were contacted by a hotel asking for an assessment of an incident. A guest had fallen victim to credit card fraud during their stay, and the hotel wanted to ensure that no compromise of their systems had occurred. The attackers took advantage of a sophisticated yet simple fraud scheme based on a social engineering attack on room service, followed by a fraudulent call to the guest himself.

It all started with a call to room service. This call was forwarded from the main number, since room service cannot be reached directly. The caller posed as a technical support employee of a company that sells cash register systems for hotels. It is interesting to note that although this is a widely used provider in the hotel industry, the system in question was not in use at the hotel. The alleged support employee inquired about open bookings in the system (room service orders that had not yet been settled), under the guise of checking whether everything was functioning properly. According to the hotel’s staff, no confidential information was released, but this could not be confirmed beyond doubt.

After this, the scammer called the guest directly in the hotel room. The caller posed as room service and asked the guest to order breakfast. The attacker then stated that there were problems with the credit card on record and asked the guest to share his credit card information again. The guest, in good faith, gave out his credit card information over the phone. When he noticed a charge on his credit card that he did not recognize sometime later, he contacted the hotel, and this is how the incident came to light.

Assessment of the Situation

According to the hotel’s initial description of the incident, two scenarios are theoretically possible:

  • The hotel’s systems have been compromised. The attacker has access to the booking data and guests’ personal information.
  • The hotel was not compromised. The necessary information for the credit card fraud was obtained through social engineering, possibly in conjunction with open-source intelligence (OSINT) research.

Based on the sequence of events, a social engineering attack seems more likely. If an attacker had access to the hotel’s systems, a call to room service would probably not have been necessary, since the attacker could have viewed the data directly. Moreover, several customers would probably have been affected. In addition, if the systems had been compromised, other and more lucrative attack scenarios would be expected, such as data theft or encryption of data with subsequent blackmail. To be able to absolutely rule out a compromise, an in-depth forensic investigation is required. However, it should always be weighed up on a case-by-case basis whether the cost of such an analysis is commensurate with the potential benefits.

Since the fraudsters contacted the hotel and the guest through telephone calls, it is worth taking a look at the telephone system’s log files. These logs can show where the calls came from and whether further guests were affected, so that they can at least be warned.
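
The log review described above can be sketched as follows. This is an added example, not the hotel's or Oneconsult's tooling: the CSV column layout, the extension numbers, the guest room range and the four-hour window are all assumptions, and the sample records are constructed. It pivots from external calls that reached room service to guest rooms that were called afterwards without passing through the main number.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample CDR export. The column layout is an assumption; real PBX exports differ.
SAMPLE_CDR = """start,src,dst,via,duration_s
2023-01-10 07:40:12,+41000000001,200,100,95
2023-01-10 07:52:03,+41000000001,412,,180
2023-01-10 08:05:44,+41000000002,305,100,60
2023-01-10 08:10:09,+41000000001,418,,12
2023-01-10 08:30:00,anonymous,407,,240
2023-01-11 09:00:00,+41000000003,412,100,30
"""

ROOM_SERVICE = "200"           # assumed extension of room service
MAIN_NUMBER = "100"            # assumed extension of the main number / front desk
GUEST_ROOMS = range(300, 500)  # assumed guest room extension range
WINDOW = timedelta(hours=4)    # assumed time span to look at after the pretext call

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
    return rows

def is_guest_room(ext):
    return ext.isdigit() and int(ext) in GUEST_ROOMS

def find_affected_rooms(rows):
    """Map guest room extension -> reason it should be reviewed."""
    # External callers (assumed to be logged with a leading "+") who reached room service.
    pretext = [r for r in rows if r["dst"] == ROOM_SERVICE and r["src"].startswith("+")]
    hits = {}
    for p in pretext:
        for r in rows:
            if not is_guest_room(r["dst"]) or r["via"] == MAIN_NUMBER:
                continue  # keep only room calls that were not screened by the main number
            if not (p["start"] <= r["start"] <= p["start"] + WINDOW):
                continue
            if r["src"] == p["src"]:
                hits[r["dst"]] = "same caller as room service call"
            elif r["src"] in ("", "anonymous"):
                hits.setdefault(r["dst"], "withheld caller ID, review manually")
    return hits

if __name__ == "__main__":
    for room, reason in sorted(find_affected_rooms(load(SAMPLE_CDR)).items()):
        print(room, reason)
```

Caller IDs can be spoofed or withheld, so matches are leads for warning guests and for further review rather than proof of where a call originated.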

Another immediate measure already implemented by the hotel is to redirect all incoming calls through the main number. This creates another barrier to bypass before a guest can be tricked into sharing credit card information. This allows front desk staff to screen calls in advance and provide initial information to the guest as they are forwarded. Of course, this “human firewall” principle is only effective if employees have been previously sensitized through cyber security awareness training.

For your personal security, it is best not to give out credit card information over the phone unless you’ve verified the caller’s reputability and identity. If someone calls and asks for your credit card number, hang up and call back using a publicly listed number to ensure the person on the other end is legitimate.

Even though this incident relates to the hotel industry, a similar attack procedure is quite conceivable in other sectors. The recommended measures can thus be applied analogously in other businesses in the service sector. Is this perhaps your next scenario for a tabletop exercise?

Conclusion

Fraudsters lurk everywhere, even in places you wouldn’t expect. Attackers are always coming up with new scenarios to trick a potential victim into giving out confidential information. The only way to protect yourself is to stay alert and follow best practices.

Do you still have questions or are you interested in cyber security awareness training? Further information can be found here: Security Academy. We look forward to hearing from you!

Author

Tabea Nordieker joined Oneconsult AG in Zurich in July 2022 as a Digital Forensics & Incident Response Specialist, where she supports clients in resolving cybersecurity incidents. In addition to her Master’s degree from the University of Lausanne in Digital Forensics, she is GIAC Certified Forensic Analyst (GCFA) and Blue Team Level 1 (BTL1) certified.
