Expedia, a well-known online travel agency, has sent an email to a limited number of users, warning them that an attacker is posing as a company representative and sending emails and SMS messages to try to steal money. Researcher Bob Sullivan posted a screenshot of this email on his blog.
It was not a generalized phishing attack but a more personalized one: the attacker had information such as the name, phone number, email address and reservation codes of the victims.
The small number of affected users made it possible to determine that the information had been stolen from a particular hotel. The attacker somehow obtained the credentials that the hotel used to access the Expedia system and used them to steal the information of customers who had recently made reservations.
Security in hotel networks is not always the best; finding outdated routers or default passwords is normal, so the situation is not very surprising. It should be clarified that the stolen data did not include credit cards, since this information is handled securely by Expedia internally.
With this agency you can buy plane tickets, book hotels and rent a car, among other things. It is one of the most used in the world, and its users are accustomed to making transactions worth hundreds of dollars before traveling. With some specific information about them, it is not difficult to imagine different ways to trick them out of their money.
Some users, for example, are receiving phone calls informing them that they won a trip for $2,600 and asking for their cards to confirm check-in at a resort. These scams are generalized and have no relation to the previous one, but they are a clear example of how you can be made to fall into the trap.
We must be vigilant and never provide personal or sensitive information by phone or email. When in doubt, the ideal is always to contact companies through their website or social networks, as can be seen below in an exchange of tweets:
@Addi_James breach by Expedia as the phone calls are targeting US and Canadian citizens in general not just Expedia customers. In fact, …
– Expedia (@Expedia) June 24, 2015