Make sure to set 2FA for all your (Booking.com) accounts. That will reduce the chance of being hacked big time!
Hi @mdemmers,
make sure to check which data was exported from Mews.
Queues → Exports
Hackers might only contact booking reservations, even though data was pulled for all reservations.
Look for reservation reports for an unexpectedly long timeframe.
There are fake login sites which look like Mews, which made it to the first page of Google.
Greetings,
Eric
Hi,
we know the problem and have had problems with booking 4 times within a year. First the messages came via extranet, now via SMS. Unfortunately, booking is not really interested in the problem. If you report the problem to booking, you are only advised to change your password.
I don't think booking is doing enough about this, as there are guests who blame the hotels rather than booking.com. This also damages the reputation of the hotel.
I can imagine how the phones are now ringing every minute.
Hi @mdemmers
This is a well known problem and we have it with several customers.
Our findings so far are
- The attacker tries, through emails looking like booking.com or through fake websites in Google (e.g. booking.co instead of booking.com), to divert the user to a website looking like the booking.com login screen.
- On this screen, the user then enters username, password and 2FA, and is logged into booking.com (the user does not recognize he has been hacked)
- With the same credentials, the attacker can then log in to booking.com within the expiry time of the 2FA and start sending the data.
- This is called a man-in-the-middle attack in technical terms and 2FA cannot prevent it in most cases.
Recommendations are
- Immediately start a detailed log of operational actions you undertake once you become aware of the incident (actions, owner with date and time). Data protection officer and authorities will ask for this.
- Change all passwords immediately on booking.com
- Remind users to never google booking.com login site or click in emails to login, but only use bookmarks from the browser or verified URLs
- Be aware that 2FA does not provide security against this
- Inform booking.com account manager, while in our experience they normally do not tell you a lot
- Inform your data protection officer to judge if you need to file an official information to authorities. This is time-critical, as authorities only give you a certain period until submitting the first information.
- Start informing guests over booking.com messages
- Run a network scan for strange activity on the local network. In our experience, the attack always came from the outside and no data was captured from the inside, but good to check anyway
- Run a virus scan on the PCs
- Potentially inform your cyber security insurance as some of them require a timely information within their policies. Often they also have good guidelines and offer help in remitting the incident.
Best, Marc
@Eric Kröll
You are right.
Thanx for this, hopefully we can still fix this.
Hello!
There is a special page where you can submit the info about your security incident to Booking.com.
https://partner.booking.com/en-gb/help/legal-security/security/report-security-issue
Best regards,
JP.
- On this screen, the user then enters username, password and 2FA, and is logged into booking.com (the user does not recognize he has been hacked)
- With the same credentials, the attacker can then log in to booking.com within the expiry time of the 2FA and start sending the data.
- This is called a man-in-the-middle attack in technical terms and 2FA cannot prevent it in most cases.
Thank you @marc agilotel for pointing this out!! This is so important to know for everybody! 2FA is only a half-secure solution, even though it’s a significant improvement. The same applies to the MEWS login! There has been so much ado about 2FA for MEWS in recent months, and the most important thing to know about this is that it’s only a short-term, slightly improved security! Adversaries will catch up with more refined methods. There must be a move to phishing-resistant passkeys and conditional access systems (like it’s available for MS Entra, too, for example) where access is granted only for allowed IP ranges, and login attempts from outside those IP ranges must be scrutinized and monitored closely/alerted!
MEWS, do you see the writing on the wall! There is no time to rest - more secure and comfortable authentication must be deployed soon.
Booking.com could also show more concern for a more robust phishing-resistant authentication system - they too should implement passkeys and conditional access methods. IMHO, failure to do so might border on negligence by now … this scheme has been happening for months, again and again, across hotels around the world. And the problem is actually partially created by booking.com, because we don’t get the direct email. No one would need stupid, unreliable, and inconvenient “booking.com messaging” in the first place, if we got the contact details.
The only reason why booking.com accounts are accessible to so many hotel staff is that it’s required to answer guest communications. If that was not the case, maybe only a smaller selected group of people needed access and the attack surface would be minimized. And to add insult to injury, booking.com sends real emails with links to click on to respond to inquiries or certain requests! At the same time they ask us to only use bookmarks to access the extranet…?!?
There was even a warning in a local consumer protection newsletter, see https://www.watchlist-internet.at/news/booking-neuerliche-zahlungen/ - many hotels, us included, are sending out real payment requests if the MOTO Transaction with the booking.com submitted guest credit card fails for some reason. Now, let’s hope that all this does not converge to an even more locked down OTA world, where we hotels will be left no chance to communicate, let alone collect payments on our own, directly with the guests. Mark my words, we will see a future where we are required to accept payments by booking.com (booking sponsored benefits included), and are locked out from communicating with our guests, because of ... reasons.
So it’s highly important to get our act together to
- keep pushing for more secure, yet convenient and practicable authentication
- freedom to communicate with the guests directly and get the direct contact details as soon as possible from the OTAs.
Regards,
Jean-Philipp.
Hello @mdemmers,
All of the above security measures are important, but the most important thing you can do in this situation is to restrict Booking.com messaging service to accept messages from all email addresses except yours.
This feature was somehow never advertised, even the account manager did not tell us about it, but it will immediately stop any malicious messages being sent to guests.
You can set up the restriction from which email address a guest could be messaged: Booking.com Extranet > Property > Messaging Preferences > Security Settings.
This will prevent any third parties from sending messages to your guests immediately even if your system has been compromised or your reservation data has been leaked!
If you need, you can also set up all URLs that could be sent to the guests!
Detailed info: https://partner.booking.com/en-us/help/legal-security/security/all-about-our-messaging-security-settings
I hope it helps!
Zoltan
@szaboz Thanks so much - this is super useful and not well known in my experience!
In our organization they have decided on a different approach: making people aware of these kinds of attempts. It is called “Prevention by awareness”.
All people who have access to a computer are receiving training on how to identify a phishing mail and attempts at hacks. Every month we receive a training module, with video, and we complete the module by taking a test.
We can also report suspected phishing mail to our ICT and they can block such email for all the organization.
Some tips to recognize a phishing mail:
- Email is not coming from Booking.com
- If you press on the link with right button of your mouse, you can see that the link is not leading to Booking.com site.
- Speaking in general terms or pretending some misconduct in your property, without specifying the name of the guest or reservation number. All emails from Booking.com about a guest come with a name, dates of stay and Booking.com reservation number.
Booking.com doesn't care about this, their security level is not up to the standard it should be, and we are left with the consequences of a security breach.
Also make sure to check your automated messages on the extranet.
We’ve had a similar issue this summer, where the attackers actually got access to our accounts through a third party (booking.com partner) account, and managed to set up automated replies to our guests with requests for credit cards and bitcoin.
Nothing we could have done to prevent this, but still a big risk to our reputation. And disastrous for our workflow, as we work with online check-in only. Try explaining to your guests to not click the phishing link but do click our own link where we ask for your credit card. They will not
Booking.com has been under serious attacks this whole year, and so far, they’ve done very well to keep it out of the media. And we have seen some panicky extra security measures being deployed. But it doesn’t seem like they have the actual problem under control yet.
Hackers got access to some of our Mews accounts through the fake login site of Mews before the 2FA was set to mandatory.
They downloaded the reservations report for a longer period of time. This is known to all of you probably. However, recently guests were also approached by WhatsApp / SMS that their booking was not confirmed, etc.
We thought our accounts were hacked once more, only I found out that the hackers were re-using the reservations report and also sending it to guests whose bookings had been cancelled in the meantime.
So this might be worthwhile checking as well in case guests get these kinds of messages.
All of the above security measures are important, but the most important thing you can do in this situation is to restrict Booking.com messaging service to accept messages from all email addresses except yours.
For everybody’s reference: this does NOT work as described. We even tested with ‘block all communications’ and still (some, not all) messages came through… and Booking.com only replies with ‘change your password’..
The functionality of whitelisting also does NOT look (as it appears) at DMARC or SPF records; so if and when criminals would e.g. spoof your email address it would simply come through, and the one thing that’s becoming more and more easy to do now is spoofing!
Hi!
Seems to be a really widespread issue now. Booking.com even made it to Krebs on Security …!
JP.
Hey folks - thank you all for the ongoing discussion and diligence from our community, it makes it so much easier for us all to combat this together.
Thought I’d share a couple of insights on all of the topics.
As people know, we’ve had a rise in phishing incidents within the hospitality industry over the past few months, and Mews has been targeted along with a number of other growing hospitality sites. As highlighted in this thread, it is an incredibly widespread and co-ordinated set of events against our whole industry.
The primary attack vector that is being used is what we’d call typosquatting phishing - that is, they’re standing up fake websites that look and feel like the real thing (e.g. app.meows.com as opposed to app.mews.com). They then pay Google to appear top of the search results for things like ‘mews login’, so that your hotel staff are more likely to get the fake ad, and so be directed to the fake phishing site.
We actively remediate this as they are detected, and so can minimise the impact for our customers, but it still doesn’t prevent one of your hotel employees from giving over their credentials.
As already highlighted, 2FA is not a silver bullet on this - typically, someone willing to give over their username and password to an attacker is also likely to give over their 2FA code.
Some share on some of the things we’ve done/are doing to mitigate these attackers. This is very much an endless game of chess in the hospitality industry unfortunately though, as the attackers can and will pivot approach. Our aim is to create as many layers of security as we can (Defence in Depth) to reduce the likelihood of attack, and mitigate the impact of any attack that is seen.
Activities
Some of these are current, some of them are prioritised on our roadmap, but larger initiatives.
- 2FA everywhere - as already highlighted, there was a big push to ensure 2FA across our whole customer base after this phishing campaign started. Although not 100% effective, it helps massively to mitigate.
- Frustration Techniques - we have modified areas of the software to make attack less effective. E.g. removing the ability to see personally identifiable information if you don’t have 2FA enabled.
- Device Detection - folks will have seen we rolled out device detection recently, and so you get an email when you log in to the site highlighting if it comes from a new location. This was expanded in the past week to improve reliability, and we are now exploring device approval (so that login only happens if you approve the new location/device).
- Improved Access Controls - improving overall role based access in the product so that (for example) housekeeping staff only have access to those areas of the product that they need.
- Improved Identity - rolling out an identity solution across our whole ecosystem, so that there is a single login for all of our products. The added benefit on this is that it also will come out of the box with things like support for passkeys mentioned above, and many other aspects of securing identity.
- Improving Self-Serve Visibility - enabling you to better review activity taken by your staff across the product
This is just some of the high level, but there are a number of other areas that we are also focusing in on. All of the discussion on threads like this feeds into our roadmap for consideration, so it is really appreciated.
Cheers,
Terry
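Added example (not part of any post in this thread, and not Mews or Booking.com code): a small check a hotel IT team could run over links from emails, search results or proxy logs to separate the real login hosts from lookalikes such as the booking.co and app.meows.com cases mentioned above. The allowlist, the rule that subdomains of an allowlisted host count as trusted, and the distance threshold are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist, taken from the hosts named in this thread. Replace it
# with the login hosts your property actually bookmarks.
TRUSTED = ("booking.com", "app.mews.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # swap a character
        prev = cur
    return prev[-1]

def classify(url: str, trusted=TRUSTED, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host of a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"  # no scheme or no host: nothing to judge
    labels = host.split(".")
    # Every right-hand suffix of the host: a.b.c -> a.b.c, b.c, c
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    # Trusted only on an exact match or a subdomain of an allowlisted host.
    if any(t in suffixes for t in trusted):
        return "trusted"
    # A suffix that is one or two edits away from a trusted host is a
    # probable typosquat and should be reported, not just ignored.
    for t in trusted:
        if any(edit_distance(s, t) <= max_dist for s in suffixes):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Sample URLs: the two lookalikes are the ones quoted in the thread.
    for u in ("https://app.mews.com/", "https://app.meows.com/",
              "https://booking.co/login", "https://www.example.org/"):
        print(f"{classify(u):10} {u}")
```

"unknown" is not a pass: only "trusted" hosts should ever receive a username, password or 2FA code.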