Major Travel Brand Shines Spotlight on Weak Partner Security Issues

Phishing Scam on Expedia Customers Underscores Third Party Breach Issues

Update: Trump Hotels is the latest carding victim, reports security journalist Brian Krebs, who describes Trump Hotels as one of a string of hotels, restaurants, and other retail establishments targeted in 2015.

Another week, another big brand’s customers are targeted through a third party.

The latest unfortunate victim is the travel company Expedia, which confirmed that customers are being phished and that real customer data was stolen from an unnamed hotel partner. The stolen booking details are being used in spear phishing messages designed to extract credit card information from unsuspecting consumers.

“Expedia has been targeted since their inception by the underground seeking to make use of stolen credit cards to purchase flights, hotels, and vacation packages,” said SecurityScorecard’s Chief of Research, Alex Heid. “Carders will often discuss methods on forums as to the best ways to make use of CVV [Card Verification Value] data through the Expedia website, and other similar travel sites.”

News of the third party involvement came from consumer advocate Bob Sullivan, who wrote the following:

Sarah Gavin, head of communications at Expedia, says the data was not stolen from Expedia, but rather a third party. The data was stolen by a criminal who successfully phished a partner hotel and obtained that hotel’s login credentials, and subsequently stole names and other information about consumers who had used the Expedia system recently to book a stay at that hotel. The theft was limited to consumers who booked at that hotel, which she declined to identify.

To say that the travel industry relies on third-party partnerships in 2015 would be an understatement. The Internet, combined with a plethora of business models built on aggregation algorithms and digital partnerships, has given consumers a bevy of low-cost, easy-to-package travel options. Those same options are rife with fraud, phishing schemes, and identity theft. The technology of travel partners has become an easy target, given how much of it runs on legacy infrastructure with inadequate security.

“The recent breach that came through a third party hotel should come as no surprise; most hotels run antiquated infrastructure on critical server components,” said Heid. “A Windows XP machine as an employee workstation is still a common sight, even in 2015. The booking systems that are linked into these terminals are assumed to be on closed networks, but often have public-facing applications that can be identified.”

Expedia Rates a ‘D’ for IP Reputation, ‘F’ for Network Security, a ‘B’ Overall

A look into the SecurityScorecard platform revealed that Expedia has issues in a couple of specific security categories, namely IP reputation and network security. Because Expedia did not name the hotel partner that was the original source of the breach, we could not report on that partner’s security posture. Expedia itself, however, shows several issues, including our identification of Solar malware on its infrastructure. Solar malware has self-debugging capabilities and is used in DDoS attacks and in stealing data from web forms. The travel commerce site rates decently in other categories, such as DNS health and patching cadence.


“These successful breaches are probably more common than revealed, as most perpetrators abscond with the data and monetize it in the stealthiest way possible, whereas the attackers in this incident decided to be very noisy by spamming out phishing emails to harvested credentials, which alerted suspicions of affected parties,” said Heid.