Major Travel Brand Shines Spotlight on Weak Partner Security Issues
Phishing Scam on Expedia Customers Underscores Third Party Breach Issues
Update: Trump Hotels is the latest carding victim, reports security journalist Brian Krebs. Krebs outlines how Trump is one victim in a string of hotel, restaurant, and other retail establishments being targeted in 2015.
Another week, another big brand’s customers are targeted through a third party.
The latest unfortunate victim is travel company Expedia, which confirmed that phishing attempts on customers are happening and that actual customer data was stolen from an unnamed hotel partner. The customer information is being used in spear phishing attempts aimed at obtaining credit card information from unsuspecting consumers.
To say that the travel industry relies on third-party partnerships in 2015 would be an understatement. The Internet, combined with a plethora of business models that use aggregation algorithms and digital partnerships to fuel revenue, has given consumers a bevy of low-cost, easy-to-package travel options. These options are rife with fraud, phishing schemes, and identity theft. Travel partners' technology has become an easy target given the prevalence of legacy infrastructure and inadequate security approaches.
“The recent breach that came through a third-party hotel should come as no surprise; most hotels run antiquated infrastructure on critical server components,” said Heid. “A Windows XP machine as an employee workstation is still a common sight, even in 2015; the booking systems that are linked into these terminals are assumed to be on closed networks, but often have public-facing applications that can be identified.”
Expedia Rates a ‘D’ for IP Reputation, ‘F’ for Network Security, a ‘B’ Overall
A peek into the SecurityScorecard platform revealed that Expedia has issues in a couple of very specific security categories, including IP reputation and network security. Because Expedia did not name the hotel partner that was the original source of the breach, we could not report on that partner's security posture. Expedia itself, however, does appear to have several issues, including our identification of Solar malware. Solar malware has self-debugging capabilities and is used in DDoS attacks and to steal data from web forms. The travel commerce website rates decently, however, in other categories such as DNS health and patching cadence.
“These successful breaches are probably more common than revealed, as most perpetrators abscond with the data and monetize it in the stealthiest way possible, whereas the attackers in this incident decided to be very noisy by spamming out phishing emails to harvested credentials, which alerted suspicions of affected parties,” said Heid.