Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Deno Releases Open-Source Firewall to Limit AI Agent Access to Sensitive Data

Deno has introduced an open-source security framework called Claw Patrol, a tool designed to help organizations control how AI agents inter...

All the recent news you need to know
Spear Phishing
Booking Scam Credential Theft Cyber Threats Guest Data Security Hospitality Cybersecurity Hotel Phishing Payment Fraud Social Engineering Spear Phishing

Fraudsters Exploit Hotel Reservation Records to Deceive Travelers


 

For years, phishing campaigns have relied on urgency, deception, and impersonation to lure victims into surrendering sensitive information. A newly observed threat, however, demonstrates how cybercriminals are increasingly enhancing those tactics with stolen or exposed real-world data. 

Security researchers have identified a large-scale operation in which threat actors leverage legitimate hotel reservation details to create highly convincing phishing messages that appear directly tied to a traveller’s recent booking activity. 

By incorporating authentic reservation information into their communications, attackers are able to bypass many of the warning signs users typically associate with scams, significantly increasing the credibility and effectiveness of the attack. The campaign, which reportedly affects customers linked to hundreds of hotels and vacation rental properties across dozens of countries, highlights a growing trend in cybercrime where access to genuine customer data is being weaponised to enable precision-targeted social engineering and financial fraud. 

By blending seamlessly into legitimate travel communications, the attackers are able to bypass the obvious warning signs of unsolicited email messages. Instead of sending unsolicited emails, the attackers approach travellers based on their current travel reservations. 

A guest relations or customer service department may send messages that seem to originate from the hotel and contain specific booking details that correspond to the guest's upcoming stay. As a routine verification request, payment confirmation, or administrative check, the communication creates a sense of legitimacy that significantly reduces suspicions of the hotel. 

In the recipient's perspective, the interaction resembles correspondence between hotels and guests, which makes the interaction very difficult to distinguish from genuine customer service initiatives. Research indicates that the scheme is more advanced than traditional phishing since it utilises the trust that has already been established by making a legitimate reservation to exploit the system. 

Threat actors may also compromise hotel employee credentials through separate phishing attacks, gaining access to hotel management systems, booking portals, or partner communication platforms through phishing attacks. Criminals can use this access to interact with travellers by using legitimate channels relating to real reservations, which allows them to embed fraudulent requests within trusted processes. Therefore, the attack has evolved from simple impersonation of a brand to the misuse of authentic hospitality infrastructure, thereby giving scammers a new level of credibility.

As a consequence of this evolution, there is a broader cybersecurity concern: social engineering becomes considerably more persuasive and much harder for both organisations and travellers to detect when attackers gain access to trusted business systems and customer context simultaneously. 

Although the exact source of the reservation data is currently under investigation, security experts have concluded that the information is likely to have been obtained as a result of compromises affecting hotel systems, hospitality partners, or third-party booking systems. As opposed to exploiting travellers directly, attackers typically target organisations that manage reservations directly at the onset. 

There are several methods by which hotel employees may be phished, malware-laden attachments are received, credentials are stolen, or booking service providers can be compromised. Once this information is obtained, it can become a powerful asset in social engineering campaigns. According to Cloudbeds Vice President of Engineering, Aaron Ownbey, the effectiveness of these scams is the result of the attackers possessing precise details regarding a guest's identity, travel dates, reservations value, and accommodation plans in addition to their knowledge of a guest's travel dates. 

Through such visibility, threat actors can create communications that closely resemble legitimate pre-arrival interactions, strengthening the call within the hospitality industry for increased employee security awareness, stronger authentication mechanisms against phishing attacks, and stricter controls over the access, export, and sharing of guest information.

Upon analysis of the fraud activity, two interconnected paths appear to be emerging. There is a first method of directly targeting guests, in which travellers receive WhatsApp messages, emails, SMS notifications, or booking-platform communications originating from hotels or guest service departments. 

In response to the fraudulent payment verification portal, victims are directed to fraudulent sites intended to harvest financial information while masquerading as routine account validation processes. This pattern has been notably observed by investigators in incidents related to online booking ecosystems, where genuine reservation information is an important component of creating credibility. 

Several countries have been identified as having been targeted by these campaigns, including the United Kingdom, France, Germany, the United States, Brazil, and Australia, highlighting the threat's international reach. Furthermore, by utilising multiple delivery channels, the operation is not dependent on a single platform, but is rather able to function as a flexible fraud framework that can adapt to any traveller's needs. It is also possible to compromise hotel-side systems and hospitality management platforms, a potentially more concerning attack path. 

When threat actors obtain employee credentials, they are able to gain access to reservations management tools, guest communication systems, and operational workflows. The platforms used to coordinate bookings and traveller interactions can then be exploited to communicate with guests using accounts that appear to be entirely legitimate. Researchers examined several incidents where attackers posed as security teams from trusted booking services and distributed what appeared to be mandatory software or security updates to accommodation partners. 

By delivering remote access malware, the deceptive material enabled further credential theft and deeper penetration of hospitality environments, enabling further credential theft. The criminal can then move beyond simple impersonation within these systems and begin operating through trusted channels that already occur within these systems on a day-to-day basis. As a whole, these incidents reveal an organised fraud pipeline rather than an isolated phishing attack.

A typical fraud attack typically begins with obtaining contextual information, followed by delivering a persuasive message via a trusted communication channel, and directing the victim into an automated payment or verification process designed to appear administrative rather than malicious. The ultimate objective is much greater than the fraudulent transaction itself. 

Payment cards that have been stolen can be used for low-value purchases, reused for larger transactions, or circulated within criminal marketplaces where they can be abused in the future. By combining this model with genuine reservation data and compromised hospitality systems, it becomes particularly difficult for traditional fraud indicators to detect. As these campaigns become increasingly prevalent, they highlight a wider challenge facing the hospitality industry.

Inherently trusted interactions, continuous guest communication, and rapid response requirements are the hallmarks of hotel operations. Messages regarding check-in procedures, payment confirmations, room preferences, and identity verification requests are received regularly by travellers, creating an operational backdrop that attackers can exploit easily. 

Consequently, conventional advice which focuses exclusively on identifying suspicious links or poor grammar is becoming less effective when the communication contains accurate reservation details and may even originate from legitimate business systems. This type of attack relies heavily on trusted context rather than branding or visual deception as its primary weapon. 

No matter which channel the unexpected payment verification request arrives through, it is best to treat it with caution when it occurs. It is important to navigate directly to the official booking service, hotel website, or verified mobile application to complete payment updates, irrespective of whether the message appears within a booking platform, via email, SMS, or messaging application. 

To obtain confirmation, guests should contact the property using information obtained independently from trusted sources rather than embedding information within the message. The individual who has already submitted payment details should assume that the information may be compromised. They should notify their financial institution as soon as possible, replace the affected cards, enable transaction monitoring, and be vigilant for subsequent fraud attempts that may utilise the stolen information. 

As phishing campaigns based on reservations are emerging, they illustrate how cybercrime is evolving beyond mass deception towards highly contextual attacks that utilise trust, timing, and legitimate data. A growing number of threat actors are exploiting compromised business systems as well as customer information, which leads to diminished visibility of traditional fraud indicators, leaving organisations and consumers exposed to risks that are more difficult to identify and prevent.

For the hospitality sector, the incident is a reminder that protecting guest data has become a critical security responsibility, which has direct consequences for customer trust rather than simply a privacy obligation. 

As a traveller, the best way to protect yourself is by verifying through trustworthy channels and exercising a healthy degree of caution in unexpected situations involving payments or sensitive information. As even genuine booking information can be weaponised in such an environment, trust should be anchored in independently verified actions rather than the apparent authenticity of a message.
Read more »
Technology
AI ALPR Data Spying Surveillance Technology

School Buses Could Become Surveillance Vehicles for Government in The US


In the US, school buses may soon become surveillance vehicles, according to 404 media’s report. A review of leaked documents revealed plans to deploy buses with automatic license plate readers (ALPR). 

The data will be allegedly given to government agencies. Already, privacy is a concerning issue amid rising data safety violations. Equipping buses with surveillance cameras will be unconstitutional and national-level spying of citizens in the US. 

About the incident

Bus Patrol, US’ leading provider of school bus stop-arm cameras has  over 40,000 AI-based cameras throughout 24 states. These cameras are allowed in 30 states, and are installed on school buses, and capture images of vehicles violating traffic rules when the bus is stopped. 

The footages captured  by the buses are “recorded, reviewed, and submitted to local law enforcement for review and final approval,” says BusPatrol. 

Stop-arm cameras claim to improve driver behaviour near school buses and student safety, but they have faced backlashes for failing on both ends. Stop-arm cameras also generate millions of dollars for businesses like BusPatrol. 

Currently, the firm plans to increase its data collection, revenue, and teaming with local law enforcement by changing stop-arm camera into ALPRs, as per the leaked BusPatrol documents. 

Why is ALPR system an issue?

ALPR systems are run by firms such as Flock Safety. They record the license plate number of passing vehicles but unlike traffic signals or stop-cameras, ALPR "cameras photograph every vehicle that drives by and can use artificial intelligence to create a profile with identifying information that then gets stored into a massive data base,” said the Institute for Justice (I.J), a public interest law firm. 

The data can be sent to law agencies which might use it for searching a vehicle or driver without requiring a legal warrant. The ALPR cameras fixed on moving school buses will help enforcement agencies to capture every moving vehicle they come across.

Flawed implementation

Without ethical enforcement, these cameras can be exploited. joshua Windham, a senior I.J. attorney, announced a nationwide campaign to oppose the uncontrolled and unconstitutional deployment of ALPR technology. 

Earlier ALPR systems’ data security has come under scrutiny after cases of sharing databases with immigration agencies surfaced despite company policies forbidding it. 

In Kansas, an officer used the data to trace his ex-girlfriend whereas in Texas, officers used the data to search for a woman who got an abortion. Such incidents have caused a few communities to termiate their contracts and discontinue ALPR entirely.

Read more »
Vulnerabilities and Exploits
Authentication Bypass CVE-2026-35616 EKZ Infostealer FortiClient EMS Fortinet vulnerability Vulnerabilities and Exploits

Hackers Exploit FortiClient EMS Flaw to Deploy EKZ Credential-Stealing Malware

 

Cybersecurity researchers have uncovered active attacks exploiting a critical vulnerability in FortiClient Enterprise Management Server (EMS) to distribute a previously undocumented credential-stealing malware known as EKZ Infostealer.

The attacks leverage CVE-2026-35616, an authentication bypass flaw in FortiClient EMS that enables unauthenticated remote attackers to execute arbitrary commands or code through specially crafted requests. The vulnerability stems from improper access control mechanisms and has been actively exploited in the wild.

Threat actors reportedly disguised the malware as a legitimate Fortinet endpoint update and delivered it through VPN scripting workflows managed by FortiClient. Fortinet acknowledged the exploitation of the flaw in early April and subsequently issued emergency hotfixes for versions 7.4.5 and 7.4.6 of the software.

Following reports of malicious activity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) instructed federal agencies to secure vulnerable systems within days. Around the same period, The Shadowserver Foundation identified approximately 2,000 internet-exposed EMS instances.

Researchers at Arctic Wolf recently observed threat actors using the vulnerability to deploy the EKZ Infostealer. According to the company, attackers begin by abusing endpoint APIs to carry out administrative actions without requiring authentication.

After gaining access, the attackers alter EMS configurations and VPN policies to enable the execution of malicious scripts. Once an endpoint establishes an IPsec connection with a FortiGate firewall, the legitimate FortiClient process, fortitray.exe, launches malicious batch scripts through Command Prompt.

These scripts then execute a Base64-encoded PowerShell payload that downloads malware disguised as a Fortinet software update. The payload subsequently collects data from the victim's device and sends it to an attacker-controlled virtual private server (VPS) over HTTP.

“Rather than relying on a generic malware lure, the payload was presented as a Fortinet endpoint update and executed through FortiClient-managed VPN scripting workflows,” reads the report from Arctic Wolf.

“On affected endpoints, FortiClient components launched command scripts that invoked PowerShell, downloaded a credential stealer, executed it silently, and exfiltrated harvested browser data before removing local artifacts.”

The malware, tracked as EKZ Infostealer, is designed to harvest sensitive information from both Chromium-based and Firefox browsers. It extracts stored browser data into text files and is capable of bypassing encrypted password protections.

Among the targeted data are login credentials, credit card information, addresses, phone numbers, and browser cookies. By stealing cookies, attackers may gain access to accounts protected by multi-factor authentication without needing the user's credentials.

Arctic Wolf noted that one potential indicator of compromise is the appearance of the log entry “Certificate not found in request header.” During testing, this message was often followed within seconds by another log entry indicating that a certificate associated with "fortinet-ca2" had been successfully updated.

Security teams are advised to monitor for unusual certificate authentication events and unauthorized modifications to Remote Access Profile settings. Additionally, suspicious administrative actions, newly created accounts, logins originating from unfamiliar locations such as Tor networks or VPS-hosted IP addresses, and unexpected configuration changes should be treated as potential warning signs of compromise.

Arctic Wolf has also released detailed detection and mitigation guidance to help organizations identify and defend against these attacks.

Read more »
Digital Personal Data Protection
Ad Data Privacy Browser privacy risks customer data privacy Cyber Security Data Surveillance Data-Driven Pricing Digital Personal Data Protection

Americans Back Surveillance Pricing Ban Amid Growing Privacy and Consumer Cost Concerns

 

Ahead of schedule, more people in the U.S. resist price tracking based on private information - details like where they shop, what they buy, or how often they spend. Because companies gather these patterns, each customer might face different costs for the same item. Although firms have used such methods before, fresh survey results show resistance gaining strength now. Despite quiet implementation earlier, citizens appear less willing lately to accept unseen adjustments shaped by their own data. 

A recent poll from GBAO Strategies shows public worry over how monitoring-based pricing might affect household expenses, especially food bills. While examining attitudes, it emerged that two-thirds think data-driven pricing models may push grocery costs higher. In contrast, nearly as many see risks in electronic shelf labels that let stores adjust prices instantly. Rather than accept these systems, most people lean toward intervention - about 67 percent back a full prohibition. Such views highlight unease with automated pricing methods shaped by customer tracking. 

Across party affiliations, resistance to tracking-based price adjustments emerged clearly. Most Democrats, those unaffiliated with either major party, and Republicans backed legal restrictions, showing suspicion of algorithmic cost calculations cuts through ideological boundaries. Uneasiness around how stores gather personal details to shape what people pay appears widespread. What worries privacy supporters isn’t just what things cost. The Electronic Frontier Foundation points out how much private detail is needed for tracking-based price models. Systems tap into details like age, where someone lives, their online activity, past buys - sometimes even race or gender. 

Using such data to set prices, some say, puts personal secrecy at risk. Questions also emerge around whether the process plays fair - and if anyone can truly see how it works. Some shoppers might already be experiencing such tactics, according to available data. Back in 2025, a probe by Consumer Reports uncovered disparities in item costs during an Instacart trial using artificial intelligence for pricing. Identical products carried distinct price tags depending on the user viewing them. 

At times, differences climbed up to one-quarter more than others paid. Although mentioned in internal presentations meant for business stakeholders, most buyers did not know adjustments were happening behind the scenes. Most times, people talk about surveillance pricing together with dynamic pricing - both shaped by algorithms in retail settings. Shaped by demand shifts, stock availability, or broader economic climates, prices shift under this model. 

Firms like Amazon and Walmart already apply forms of this method. Even though personal information plays a smaller role here, actions taken by shoppers - their habits, past buys - still guide how prices are set. Though talk grows louder, officials now question if tighter rules must follow. 

Because worries stretch across spending habits alongside personal data risks, how stores track buyers shapes wider talks on fairness and control. While some argue restraint matters more, others see unchecked patterns where price shifts tie too closely to who is watching.
Read more »
Vulnerabilities and Exploits
AI Security Bug Bounty Bug Hunting Security Patch Vulnerabilities and Exploits

AI Era Ignites Bug-Hunting Arms Race as Exploits Accelerate Faster Than Patches

 

The AI era has triggered a new cybersecurity arms race in which attackers and defenders are both using machine learning to find and exploit software vulnerabilities faster than ever. According to security experts, attackers are ramping up AI-powered exploit development, while security teams are deploying AI-driven detection and patching workflows to respond in real time. 

This acceleration is reshaping the economics of software security: the speed of vulnerability discovery no longer matches the slower pace of traditional analysis, triage, and patching, creating a dangerous imbalance between how quickly bugs are found and how quickly they can be fixed. The main issue is the flood of AI-generated bug reports overwhelming existing programs. Curl ended its bug bounty program after being inundated with low-quality submissions generated by AI tools. Linux’s security mailing list has become “almost entirely unmanageable” due to high volumes and duplicate AI bug reports from automated scanners.

Google recently overhauled its Vulnerability Reward Programs for Chrome and Android, lowering payouts for some bug classes while increasing others to focus on the most challenging and impactful vulnerabilities. These changes show that the industry is struggling to sort useful findings from noise while keeping costs sustainable. The same AI tools that help defenders also help attackers, which is the core asymmetry of this arms race. AI systems can now scan entire codebases, detect subtle patterns humans miss, and generate exploit code in days or even hours instead of months. 

Historically, exploiting a vulnerability could take years; now, exploits can emerge within 24 hours after discovery. This compression of the timeline means developers have less time to patch, attackers can automate exploitation, and low-skilled hackers gain advanced capabilities that were once reserved for elite teams. The result is a shrinking window between finding a flaw and it being weaponized. 

Organizations are responding with a mix of economic and structural measures. Some researchers argue that companies cannot simply “patch their way out of this” and must instead build infrastructure that makes many bugs irrelevant in practice. The industry is shifting toward “secure by default” designs, automated scanning in release candidates, and security-first development practices that reduce the number of exploitable weaknesses from the start. Google’s payout adjustments reflect a strategic shift to reward only the most impactful vulnerabilities, while smaller firms may struggle to keep up with rising costs and report volumes. 

The long-term issue is that vulnerability discovery is no longer a human-limited process but a machine-driven one, changing the balance of power in cybersecurity. AI exposes weaknesses faster than communities can respond, and the backlog of bugs now grows faster than it can be resolved. The winners will be those who treat security as continuous defense-in-depth, not as a one-time fix, and who build systems where most bugs are made irrelevant by design rather than by constant patching.
Read more »
Surveillance
AI Cloud Data FROST Internet Privacy Spying Surveillance

FROST Attack: Websites Can Now Spy on Users Via SSDs


Websites have always tried to spy on user activity through browsing histories, mouse clicks and keystrokes, and device fingerprints. Even Yandex and Meta were caught spying on users recently.

Hackers exploiting SSDs

These days, hackers are exploiting SSDs to spy on user activity. Known as Fingerprinting Remotely using OPFS-based SSD Timing or FROST, the technique lets hackers spy on other websites a visitor is viewing and what other applications are open on a user device.

In a research paper, the authors explained the exploit tactic. Hackers exploit a side channel, creating a type of leak that results from data caches or electromagnetic emanations. By computing the physical manifestations, hackers can decode encoded traffic and hack other confidential information.

Sites spying on user activity

The exploit that FROST used was called a contention side channel, which calculates the communication of other processes all using a given resource. By measuring input-output (I/O) time of SSD operations that a visitor uses, the experts found out websites opened in different tabs and browsers; even the applications that were opened on the user device. FROST doesn’t need any communication from the visitor but only requires opening the site hosting the exploit.

The attack tactic

According to the researchers, “Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications.” They also said that “companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser.” 

The impact

The authors also noted that, "while these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser’s attack surface, and some have already been shown to introduce new vulnerabilities.”

About the exploit

The attack is different to older contention-side channel attacks on SSDs. FROST runs only in the browser and uses JavaScript that communicated with OPFS (origing private file system), a dedicated storage space that is kept for a particular site to rune codes needed to do a given task. Sites can make one with zero communication required by the user.

“The attacker continuously measures SSD contention by performing random reads from a large OPFS file. SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model,” said the researchers. 

Read more »
Subscribe to: Posts (Atom)

Featured