
Always be wary of opening unsolicited attachments – they might harbour malware.
That’s a message that is being strongly underlined once again, following the discovery of a cybercrime campaign that is using the cover of travel service providers.
Security researchers at Forcepoint say that they have uncovered evidence that malicious hackers are sending out poisoned PDF files, designed to infect recipients’ PCs.

The emails claim that the sender’s credit card has been mistakenly charged twice for a hotel reservation – and ask for the matter to be investigated.
However, if the .PDF attachment (which, in the above example, has a filename referencing travel website Booking.com) is opened, malware is downloaded that ultimately deploys the Agent Tesla remote access trojan.
As researchers Mayur Sewani and Prashant Kumar explain, the remote access trojan (RAT) allows remote hackers to log keypresses, steal passwords and other data, and run commands on the infected PC.
Although the example given by Forcepoint uses the disguise of a booking reservation related to Booking.com, it could just as easily pretend to be in connection with another travel service.
One danger is that a hotel receiving such an email might be tricked into opening the boobytrapped file, and give remote hackers an opportunity to break into the hotel’s reservation system – potentially opening opportunities for yet more fraud.
In October last year I described how fraudsters had hacked into hotels’ Booking.com accounts in order to target guests.
And I should know – I was one of those guests who was targeted.
For more discussion of how hotels were having their Booking.com accounts hacked, be sure to listen to this episode of the “Smashing Security” podcast.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
If they want to bring me in as a consultant, we could maybe even edit this podcast to remove all these references. All they have to do is get in touch. This whole podcast can be cleaned up.
Just give me my fricking hotel room, which I need in London for God's sake.
Smashing Security, episode 346, how hackers are breaching booking.com and the untrustworthy reviews with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 346. My name's Graham Cluley. And I'm Carole Theriault. How's things, Carole? Everything going tickety-boo? What's going on with the new podcast? Big success?
Super success. I think as of yesterday, we had 150 listens, which, you know, turns out if you get more than 121, if I remember correctly from God knows what website, you're in the top 25 downloads. So if you get 121 downloads in a seven-day period, you're in the top 25 podcasts in terms of rankings. In terms of— 25% do you mean? 25%, yeah. Yeah, not 25, good point. Yeah, that's what I was confused by. I'm sorry. There was a big keyword I was missing there, percent. Yeah, top quarter, top quarter.
And the name of the podcast, Carole, which you've forgotten to mention, you should mention every time, is... Audio... No, it's not. Art Musings. It's Art Musings, Carole. Don't include that. I have too many podcasts. I don't even know what I'm doing anymore. I'm gonna be taking another look in at booking.com.
A whole week to come up with that one, and I am gonna ask the question: is it or ain't it AI? All this and much more coming up on this episode of Smashing Security.
Now, chum chum, I want to take you back in time and listeners, you can come back in time as well. Way, way back to two episodes ago, episode 344, in fact, yes, a fortnight ago, I talked about how I, yes, your humble host, Graham Cluley, how I almost got scammed while looking for an aubergine in the supermarket. I wasn't scammed by the supermarket. I wasn't scammed in terms of, you know, I was being offered a melon or a pamplemousse instead of an aubergine.
I really didn't think we would go back to aubergines and pamplemousses again. I thought that was a one-off for the entirety of all the series and episodes we're ever going to have. Unfortunately, I have to come back to this because, of course, the way in which I almost got scammed, if you didn't hear, was via Booking.com. The app. Yeah. This is Antoine, the concierge.
Pretty much. Pretty much, Carole. They said if the link doesn't work, here are banking details in Abu Dhabi or wherever it was.
Oh, for God's sake.
I was booking a hotel in London. Yeah. So, I mean, obviously that one was fairly obvious, right? Right. But when they just had the link in there, it was less obvious. So this has been quite an interesting topic. And the mainstream media have picked up on this story of booking.com scams. I'm not suggesting it since we did the podcast about it, since we did the podcast about it. The Daily Mail, The Mirror, and others, The Mirror.
Yeah, hi, guys. Thanks for listening.
The Mirror, in fact, they actually picked up on the story. They even mentioned my aubergine experience. They mentioned the aubergines in their article, links in the show notes.
Oh, for God's sake.
So if you want to hear about my aubergine expedition and how it was interrupted.
How can I make this interesting? I don't need to. Graham had a really wacky approach. Let's grab that. Love you all.
So the media are all, oh, oh, oh. And obviously there's been some interaction with Booking.com as well, because way back when I contacted Booking.com and said, oi, there's a problem here. And they didn't get back to me. They were a nightmare to get hold of. They weren't getting back to me. And I wasn't terribly impressed. And I was less impressed when I found out other people were victims as well.
No support is really shitty. And not having information about this on your website is kind of shitty. And then they sent out an email to people, but it was all a bit vague. And it was all a bit wishy-washy. I thought it'd be interesting to find out how are the bad guys actually doing this? Because how can they send a message via the Booking.com app from the hotel? In other words, you're saying they would have stolen Antoine's password or they guessed Antoine's password and username and then were able to pose as him and get the information. Absolutely. Right. Absolutely.
So I've done some digging around. I've spoken to some people in the industry who've been looking into this as well. Well, you've got your own deep throats. Mine is called Brian. Brian. I spoke to Brian. Hi, Brian. I think you listen to the podcast sometimes. Hi, Brian. Thanks very much. Brian was able to help me out. What he told me is that the criminals are compromising the hotel staff. The way in which they do it is this. They create a fake account on Booking.com, right? A John Smith or whatever. They then book a room via Booking.com with a particular hotel for a certain date. And of course, even if they book it, they can cancel it later and get their money back.
And then they have a problem and contact directly?
Exactly. Then they send a follow-up message to the hotel saying, oh, you know, I'm really old or I've got this wheelchair. I need—
15 lamps in the room.
Yeah, exactly. Can you make sure that you've cleaned out the kettle properly? Because I've heard stories that people might urinate in the kettles. I want a cup of tea when I get there or whatever their specific requirement. I need 10 shower caps. I can't explain why. Whatever their specific requirement is, they send a message in, maybe via the Booking.com, and maybe they attach a malicious booby-trapped PDF file or they link to a website claiming to be pictures or an archive, here's all my information. I need you to do this.
Yeah. I need the room to look exactly like this.
That's right. This colour Smarties in the, you know, whatever it may be, whatever their rider may be. And of course, the poor concierge or booking agent inside the hotel, Antoine, right, who's dealing with this. He clicks on the attachments and his computer is infected with a keylogger, which then spies upon what's going on on that computer and is able to determine the password and log in or grab the cookie session or whatever it may be to log into Booking.com as that hotel and access everything that Antoine can see. That appears to be the way in which this is happening. Questions. Yes.
Got so many. Did you ask them whether they do staff training on how to avoid scams? I have not asked anyone, either Antoine or Booking.com, that question. Or Brian. But that's — yeah, or Brian, who's my inside man. I haven't asked them whether they do that. Use multi-factor. Yes, exactly. Have multi-factor authentication on the accounts. That would make it harder to log in, wouldn't it? Yeah, like contact any of our sponsors to see if they can improve their security. But yes, what else?
Very good, Carole. Always the professional. Yes, you could do that. Why? Because people from Angola don't tend to go to Paris?
No, no, no, no, no, no, no, no, no, no. The people from Angola or Mongolia. The workers. The employees, yes. I'm talking about Antoine, right, behind the checking in desk. When he logs into Booking.com as a hotel, he should have to do it from the ruddy hotel itself, right? Rather than somewhere else in the world.
I like the IP thing. I think you could totally question that IP in the same way that Google does. It's like, is this you? You're in a different place.
Yeah. Yeah. I mean, I'm not saying that's the only protection which you can do. There's other protections you could do as well. You've mentioned training. You could also prevent the hotel from including links in its messages to its customers, which do not link to the hotel's own domain name.
Yeah, totally could. Yeah, of course, you guys. I hope you're listening. Take notes, people. Take notes.
Yeah, take notes, Booking.com. I'm giving you loads of ideas here. You could do that because obviously then if they try and put together some sort of scammy URL which looks like Antoine's hotel, it won't actually be it. And so the message will be blocked or treated as suspicious or they won't be able to post it. It makes it more difficult. You could also look at the domains which are included in the links posted in these messages because what I found was the scam URLs which were posted in these messages were created typically within about 24 hours of the message being posted. So these are brand new created domain names which are being used in these scams. And you could say any domain name which is less than six months old cannot be included in one of these messages because instantly it's suspicious. Because why would the hotel be linking to some site which never existed before?
Staff could have a dongle, right? With a one-time password? Yeah, you could have hardware keys. You could even simply have a thing which pops up on booking.com inside the chat window saying, be suspicious, Mr. User, Mr. Traveller. They do that for liability. I don't think it's out of the goodness of anyone's heart, personally. I think that's a liability issue. It's like, be careful if you see anything suspicious, and if you fail to do so, we'll be able to blame you. Yeah. I don't like that, personally. But anyway. Brian has told me about one situation. Just give you an idea of the scale of this. Did you and Brian meet down on Dark Alley somewhere and he shared this information? How did that happen? Was it just on X or what? The other thing which has happened is Booking.com CISO, Spencer Mott, has been in touch with me. Spencer Mott with an M. M-O-T-T. You're right. Not in the chat. But mind you, I'm trying to think maybe a user might want to send one. Maybe. Yeah. Well, I don't mind so much that happening. I don't know. That's how it went wrong. Did you say me? Did you say me but you're saying these travelers on the show?
No, no, no, because I haven't... I didn't get... I was... I was... I spotted it.
You didn't know time, sweat, effort. Do you know how many tweets? You know how many my fingers have bled? It's a charity call. That's what I'm doing. I'm not charging for this work I'm doing for them. Just give me my hotel room, which I need in London for God's sake.
So they have said that regarding losses incurred by our travelers, this is assessed on individual circumstances. In other words, they're not going to help you out. This may be resolved by the paying bank as an intermediary or separately between the hotel partner and ourselves. So they're saying contact customer services. Each case will be investigated upon its own merits. So what I will do is I'll also put in a link in the show notes to some research that Akamai did back in September, looking at this phishing campaign as well. So it's been going on for a while. But for now, be very careful on Booking.com. Unless, of course, we get sponsored by Booking.com, in which case this will just be 10 minutes of static that you're listening to rather than an actual moment about Booking.com.
No, no, no, no. I'm here to, you know, keep us straightened out. Keep us? Okay. Keep us good. Keep us good. That's good. That's my job. We're going to talk product recommendation websites. Do you use these? Product review sites? Well, yeah. You know, maybe if you want to buy a new hob or something.
Well, yes. I was looking for a hob with knobs and there weren't very many. Oh, we all know about that. Yeah. By the way, still going really well. Cooked the ratatouille just great. Thank you for asking. I didn't. No, you didn't. But anyway, but no, review, absolutely I do. All the time. You know, I think that's...
So what ones do you use? Can you share that information or is that also proprietary?
No, not proprietary. I go to my search engine of choice. I'm not going to say which one that is. And I typically will write in hobs with knobs reviews or top 10 hobs with knobs.
No, but is there sites that you go to? Like there are companies, right? Not really. Like I go to Which. Oh, yes. In the UK. Which. I do use Which. Yes. Which is very good, I think. I like Which. And there's Consumer Reports in the States that I know of. Popular Mechanics in the States is big. I've heard of them. Good Housekeeping. And there's Wirecutter. I think they're associated with New York Times. Yeah, yeah, yeah. Well, another well-known USA-based product review website is called Reviewed.com. So you can check that out while I'm yakking, if you like. So it's a division of Gannett Satellite Information Network. These are the people that also own the paper USA Today. So they're not tiny. And on the Reviewed.com website, they have a mission statement. It says, help you buy the best stuff and love what you've already got. Okay? Right. And they say in their about page, they write, we believe that tough, objective, hands-on testing is the best way to measure the quality of a product. Like any good scientist, we promote transparency in our process. Not everyone will always agree with our recommendations. We're looking at you, brands of the world, but they'll always know how we arrived at them. And we're always happy to share the info we learned along the way.
So, you know, sounds pretty good. I'm looking at their homepage and they are being upfront with one thing, which I'm pleased to see, which is they're saying, if you make a purchase through some of our links, it may well earn us a commission. May meaning definitely defo, defo. Yeah, yeah. I mean, that's the business model, isn't it? So you also have to be a little bit skeptical of some of these. I know there's a lot of VPN review sites, which turn out to be actually owned by VPN companies, for instance.
It's like, they're all shit, but ours. Yes. Yeah, right. We're the best. Amazing. 20 million stars. Wow. And they also say that recommendations are independently chosen by Reviewed, like the site Reviewed editors. It's hard word to say reviewed editors. It's a stupid name for the site Reviewed, isn't it? Yeah. Sure. We could go down that road, but let's not, let's just stay on point. Just, yeah, but noted. Okay. Now it does sound super cool. You know, they independently chosen, they're not trying to make everyone happy, including you, brands of the world, right? All this.
Sorry, what is brands of the world?
Like they're saying, hey, Hotpoint, or hey, Bosch, or hey, Echo, or Amazon. Oh, so brands of the world isn't a thing. I thought maybe that was a different… Hey, what do I know? They just mean big brands. What I'm reading in that is they just mean, hey, big brands. We're telling the truth no matter what. Okay, okay. Anyway, and they do all kinds of stuff, as you can see, for the website, right, from appliances, kitchen gadgetry, smart home tech, strollers, fitness equipment, and blah, blah, blah, all manner of stuff. Yeah. Now, a week or so ago, a few reviews came out on Reviewed, you know, and nothing unusual there, obviously a daily occurrence, right? Except that these specific reviews were a tiny bit unusual. One, no one at Reviewed recognized the bylines of the piece. So that means who were the writers, right? Who are these people? No one recognized the names of the people that had written the pieces.
You would think they would be more careful about that in case it is someone who's also the head of marketing at, I don't know, Hoover or something, you know, some big company, which maybe has a slight bias as to who may come out top.
Yeah, because apparently many of the editors and staff that work at Reviewed.com didn't even know or even know of these people being in existence, right? So what do they do, right? They're looking at these names and they decide to look for the byline, the author of the articles using the power of the web. So they hit up sites like LinkedIn, surefire place to find the majority of tech reviewer writers, right? Wrong. None of the names seem to have any profile. Now, problem number one, if you were making up byline names, surely you would choose things like John Smith, Paul Baker, right? Like easy names where there's 15,000 profiles for it. Rather than something like Nimity Blathert or something. Anyway, curiouser and curiouser, nothing on LinkedIn, right? The other problem was the actual content of the article. I don't want to use the word rubbish, but it seems that the quality led some of the writers and editors at Reviewed.com to ask the obvious question, which is, Graham? Was it written by a robot?
Exactly. That is the question, right? And this has ensued a bit of a spat because Gannett, the owners of USA Today and Reviewed.com, says, no, no, no, no, no AI here, Gov. But about 40 people at Reviewed who work there say, oh, yeah, they did. Okay. Try it. Yes. Let's hear it. A few lines. Yes. Let's hear it. Yeah. Let's see if I can tell. Okay. So this is all about, you know, flogging a trampoline. Okay. Yeah, it's not really terribly engaging.
Yeah, so then I went looking around other places, and The Verge had a few, right? So The Verge states, the writing was stilted, repetitive, and at times nonsensical. So here are a few quotes they saw. "Before buying a product, you need to first consider the fit, light settings, and additional features that each option offers." And that was for the best waist lamp of 2023. A waist lamp? A waist lamp, around your waist. What are you trying to... What are you trying to... I guess I don't know. What are you trying to light up? Is it a headlamp? Is it... Headlamp. Yeah, but maybe you're looking elsewhere. Maybe you're sleepy. You just, I don't know.
Crazy. Hang on. I'm Googling waist lamps right now. I'm interested. I want to know. Oh. Runners. Runners have waist lamps, apparently. Waist lights for runners. There you go. I don't know if that's what they're talking. Well, that makes a little bit of sense if you're running around in the dark. I thought it'd be something pervy. You might run over a badger in England. That'd be scary. I thought it meant some sort of angle poise lamp sellotaped to your belly button.
There's another one that says, "Before you purchase Swedish dishcloths, there are a few questions you may want to ask yourself."
Why is the first question. Why do you want a Swedish dishcloth? Is it for wiping Swedish dishes? What? Why would you? Who cares? Just get a local one. Don't get one flown in from Stockholm.
These are the kind of sentences that may have made some of the editors and writers at Reviewed.com think, maybe something is amiss. So the union that represented Reviewed workers shared screenshots of the shopping articles that the staff had stumbled upon and then thought, this seems a bit weird. And then, of course, asked the obvious question, were these written by AI? Right. But no, no, no, says Gannett. They call the method of AI detection unfounded. It was actually a third-party company called AdVon Commerce that had provided the freelancers, and these were human freelancers that wrote the reviews, not AI.
This is what I would have expected, is that Reviewed can say, no, no, no, we haven't hired any AI. We haven't used any AI to do this. But they've got some other third-party companies that, oh, we can write content for your website. And then Reviewed doesn't do its due diligence. Well, are you actually going to use human journalists to do this?
Well, Gannett actually did say maybe the quality wasn't great and maybe they didn't use the accurate affiliate disclaimers and they didn't meet our editorial standards. But this wasn't really washing with staff. So writers and editors from Reviewed are calling for all the articles in question to be retracted and for an apology from the company for using a third party for work that they could have done because they're staff. Apparently, this request doesn't look like it's going to be honored, according to some insiders. And the whole thing gets even a bit more complicated than that when you hear this. So this wasn't the company's first negative brush with AI. So in August this year, the company ran a botched experiment using AI to generate sports articles, publishing tons of stories repeating these awkward phrases such as close encounters of the athletic kind. Close encounters. That's the one with the great big pile of mashed potato, isn't it? And at the time, Gannett paused the use of the tool and said it would re-evaluate the tools and the processes. But a few weeks before this whole debacle of whether or not AI was used to write the articles, unionized staff at Reviewed walked off the job to secure dates for bargaining sessions with Gannett to get more money and get a better package.
I'm not revealing my search engine of choice. What do you want me to, of course, what do you want me to search for that? Oh, sorry. Don't Google. Search for AI-generated product review services. So basically, imagine you're a reviewer. Yeah, no, it's a great idea.
There's tons of services. Oh yes. Oh, yeah. Like, there's tons of pages. Oh, my goodness.
Just go to them. So you can't trust your reviews, Graham, so maybe your hob is a piece of poop. Just saying. Panoptica provides users with deep visibility, prioritized risk assessment, and actionable remediation from development to runtime. This comprehensive cloud-native application protection platform, or CNAP, provides an essential holistic view to secure the entire cloud application stack seamlessly.
If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is, you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log in to your cloud apps. Visit kolide.com slash smashing to watch a demo and see how it works. That's K-O-L-I-D-E dot com slash smashing.
And welcome back. And you join us by our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is not security related. My pick of the week this week is a couple of books, a book which comes in two volumes, one covering the 1970s and the other one covering the 1980s. I've rarely seen you read a book, Cluley. Have you read this? Have you read both books? Not every word, no. And the reason is that in total, there are over 1,200 pages, and it's in a very dense, tiny print. Is there any pictures that can give you some? There are some pictures, but everything's really quite small. Is it a comic book?
No, no. There's a lot of words. I think this will be of interest to a lot of our listeners. Okay, I'll shut up. This is a couple of books called Scarred for Life, Growing Up in the Dark Side of the Decade. There's one for the 1970s, one for the 1980s. It is a couple of books by chaps called Stephen Brotherstone and Dave Lawrence. And it's an affectionate look at the darker side of pop culture. So in the 70s and 80s, Carole, particularly the 70s, when I was growing up, there were things like public information films, which told you not to climb up electricity pylons or to play in gravel pits.
I am the spirit of dark and lonely water, ready to trap the unwary, the show off, the fool. And this is the kind of place you'd expect to find me. But no one expects to find me here. It seems too ordinary. But that pool is deep. The boy is showing off. The bank is slippery.
Yeah, I saw them too, even in the late 70s and 80s, yes.
Terrifying. And there were scary kids' TV shows doing things they would never do now. There were bleak adult dramas like Threads. Have you heard of Threads? Which was about what would happen if there were a nuclear war in 1984 and you lived in Sheffield. Probably the bleakest thing that's ever been on BBC television.
You're bringing back, we saw this is what happened in the Holocaust. That's what I remember seeing as a child. And there was huge focuses on the oven, everything. It was just...
Yeah. Well, in the early 80s in particular, there will be people who remember being taught at school to go and hide under your desk or paint yourself with white paint or something to protect yourself. Paint yourself with white paint? Yes, yes, to reflect. People were building bunkers. Anyway, there were horror films, there were violent comics, there was dystopian sci-fi, there were horror-themed toys and sweets. These books are all about these things. So I love vintage television. So I love things like I, Claudius and Threads and Day of the Triffids and The Tomorrow People and classic Doctor Who, all of this and much more is included in these books in most minute, nerdy, microscopic detail. And it takes me to my warm comfort place, my dystopian past, perhaps. And I rather enjoy these, dipping into them. It's a good book for dipping into both of these books. If you love to be scared again or are nostalgic for the misery of your childhood, then Scarred for Life are a good couple of books. You can't get them on Amazon, as far as I know. I bought mine on Lulu. They were sort of print to order. So you order them and then they get printed. It costs about 20 quid each, but they're great. And I think there's a Scarred for Life podcast as well.
That might be a place to start before you decide. If you want to have a taster, if you want to have a taster, they have a Twitter account.
I'll link to the Twitter account where they regularly tweet out things which are scary from the past, which may have frightened you when you were nine years old. And that is my pick of the week.
It sounds fascinating. Probably not for me, but I can totally see people would love that kind of stuff.
There's certainly a British orientation to these.
I think it's the minutiae, someone going into lots of detail, that seems like a lot of time to read. And I, yeah, I don't know. I'd prefer to give that to fiction literature.
Okay. All right. Okay. Fair enough. Yeah. Carole, what's your pick of the week?
Well, my pick of the week is a podcast. It's a fairly new podcast, a fun podcast, starring Amy Poehler of Parks and Recreation fame.
I've never seen Parks and Recreation.
Oh, you don't know Amy Poehler? Very funny. She's the one who hangs out with Tina Fey.
Oh, I like Tina Fey. I like Tina Fey.
So she's as funny and as good as Tina Fey. Yeah. So the podcast is called Say More with Dr. Sheila. So doctor, it's very hard to say, Dr. Sheila. It doesn't seem that hard to say, Dr. Sheila. No, no, no, no, no, no. It's not Dr. Sheila. It's Dr., question mark. Dr. Sheila. And that's very important. Important question mark, because you need to add it in for liability reasons, she says on the show. So the whole show is she's a quirky couples therapist and she talks to guests like Tina Fey, right, and their partners about love and life troubles. And then constantly corrects them when they declare her docterness as opposed to question her docterness.
Oh no, I like that, I like the idea of that. It's very cute. I've come across some fake doctors in my time, including Dr. Gillian McKeith. She's no longer. Dr. Laura? Well, she probably was real. I don't know. But yeah, there are some doctors out there who aren't real doctors.
Yes, foctors. Anyway, her chosen methodology in each episode or class or whatever episode includes dubious methods at best, right? So for instance, in one episode, you have Delia, who was worried that Judy is too codependent. Judy is worried Delia is going to ghost her. Dr. Sheila turns to Harry Potter movies for therapy inspiration. Anyway, it's insane and it's all improv. So they have to react off each other. And then at the end, you kind of have this real moment when the credits are going, when they're kind of talking about how they didn't know how to handle certain things. See what you think, I think it's really fun. So Say More with Dr. Sheila is my pick of the week.
Brilliant. Well, that just about wraps up the show for this week. You can follow us on Twitter at SmashinSecurity, no G, Twitter on NASDAQ. We also have a Mastodon account. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Spotify, Overcast and Apple Podcasts.
And massive thank you to our episode sponsors, Panoptica, Vanta and Kolide, and to our wonderful Patreon community. Thanks to them all. This show is free. For episode show notes, sponsorship information, and access to the past 345 episodes, go to smashingsecurity.com.
Until next time, cheerio.
Bye-bye, bye-bye. Or maybe we need to use some of these services to write reviews for Smashing Security.
Well, we could do with some decent reviews on Apple Podcasts. Our last one called us a couple of bullies.
Brian, Spencer, come on, come on guys. He said we were mean to Robin Williams. Hey, I was not mean to Robin Williams. Whoever wrote that, can you just give it to Graham Cluley personally and not to me? Because he was my hero. Eat everything in the ashtray, eat everything in the ashtray. See, Graham won't know what that means, but us Robin Williams fans know, right? Red, white and blue, how patriotic. I could recite his whole shtick. I don't know what you're doing.

