Thursday 15 October 11:30 - 12:00, Red room
Martin Chlumecký & Luis Corrons (Gen Digital)
Travel scams are evolving beyond generic phishing into something operationally far more mature. In this talk, we present what we call the Reservation Hijack attack chain, a multi-stage fraud workflow in which attackers first target hospitality businesses, then pivot to real guests using stolen booking context, compromised partner access, and trusted communication channels.
Our investigation began with guest-facing payment verification messages tied to real reservations, often containing accurate booking details, stay dates, hotel names, and exact amounts due. As we dug deeper, we found that these lures were only the visible end of a broader intrusion and fraud workflow. In multiple cases, the attack began with phishing aimed at hotel staff or accommodation partners. Once credentials were stolen, attackers abused legitimate hospitality platforms and booking-related workflows to access reservation data, contact upcoming travellers, and in some cases host parts of the phishing flow on trusted infrastructure.
We will walk through this attack chain end to end. That includes real examples of partner-targeted phishing, compromise of hotel-side accounts, abuse of platforms such as Booking.com and Cloudbeds, and guest-facing fraud delivered through channels including platform messaging, SMS, WhatsApp and email.
We will also go beyond the visible fraud workflow itself. As part of this research, we traced infrastructure, artifacts, and behavioural overlaps to better understand the actors and operations behind these campaigns. We will share what we found, including the signals that suggest coordination across multiple stages of the activity, the limits of current attribution confidence, and the investigative pivots that helped connect hotel-side compromise to downstream guest fraud.
The talk will focus on the mechanics, infrastructure, and defender implications of this scam family, including why traditional phishing indicators become less reliable when fraud arrives wrapped in authentic operational context. The goal is to give researchers, defenders, and platform operators a practical view of how these attacks work, how they scale, and where meaningful detection and disruption opportunities still exist.
Martin Chlumecký

Martin Chlumecký is a threat analysis engineer in Gen Threat Labs (Threat Intelligence), where he focuses on scams, web‑based threats, email abuse, and the telemetry pipelines that enable large‑scale detection. His recent work concentrates on analysing and disrupting large‑scale scam and abuse ecosystems, with a particular emphasis on web, email, and messaging threats.
Luis Corrons

Luis Corrons is a cybersecurity expert with more than 25 years of experience analysing threats and helping people protect their digital lives. He works at Gen, the global company behind Norton, Avast, AVG, and Avira, where he serves as Security Evangelist and is one of the company's main spokespersons on threat-related topics. Throughout his career, Luis has specialized in tracking malware and scam trends, building awareness of emerging threats, and explaining complex issues in a way that connects with both technical and non-technical audiences. He has been an active voice in the cybersecurity community since 1999, regularly speaking at international conferences such as Virus Bulletin, CARO Workshop, AVAR, APWG, and more. Beyond his role at Gen, Luis serves as Chairman of the Board at the Anti-Malware Testing Standards Organization (AMTSO) and sits on the board of MUTE, contributing to industry-wide collaboration on testing, standards, and transparency. He is a frequent media contributor on TV, radio, and major news outlets, where he helps raise public awareness about online security and cybercrime.