Holiday Inn Phones Hacked As Part of Phishing Scheme
Hospitality // Texas, United States
Bogus text messages purporting to be sent by U.S. banks directed victims to call hijacked phone lines at Holiday Inn locations and enter their payment card data.
The attack was a mix of scams known as “SMiShing” — phishing bait sent via SMS text message — and voice phishing or “vishing,” where consumers are instructed to call a number that answers with a voice prompt spoofing the bank and instructing the caller to enter his credit card number and expiration date.
Scammers have been blasting SMS messages to hundreds of thousands of mobile phone users in the Houston, Texas area. The messages alert recipients to supposed problems with their bank account, urging them to call a supplied number and follow the automated voice prompts to validate or verify their credit card account information.
Calls to one corrupted Holiday Inn number on Jan. 30 went straight to an automated voice prompt targeting Bank of America customers:
“Thank you for calling Bank of America. A text message has been sent to inform you that your debit card has been limited due to a security issue. To reactivate, please press one now.”
After pressing one, the caller is prompted to enter the last four digits of their Social Security number, and then the full card number and expiration date.
A front desk clerk who answered the line on Feb. 3 said the hotel received over 100 complaints from people who got texts directing them to call the hotel’s main number during the time it was hacked.
The fake texts in Houston were geo-targeted by area code.
Such cons typically start on a Saturday afternoon and run through the weekend when real banks are closed.
“Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider,” said Jan Volzke, Numbercop’s chief executive. “That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”