Hotel front desks are now a hotbed for hackers
It seems that any possible way cybercriminals can exploit the hospitality industry, they will.
Hotels, restaurant chains, and related tourism services have been subject to a range of techniques when it comes to cybercrime; the compromise of Point-of-Sale (PoS) terminals to harvest guest data, phishing emails sent to staff which are designed to give attackers access to internal systems, and Man-in-The-Middle (MiTM) attacks through hotel public W-Fi hotspots being only some of the potential attack vectors.
The data that the hospitality industry accepts, processes, and holds is valuable. Guest Personally Identifiable Information (PII) and financial information can be used in spear-phishing schemes, sold on in bulk, or potentially used to create clone cards when strong encryption is not in place to protect payment data.
To add to a growing list of threat actors that specialize in attacks against hotels and hospitality organizations,such as DarkHotel, on Thursday, Kaspersky published research on a targeted campaign called RevengeHotels.
First spotted in 2015 but appearing to be most active this year, RevengeHotels has struck at least 20 hotels in quick succession. The threat actors focus on hotels, hostels, and hospitality & tourism companies.
While the majority of the RevengeHotels campaign takes place in Brazil, infections have also been detected in Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand, and Turkey.
The threat group deploys a range of custom Trojans in order to steal guest credit card data from infected hotel systems as well as financial information sent from third-party booking websites such as Booking.com.
The attack chain begins with a phishing email sent to a hospitality organization. Professionally-written and making use of domain typo-squatting to appear legitimate, the researchers say the messages are detailed and generally impersonate real companies.
These messages contain malicious Word, Excel or PDF documents, some of which will exploit CVE-2017-0199 , a Microsoft Office RCE vulnerability patched in 2017.
If a system is vulnerable, VBS or PowerShell scripts are used to exploit the bug, leading to the deployment of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT, ProCC, and other custom malware.
The Trojans are able to burrow into infected computers, creating tunnels back to the operator's command-and-control (C2) server and maintaining persistence. An additional module, dubbed ScreenBooking and written by the group, is used to capture payment card information.
"In the initial versions, back in 2016, the downloaded files from RevengeHotels campaigns were divided into two modules: a backdoor and a module to capture screenshots," the researchers say. "Recently we noticed that these modules had been merged into a single backdoor module able to collect data from clipboard and capture screenshots."
While RevengeHotels is the main perpetrator of these campaigns, Kaspersky also spotted another group, ProCC, that is targeting the same sector. ProCC uses a more sophisticated backdoor that is also able to capture information from PC clipboards and printer spoolers.
Discussions of the groups taking place in underground forums reveal that front desk machines, and not just online services or PoS systems, are also being targeted through the campaign.
In these scenarios, hotel management systems are compromised to capture credentials and payment card data. Some cybercriminals are also flogging remote access to front desks to generate additional income as a service.
'If you want to be a savvy and safe traveler, it's highly recommended to use a virtual payment card for reservations made via OTAs, as these cards normally expire after one charge," Kaspersky says. "While paying for your reservation or checking out at a hotel, it's a good idea to use a virtual wallet such as Apple Pay, [or] Google Pay. If this is not possible, use a secondary or less important credit card, as you never know if the system at the hotel is clean, even if the rooms are."
- Hacker Mods Old Calculator to Access the Internet, CASIO Files DMCA Complaint
- 22 岁时阻止Wannary 勒索病毒扩散的黑客“英雄” 因制造恶意程序被 FBI 逮捕，现在他想做个好人
- Python 实现黑客帝国代码雨效果
- Hackers infect multiple game developers with advanced malware
- 卡巴斯基实验室：2020Q1 IT威胁趋势报告
- Why is Eugene Kaspersky funding a travel accelerator during COVID-19?
- 卡巴斯基：2020Q1 DDoS攻击趋势报告
- 新的APT组织Wild Pressure正在瞄准中东的工业部门
- 卡巴斯基实验室：2019Q4 DDoS攻击趋势报告
- The Sneaky Simple Malware That Hits Millions of Macs
- Hotel front desks are now a hotbed for hackers
- Antivirus giants form new coalition to put an end to stalkerware