Malware Is Stealing Hotel Guest Data

Security researchers at Kaspersky  are warning of an information stealing malware campaign that has already impacted hotel guest data in 12 countries worldwide. RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies. 

The RevengeHotels operation has been running since 2015 mainly in Brazil, but recently expanded its presence this year, according to Kaspersky. 

The experst at Kaspersky have noted that the campaign has since expanded, targeting more than 20 hotels in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The aim of the campaign is to capture credit card data from guests stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs).

Threat actors deploy custom Trojans with the aim of stealing guest credit card data from compromised hotel systems, and financial information from third-party booking websites. One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. The spear-phishing email has a malicious file attached which drops a remote OLE object via template injection to execute macro code. The macro code contains PowerShell commands that download and execute the final payload. 

The RevengeHotels attacks refers to the activities of at least two groups, dubbed “RevengeHotels” and “ProCC,” which target hotel front desks with remote access Trojan (RAT) malware.

“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customised versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine,” according to Kaspersky. 

“One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies......The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.”

Once malware has been installed, the criminals could sell subscription-based access to the infected machine on the dark web. That means fraudsters could get access to guest details, including credit card data copied from online bookings during the charging process, Kaspersky warned.

Over 20 hotels in 12 countries have so far been confirmed with victims in Latin America, Asia and Europe, however, many others may have accessed the malicious link in the phishing emails.

“As users grow wary of how protected their data truly is, cyber-criminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” argued Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, LatAm.

“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”

Kaspersky:         InfoSecurity:      GDPR Report:       SecureList:

You Might Also Read:

Staying Secure When Travelling For Business:

Why Spear-Phishing Hacks Are So Successful:


 

« $5m Bounty For Russian Hacker
Cybercrime’s Deadly Impact On Business »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ON-DEMAND WEBINAR: How to build and implement an effective endpoint detection and response strategy

ON-DEMAND WEBINAR: How to build and implement an effective endpoint detection and response strategy

Discover how you can implement endpoint detection and response (EDR) tools into your security strategy.

Kramer Levin

Kramer Levin

Kramer Levin is a full-service law firm with offices in New York and Paris. Practice areas include Cybersecurity, Privacy and Data Protection.

CERT-UG/CC

CERT-UG/CC

CERT-UG/CC is the national Computer Emergency Response Team for Uganda, operating under the National Information Technology Authority (NITA-U)

PartnerRe

PartnerRe

PartnerRe Ltd. provides multi-line reinsurance to insurance companies on a worldwide basis. Services include Cyber Risk.

Ipsidy

Ipsidy

Our identity platform enables mobile users to more easily authenticate their identity to a mobile phone or portable device of their choosing.

Phew

Phew

Phew are New Zealand cyber security specialists with expertise and experience forged in global financial markets, IT&T, management consulting and SME business management.

KOS-CERT

KOS-CERT

KOS-CERT is the national Computer Incident Response Team for Kosovo.

AVORD

AVORD

AVORD is a cloud-based security testing platform that allows clients to manage security testing requirements in a far more productive and efficient way.

Crypto Quantique

Crypto Quantique

Crypto Quantique's ground-breaking technology radically simplifies the process of generating a hardware root of trust in an IoT device.

Bitfury Group

Bitfury Group

Bitfury Group is the largest full-service blockchain technology company in the world.

e-Careers

e-Careers

e-Careers is an edtech institution that provides industry recognised courses and up-skilling solutions to individuals and organisations.

Safe Systems

Safe Systems

Safe Systems provide compliance centric IT services for community banks and credit unions, ensuring that they are kept up to date on current technologies, security risks, and regulatory changes.

Nitrokey

Nitrokey

Nitrokey is the world-leading company in open source security hardware. Nitrokey develops IT security hardware for data encryption, key management and user authentication.

Chartered Institute of Information Security (CIISec)

Chartered Institute of Information Security (CIISec)

CIISec is dedicated to helping individuals and organisations develop capability and competency in cyber security.

Exalens

Exalens

With deep roots in AI-driven cyber-physical security research and intrusion detection, at Exalens, we are enhancing operational resilience for cyber-physical systems at the OT edge.

Core to Cloud

Core to Cloud

Core to Cloud provide consultancy and technical support for the planning and implementation of sustainable security strategies.

Keyrus

Keyrus

Keyrus is a global consultancy that develops data and digital solutions for performance management.