Malware Is Stealing Hotel Guest Data

Security researchers at Kaspersky are warning of an information-stealing malware campaign that has already compromised hotel guest data in 12 countries. RevengeHotels is a targeted cybercrime campaign against hotels, hostels and other hospitality and tourism companies.

The RevengeHotels operation has been running since 2015, mainly in Brazil, but has expanded its reach this year, according to Kaspersky.

Kaspersky's experts have found the campaign now targeting more than 20 hotels in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. Its aim is to capture guest credit card data stored in hotel systems, together with card data received from popular online travel agencies (OTAs).

Threat actors deploy custom Trojans to steal guest credit card data from compromised hotel systems, along with financial information from third-party booking websites. Initial access comes through highly targeted spear-phishing: the attackers register typo-squatting domains impersonating legitimate companies and send well-written, detailed emails carrying a malicious attachment. The attachment pulls in a remote OLE object via template injection, which executes macro code; the macro contains PowerShell commands that download and run the final payload.

The RevengeHotels name covers the activity of at least two groups, dubbed “RevengeHotels” and “ProCC”, which target hotel front desks with remote access Trojan (RAT) malware.

“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customised versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine,” according to Kaspersky. 
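The delivery chain described in the two paragraphs above, a remote template or a linked OLE object fetched from an attacker-controlled URL (the relationship abuse behind CVE-2017-0199), leaves a tell-tale trace inside the document package itself: a Relationship entry whose TargetMode is "External" and whose Target is a URL. The Python scanner below is an added example, not tooling from Kaspersky's report; it opens a .docx as the ZIP it is and reports such relationships. The sample documents, host names and file names it builds are constructed for the demonstration.

```python
"""Scan a .docx for external relationships that fetch a remote template or OLE
object. Everything here, including the sample documents, is constructed for
this example; no real lure is embedded."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OREL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that carry the two tricks described in the article when
# their TargetMode is "External": a remote .dotm template, or a linked OLE
# object (the CVE-2017-0199 pattern). Other types such as "frame" can also
# point outside the package; add them to this table to extend the check.
WATCHED_TYPES = {
    OREL + "attachedTemplate": "remote template (template injection)",
    OREL + "oleObject": "external OLE object (CVE-2017-0199 pattern)",
}
# URLs and UNC paths are fetched over the network; plain local paths
# (file:///C:/...) are common in legitimately templated documents and rate "low".
REMOTE_TARGET = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list:
    """Return one finding per watched relationship with TargetMode="External"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "")
                if rtype not in WATCHED_TYPES:
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": part,
                    "kind": WATCHED_TYPES[rtype],
                    "target": target,
                    "severity": "high" if REMOTE_TARGET.match(target) else "low",
                })
    return findings


# --- constructed sample documents -------------------------------------------
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '</Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body/></w:document>'
)


def rels_part(rtype: str, target: str, external: bool) -> str:
    """Build a minimal .rels part holding a single relationship."""
    mode = ' TargetMode="External"' if external else ""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OREL}{rtype}" Target="{target}"{mode}/>'
        '</Relationships>'
    )


def build_docx(settings_rels: str = "", document_rels: str = "") -> bytes:
    """Assemble a minimal .docx in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        if settings_rels:
            zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        if document_rels:
            zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Template-injection lure: settings.xml pulls its template from a URL (constructed).
LURE_TEMPLATE = build_docx(
    settings_rels=rels_part("attachedTemplate", "http://template.invalid/booking.dotm", True))
# CVE-2017-0199 style lure: document.xml links an OLE object hosted remotely (constructed).
LURE_OLE = build_docx(
    document_rels=rels_part("oleObject", "http://files.invalid/reservation.hta", True))
# Benign document built from a local custom template (constructed).
BENIGN = build_docx(
    settings_rels=rels_part("attachedTemplate", "file:///C:/Users/frontdesk/Templates/Normal.dotm", True))

if __name__ == "__main__":
    for name, doc in [("LURE_TEMPLATE", LURE_TEMPLATE), ("LURE_OLE", LURE_OLE), ("BENIGN", BENIGN)]:
        for f in scan_ooxml(doc):
            print(f"{name}: [{f['severity']}] {f['kind']} in {f['part']} -> {f['target']}")
```

A local external template only rates "low" because many legitimately templated documents carry one; the network-fetched variant is what the campaign relies on. RTF attachments and OLE objects embedded in Excel packages store the link differently and need their own parser, so this check covers only the Word package layout.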

“One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies... The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.”
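Kaspersky's observation that the sender domain differs only slightly from the real one can be turned into a mechanical check at the mail gateway or over the front-desk mailbox. The script below is an added example, not Kaspersky's tooling; the trusted domains and sender addresses it uses are constructed. It normalises the sender domain (punycode, accented letters, digit and digraph look-alikes) and flags it as a look-alike when the result collapses to, sits in front of, or is within two edits of a domain the hotel actually does business with.

```python
"""Flag sender domains that are look-alikes of the companies a hotel really
works with. Trusted domains and sample senders are constructed for this
example."""
import unicodedata
from typing import Optional, Tuple

# Domains of companies the front desk legitimately books with (constructed).
TRUSTED_DOMAINS = {"example-travel.com", "booking-partner.example"}
MAX_DISTANCE = 2  # edits tolerated before a domain is no longer "close"

# Digits that read like letters in most fonts.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Collapse homoglyph tricks so that look-alikes compare equal."""
    d = domain.strip().lower().rstrip(".")
    if any(label.startswith("xn--") for label in d.split(".")):
        try:
            d = d.encode("ascii").decode("idna")  # punycode -> Unicode
        except UnicodeError:
            pass
    # Strip accents (e.g. ä -> a), then map look-alike digits and digraphs.
    # Both sides go through the same mapping, so "rn" -> "m" is harmless.
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode("ascii")
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def classify(address: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted_domain); verdict is trusted, lookalike or unknown."""
    domain = sender_domain(address)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", trusted  # exact match, or a real sub-domain
    norm = normalize(domain)
    best = None
    for trusted in TRUSTED_DOMAINS:
        tnorm = normalize(trusted)
        if norm == tnorm or norm.startswith(tnorm + "."):
            # homoglyph twin, or the real name used as a sub-domain of
            # someone else's registrable domain (example-travel.com.evil.example)
            return "lookalike", trusted
        dist = edit_distance(norm, tnorm)
        if dist <= MAX_DISTANCE and (best is None or dist < best[0]):
            best = (dist, trusted)
    return ("lookalike", best[1]) if best else ("unknown", None)


# Constructed sample senders, including a punycode (IDN) homoglyph.
SAMPLE_SENDERS = [
    "reservas@example-travel.com",
    "Acme Travel <reservas@exampie-travel.com>",
    "booking@examp1e-travel.com",
    "bookings@example-travel.com.mail-relay.example",
    "ops@" + "exämple-travel.com".encode("idna").decode("ascii"),
    "someone@unrelated.example",
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{s:55} -> {classify(s)}")
```

The edit-distance threshold is deliberately small: at two edits a 17-character domain already matches a lot of unrelated names, so for short trusted domains consider a threshold of one. This check only tells you the domain looks like a partner's; the reservation still has to be confirmed with that partner through a channel you already hold, not through the contact details in the email.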

Once malware has been installed, the criminals could sell subscription-based access to the infected machine on the dark web. That means fraudsters could get access to guest details, including credit card data copied from online bookings during the charging process, Kaspersky warned.

Over 20 hotels in 12 countries across Latin America, Asia and Europe have so far been confirmed as victims; many others may have opened the malicious attachment or link in the phishing emails.

“As users grow wary of how protected their data truly is, cyber-criminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” argued Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, LatAm.

“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”

Sources: Kaspersky, InfoSecurity, GDPR Report, SecureList
