Malware Is Stealing Hotel Guest Data

Security researchers at Kaspersky are warning of an information-stealing malware campaign that has already impacted hotel guest data in 12 countries worldwide. RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies.

The RevengeHotels operation has been running since 2015, mainly in Brazil, but expanded its presence this year, according to Kaspersky.

The experts at Kaspersky have noted that the campaign has since expanded, targeting more than 20 hotels in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The aim of the campaign is to capture credit card data from guests stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs).

Threat actors deploy custom Trojans with the aim of stealing guest credit card data from compromised hotel systems, and financial information from third-party booking websites. One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. The spear-phishing email has a malicious file attached which drops a remote OLE object via template injection to execute macro code. The macro code contains PowerShell commands that download and execute the final payload. 

The RevengeHotels attacks refer to the activities of at least two groups, dubbed “RevengeHotels” and “ProCC,” which target hotel front desks with remote access Trojan (RAT) malware.

“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customised versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine,” according to Kaspersky. 

“One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies... The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.”
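The "small difference" between the sending domain and the real one can be checked mechanically. The following added example (not from Kaspersky's report) compares a sender's domain with a list of known correspondents using edit distance and a few look-alike character folds; the domains, the `CONFUSABLES` pairs and the distance threshold are constructed assumptions.

```python
def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumption: a small, illustrative set of visually confusable substitutions.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Fold look-alike character sequences so visually similar names compare equal."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def classify_sender(address, trusted, max_distance=2):
    """Return ('trusted', d), ('lookalike', closest_trusted) or ('unknown', None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for known in sorted(trusted):
        if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)


# Constructed sample data: domains of companies the hotel already deals with.
TRUSTED = {"acme-travel.example", "globalcorp.example"}

if __name__ == "__main__":
    for sender in ("booking@acme-travel.example", "booking@acrne-travel.example",
                   "reservas@globa1corp.example", "info@unrelated-hotel.example"):
        print(sender, classify_sender(sender, TRUSTED))
```

Messages classified as `lookalike` are candidates for quarantine or a warning banner; very short domain names need a lower `max_distance` to avoid false matches.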

Once malware has been installed, the criminals could sell subscription-based access to the infected machine on the dark web. That means fraudsters could get access to guest details, including credit card data copied from online bookings during the charging process, Kaspersky warned.

Over 20 hotels in 12 countries have been confirmed as victims so far, across Latin America, Asia and Europe. However, many others may have accessed the malicious link in the phishing emails.

“As users grow wary of how protected their data truly is, cyber-criminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” argued Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, LatAm.

“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”

Sources: Kaspersky, InfoSecurity, GDPR Report, SecureList
