Kaspersky’s research of the RevengeHotels campaign aimed at the hospitality sector, has confirmed over 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks. Even more hotels are potentially affected across the globe. Travelers’ credit card data which is stored in a hotel administration system, including those received from online travel agencies (OTAs), is at risk of being stolen and sold to criminals worldwide.
RevengeHotels is a campaign that includes different groups using traditional Remote Access Trojans (RATs) to infect businesses in the hospitality sector. The campaign has been active since 2015 but has gone on to increase its presence in 2019. At least two groups, RevengeHotels and ProCC, were identified to be part of the campaign, however more cybercriminal groups are potentially involved.
The main attack vector in this campaign is emails with crafted malicious Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of various RATs and other custom malware, such as ProCC, on the victim’s machine that could later execute commands and set up remote access to the infected systems.
Each spear-phishing email was crafted with special attention to detail and usually impersonating real people from legitimate organizations making a fake booking request for a large group of people. It is worth noting that even careful users could be tricked to open and download attachments from such emails as they include an abundance of details (for instance, copies of legal documents and reasons for booking at the hotel) and looked convincing. The only detail that would reveal the attacker would be a typosquatting domain of the organization.
Once infected, the computer could be accessed remotely not just by the cybercriminal group itself — evidence collected by Kaspersky researchers shows that remote access to hospitality desks and the data they contain is sold on criminal forums on a subscription basis. Malware collected data from hospitality desk clipboards, printer spoolers and captured screenshots (this function was triggered using specific words in English or Portuguese). Because hotel personnel often copied clients’ credit card data from OTA’s in order to charge them, that data could also be compromised.
Kaspersky telemetry confirmed targets in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. However, based on data extracted from Bit.ly, a popular link shortening service used by the attackers to spread malicious links, Kaspersky researchers assume that users from many other countries have at least accessed the malicious link – suggesting that the number of countries with potential victims could be higher.
“As users grow wary of how protected their data truly is, cybercriminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data. Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well,” comments Dmitry Bestuzhev, Head of Global Research and Analysis Team, LatAm.
“Thailand is a popular travel destination, which definitely influenced the choices attackers made in selecting their targets. Since the purpose of the campaign is to steal as much credit card data as possible, attackers usually select the most popular hotels that regularly have customers. If they attack a luxurious hotel, then the chances of stealing a high-profile credit card data are be much higher. We have confirmed one target in Thailand as we have found an email tailored by the attackers and sent to the hotel. However, we cannot definitely say whether this target was a victim to the RevengeHotels campaign. We neither can confirm nor deny if there are more targets in Thailand besides that one, but it’s reasonable to believe this is the case,” Bestuzhev added.
To stay safe, travelers are recommended to:
- Use a virtual payment card for reservations made via OTAs, as these cards normally expire after a single charge
- When paying for a reservation or checking out at hotel desks, use a virtual wallet, such as Apple Pay or Google Pay, or a secondary credit card with a limited amount of debit available
Hotel owners and management are also advised to follow these steps to secure customer data:
- Conduct risk assessments of the existing network and implement regulations regarding how customers data is handled
- Use a reliable security solution with web protection and application control functionality, such as Kaspersky Endpoint Security for Business. Web protection helps to block access to phishing and malicious websites while application control (in white list mode) allows to make sure that no application except the white listed ones can run on hospitality desk computers.
- Introduce staff security awareness training to teach employees how to spot spear-phishing attempts and show the importance of remaining vigilant when working with incoming emails.
Read the full report, RevengeHotels: cybercrime targeting hotel desks worldwide, on Securelist.