Malware Is Stealing Hotel Guest Data

Uploaded on 2019-12-13 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Transport & Travel

Security researchers at Kaspersky  are warning of an information stealing malware campaign that has already impacted hotel guest data in 12 countries worldwide. RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies. 

The RevengeHotels operation has been running since 2015 mainly in Brazil, but recently expanded its presence this year, according to Kaspersky. 

The experst at Kaspersky have noted that the campaign has since expanded, targeting more than 20 hotels in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The aim of the campaign is to capture credit card data from guests stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs).

Threat actors deploy custom Trojans with the aim of stealing guest credit card data from compromised hotel systems, and financial information from third-party booking websites. One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. The spear-phishing email has a malicious file attached which drops a remote OLE object via template injection to execute macro code. The macro code contains PowerShell commands that download and execute the final payload. 

The RevengeHotels attacks refers to the activities of at least two groups, dubbed “RevengeHotels” and “ProCC,” which target hotel front desks with remote access Trojan (RAT) malware.

“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customised versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine,” according to Kaspersky. 

“One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies......The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.”

Once malware has been installed, the criminals could sell subscription-based access to the infected machine on the dark web. That means fraudsters could get access to guest details, including credit card data copied from online bookings during the charging process, Kaspersky warned.

Over 20 hotels in 12 countries have so far been confirmed with victims in Latin America, Asia and Europe, however, many others may have accessed the malicious link in the phishing emails.

“As users grow wary of how protected their data truly is, cyber-criminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” argued Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, LatAm.

“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”

Kaspersky:         InfoSecurity:      GDPR Report:       SecureList:

You Might Also Read:

Staying Secure When Travelling For Business:

Why Spear-Phishing Hacks Are So Successful:


 

« $5m Bounty For Russian Hacker
Cybercrime’s Deadly Impact On Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Waratek

Waratek

Waratek is a pioneer in the next generation of application security solutions known as Runtime Application Self-Protection or RASP.

Sqreen

Sqreen

Sqreen is a web application security monitoring and protection solution helping companies protect their apps and users from attacks.

Global Cyber Alliance (GCA)

Global Cyber Alliance (GCA)

Global Cyber Alliance is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world.

Symantec

Symantec

Symantec delivers data-centric hybrid security for the largest, most complex organizations in the world – on devices, in private data centers, and in the cloud.

Technology Ireland ICT Skillnet

Technology Ireland ICT Skillnet

Technology Ireland ICT Skillnet is a network of companies who collaborate to address skills needs within the technology sector.

ITsMine

ITsMine

ITsMine’s Beyond DLP solution is a leading Data Loss Prevention solution used by organizations to protect against internal and external threats automatically.

Quantinuum

Quantinuum

Quantinuum is the combination of Cambridge Quantum with Honeywell Quantum Solutions, structured to drive the future of quantum computing.

StateRAMP

StateRAMP

StateRAMP reduces risk from unsecure cloud solutions and protects data by providing State and local governments a standardized approach for verifying and monitoring security postures.

Trilateral Research

Trilateral Research

Trilateral Research provide regulatory and policy advice; develop new data-driven technologies and contribute to the latest standards in safeguarding privacy, ethics and human rights.

Jisc

Jisc

Jisc is a membership organisation working in partnership with the UK’s research and education communities to develop the digital technologies they need to teach, discover and thrive.

Difenda

Difenda

Difenda Shield is a fully integrated and modular cybersecurity suite that gives your organization the agility it needs to implement a world-class cybersecurity system.

Iris Powered by Generali

Iris Powered by Generali

Iris Powered by Generali is an identity theft resolution provider. Our offering combines expert assistance and support with user-friendly identity protection technology.

Next DLP

Next DLP

Next DLP (formerly Jazz Networks) is a leading provider of insider risk and data protection solutions.

GO Business

GO Business

GO Business are a specialised B2B team within GO that caters to the communication needs of the local business community in Malta.

UberEther

UberEther

UberEther are a dedicated group of software developers and consultants developing and deploying the next generation of identity management and cloud solutions.

Iron EagleX

Iron EagleX

Iron EagleX deliver engineering solutions in cloud computing, big data, cyber, and machine learning technologies to US Government customers.