At least 20 hotels have fallen victim to a new malware campaign impacting hotel guest data in 12 countries.
The malware campaign, named RevengeHotels, has been targeting hotels, hostels, hospitality and tourism companies since 2015.
Researchers at Kaspersky, have noted that the campaign has since expanded, targeting more than 20 hotels in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey.
The aim of the campaign is to capture credit card data from guests stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs).
“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine,” explained Kaspersky.
Researchers tracked two groups targeting the hospitality sector that were using separate but similar tools, techniques and infrastructure: RevengeHotels and ProCC.
Threat actors deploy custom Trojans with the aim of stealing guest credit card data from compromised hotel systems, and financial information from third-party booking websites.
“One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.”
The spear-phishing email has a malicious file attached which drops a remote OLE object via template injection to execute macro code. The macro code contains PowerShell commands that download and execute the final payload.
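A defensive check for the template-injection stage described above, added here as an example and not part of the original article or of Kaspersky's research: it unpacks an OOXML document and flags any relationship that points at an external attachedTemplate or oleObject, which is the mechanism a document uses to pull a remote template or object. The sample document and its URL are constructed for the test, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship types whose external targets are the hallmark of remote
# template injection (attachedTemplate) and remotely loaded OLE objects.
SUSPECT_REL_TYPES = ("attachedTemplate", "oleObject")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def find_remote_relationships(docx_bytes):
    """Return (rels part, relationship type, target) for every relationship
    in an OOXML package that is both External and of a suspect type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and rel_type in SUSPECT_REL_TYPES:
                    findings.append((name, rel_type, rel.get("Target", "")))
    return findings

def build_sample_docx(template_target=None):
    """Constructed minimal .docx for testing: benign when template_target is
    None, otherwise its settings.xml.rels points at a remote template."""
    pkg_ns = "http://schemas.openxmlformats.org/package/2006"
    rel_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    rels = '<Relationships xmlns="%s/relationships">' % pkg_ns
    if template_target:
        rels += ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                 % (rel_type, template_target))
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="%s/content-types"/>' % pkg_ns)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder URL, not an indicator from the campaign.
    sample = build_sample_docx("http://example.invalid/template.dotm")
    for part, kind, target in find_remote_relationships(sample):
        print(f"{part}: external {kind} -> {target}")
```

A mail gateway or sandbox can run the same check on attachments before delivery; a hit is a strong signal to quarantine, since legitimate documents rarely reference templates over HTTP.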
With the RevengeHotels campaign, researchers noticed that the modules within the downloaded files have been merged into a single backdoor module which can collect data from clipboard and capture screenshots.
ProCC uses a more sophisticated backdoor that can collect data from the clipboard and printer spooler, and capture screenshots.
Researchers also noted that the criminals infect front desk machines in order to capture credentials from hotel systems, from which credit card details can also be stolen.
Threat actors also sell remote access to these systems on underground forums and messaging groups “acting as a concierge for other cybercriminals by giving them permanent access to steal new data by themselves.”
“As users grow wary of how protected their data truly is, cyber-criminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” argued Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, LatAm.
“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”