Kaspersky’s research of a years-long attack on the hospitality sector confirmed that more than 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks. As a result, travelers’ credit card data, including information received from online travel agencies, is at risk of being stolen and sold to cybercriminals worldwide.
The RevengeHotels campaign is comprised of different groups using traditional remote access trojans to infect businesses in the hospitality sector. The campaign has been active since 2015 but has increased its presence in 2019. At least two groups, RevengeHotels and ProCC, were identified to be part of the campaign, but more cybercriminal groups potentially are involved.
The main attack vector includes emails with crafted malicious Word, Excel or PDF documents attached, according to Kaspersky. Some of them exploit a particular bug, loading it using VBS and PowerShell scripts, which are lists of commands. It then installs customized versions of various remote access trojans and other custom malware, such as ProCC, on the victim’s machine that could later execute commands and set up remote access to the infected systems.
The emails impersonate real people from legitimate organizations who make a fake booking request for a large group of people. It is worth noting that even careful users could be tricked to open and download attachments from such emails because they include an abundance of details (for instance, copies of legal documents and reasons for booking at the hotel) and looked convincing. The only detail that would reveal the attacker would be the fake website URL of the organization.
Once infected, computers can be accessed remotely, and not just by the cybercriminal group itself. Evidence collected by Kaspersky researchers shows that remote access to hospitality desks and the data they contain is sold on criminal forums on a subscription basis. Malware collects data from hospitality desk clipboards, printer spoolers and captured screenshots. Because hotel personnel often copied clients’ credit card data from online travel agencies in order to charge them, this data also could be compromised.
Kaspersky telemetry confirmed targets in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand, and Turkey. However, based on data extracted from Bit.ly, a popular link shortening service used by the attackers to spread malicious links, Kaspersky researchers assume that users from many other countries have at least accessed the malicious link, suggesting that the number of countries with potential victims could be higher.
“As users grow wary of how protected their data truly is, cybercriminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” Dmitry Bestuzhev, head of global research and analysis team for Kaspersky Latin America, said in a statement. “Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”
For more information and to read the full report, "RevengeHotels: Cybercrime Targeting Hotel Desks Worldwide," visit Securelist.