Research shows credit card data theft on the rise

The main attack vector in the RevengeHotels cyberattacks includes emails with crafted malicious Word, Excel or PDF documents attached. Photo credit: AirPlus International

Kaspersky’s research into a years-long attack on the hospitality sector confirmed that more than 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks. As a result, travelers’ credit card data, including information received from online travel agencies, is at risk of being stolen and sold to cybercriminals worldwide.

The RevengeHotels campaign is made up of different groups using traditional remote access trojans to infect businesses in the hospitality sector. The campaign has been active since 2015 but increased its presence in 2019. At least two groups, RevengeHotels and ProCC, were identified as part of the campaign, but more cybercriminal groups may be involved.

The main attack vector includes emails with crafted malicious Word, Excel or PDF documents attached, according to Kaspersky. Some of these documents exploit a particular bug, which is loaded using VBS and PowerShell scripts (lists of commands). The exploit then installs customized versions of various remote access trojans and other custom malware, such as ProCC, on the victim’s machine. That malware can later execute commands and set up remote access to the infected systems.


The emails impersonate real people from legitimate organizations who make a fake booking request for a large group of people. Even careful users could be tricked into opening and downloading attachments from such emails because they include an abundance of details (for instance, copies of legal documents and reasons for booking at the hotel) and look convincing. The only detail that would reveal the attacker would be the fake website URL of the organization.
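The paragraph above says the fake website URL is the only detail that gives the attacker away. A mail-screening check for that detail follows as an added example; it is not from Kaspersky's report or the original article, and the trusted-domain list, function names and sample addresses are constructed assumptions:

```python
# Added example: flag sender or link domains that imitate a known organization.
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list of organizations the hotel really deals with (assumption).
TRUSTED = {"example-travel.com", "example-events.org"}

def extract_domain(value: str) -> str:
    """Return the lower-cased host from an email address, From header or URL."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = parseaddr(value)[1].rpartition("@")[2]
    return host.lower().rstrip(".")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value: str, trusted=TRUSTED, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' (hold for manual review) or 'unknown'."""
    domain = extract_domain(value)
    if not domain:
        return "unknown"
    for good in trusted:
        # Exact match or a genuine subdomain of a trusted organization.
        if domain == good or domain.endswith("." + good):
            return "trusted"
    for good in trusted:
        name = good.split(".")[0]
        # Near miss of the whole domain, or the organization's name reused
        # inside a different registered domain.
        if edit_distance(domain, good) <= max_edits or name in domain:
            return "lookalike"
    return "unknown"
```

Messages classified as `lookalike` are the ones to hold before anyone at the front desk opens the attachment; `unknown` senders still go through normal attachment scanning.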

Once infected, computers can be accessed remotely, and not just by the cybercriminal group itself. Evidence collected by Kaspersky researchers shows that remote access to hospitality desks and the data they contain is sold on criminal forums on a subscription basis. The malware collects data from hospitality desk clipboards, printer spoolers and captured screenshots. Because hotel personnel often copied clients’ credit card data from online travel agencies in order to charge them, this data also could be compromised.

Kaspersky telemetry confirmed targets in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand, and Turkey. However, based on data extracted from Bit.ly, a popular link shortening service used by the attackers to spread malicious links, Kaspersky researchers assume that users from many other countries have at least accessed the malicious link, suggesting that the number of countries with potential victims could be higher.

“As users grow wary of how protected their data truly is, cybercriminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” Dmitry Bestuzhev, head of global research and analysis team for Kaspersky Latin America, said in a statement. “Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”

For more information and to read the full report, "RevengeHotels: Cybercrime Targeting Hotel Desks Worldwide," visit Securelist.
