Hackers check in at hotel front desks worldwide


RevengeHotels malware campaign looks for credit card details of hotel guests

Hotels have been targeted around the world by a new malware campaign attempting to steal credit card details from travellers.

Dubbed RevengeHotels by security researchers at Kaspersky, more than 20 hotels have been confirmed as victims in countries such as Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey.

The goal of the campaign is to capture credit card data of guests and travellers from hotel systems and popular online travel agencies (OTAs) such as Booking.com, read a Kaspersky blog post.

Cyber-criminals kick off the attack by sending an email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customised versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine. The group has been active since 2015, but increased its attacks in 2019, said researchers.

Researchers tracked two groups, RevengeHotel and ProCC, targeting the hospitality sector, using separate but similar infrastructure, tools and techniques. The hackers use highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails explain why the company has chosen to book that hotel.

"By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one," said researchers.

The email contains malicious file attached misusing the name of a real attorney office, while the domain sender of the message was registered one day before, using a typo-squatting domain.

The file drops a remote OLE object via template injection to execute macro code. The macro code inside the remote OLE document contains PowerShell commands that download and execute the final payload.

In the RevengeHotels campaign, the downloaded files are .NET binaries protected with the Yoda Obfuscator.

"After unpacking them, the code is recognisable as the commercial RAT RevengeRAT. An additional module written by the group called ScreenBooking is used to capture credit card data. It monitors whether the user is browsing the web page," researchers said.

Researchers studied underground forums and messaging groups to discover that criminals also infected front desk machines in order to capture credentials from the hotel administration software to steal credit card details.

Travellers were warned to use a virtual payment card for reservations made via OTAs, as these cards normally expire after one charge.

"While paying for your reservation or checking out at a hotel, it’s a good idea to use a virtual wallet such as Apple Pay, Google Pay, etc. If this is not possible, use a secondary or less important credit card, as you never know if the system at the hotel is clean, even if the rooms are," researchers said.

The hospitality industry being a top target by cyber-criminals is hardly surprising, said Joseph Carson, chief security scientist and advisory CISO at Thycotic. 

"In the Verizon data breach investigations report, the hospitality industry always ranks high in the number of security incidents, along with the education and healthcare.  Hotels often poorly handle the personal information and credit card details of their guests, which make them an easy target," Carson told told SC Media UK. 

"Usually the hotel guest Wi-Fi network is open where guests commonly check financial details, book additional travel or access sensitive information. This leaves hotel Wi-Fi networks as a popular place for cyber-criminals to capture sensitive data to abuse, such as stealing credit card details or even identity theft." 

Javvad Malik, security awareness advocate at Knowbe4, stressed on the importance of giving security awareness and training to the staff so that they can identify the red flags associated with phishing emails. 

"Additionally, where possible, the systems through which staff check external emails should not be connected to the core platforms which process payments and customer data," Malik told SC Media UK.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews