Hackers stealing guests’ credit card data from hotels worldwide

Moscow, Dec 3, 2019-

Over 20 hotels in Asia, Latin America and Europe have fallen victim to targeted malware attacks, putting travellers’ credit card data which is stored in a hotel administration system, including those received from online travel agencies (OTAs), at risk of being stolen and sold to criminals worldwide, warns a report from cybersecurity firm Kaspersky.

Even more hotels are potentially affected across the globe, said the study.

The research studied the RevengeHotels campaign that includes different groups using traditional Remote Access Trojans (RATs) to infect businesses in the hospitality sector.

The campaign has been active since 2015 but has gone on to increase its presence in 2019.

At least two groups, RevengeHotels and ProCC, were identified to be part of the campaign, however more cybercriminal groups are potentially involved, said the study.

The main attack vector in this campaign was found to be emails with crafted malicious Word, Excel or PDF documents attached.

Each spear-phishing email was crafted with special attention to detail and usually impersonating real people from legitimate organizations making a fake booking request for a large group of people.

Even careful users could be tricked to open and download attachments from such emails as they include an abundance of details (for instance, copies of legal documents and reasons for booking at the hotel) and looked convincing, the research said.

“As users grow wary of how protected their data truly is, cybercriminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” said Dmitry Bestuzhev, Kaspersky’s Head of Global Research and Analysis Team for Latin America.

“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well,” Bestuzhev added.

Once infected, the computer could be accessed remotely by the cybercriminal group. Evidence collected by Kaspersky researchers showed that remote access to hospitality desks and the data they contain is sold on criminal forums on a subscription basis.

Kaspersky telemetry confirmed targets in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey.

However, based on data extracted from Bit.ly, a popular link shortening service used by the attackers to spread malicious links, Kaspersky researchers assume that users from many other countries have at least accessed the malicious link – suggesting that the number of countries with potential victims could be higher.  (Agency)