How are hotels being hacked? A method used by cybercriminals

Employees at multiple hotel chains constantly receive emails that they should probably ignore, as they could fall victim to a massive phishing campaign targeting the hospitality industry. Cybersecurity specialists from security firm Kaspersky have released a report detailing a hacking campaign identified as RevengeHotels, which aims to obtain the credit card data of millions of hotel chain customers, as well as financial information recorded with online travel agencies such as Booking.com and similar sites.

The operators of this campaign are mainly active in Brazil; however, there is also evidence of activity in Argentina, Bolivia, Chile, Mexico, and even in some parts of Europe, including Spain, Portugal, France and Italy.

Countries with RevengeHotels attack records
SOURCE: Kaspersky Lab

The main avenue of attack is sending emails with Word, Excel or PDF attachments loaded with malware that exploits known vulnerabilities, mainly CVE-2017-0199. Cybersecurity experts say this campaign has been active since 2015, although activity has increased significantly over the past year.

The attack begins with a spear phishing email, allegedly sent by a company interested in booking at the target hotel. Hackers take the time to craft highly detailed and legitimate-looking messages.

The attachment (usually called AdvogadosAssociations.docx, with some variations depending on the country) contains a malicious Word file that delivers an OLE object via a template injection to run macro code; this macro code within the OLE document contains PowerShell commands to download and run the final payload.
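A defender can check a .docx attachment for this kind of remote template or OLE link before anyone opens it. The Python below is an added example, not code from Kaspersky's report or this article; the function names, the remote-prefix heuristic and the sample documents are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for bulk untrusted mail, prefer defusedxml

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SUSPECT_TYPES = {"attachedTemplate", "oleObject"}  # parts Word loads on open
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")  # heuristic


def find_remote_loads(docx_bytes):
    """Return (rels part, type, target) per remote template/OLE link (or bad part)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append((name, "unparseable", ""))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                remote = target.lower().startswith(REMOTE_PREFIXES)
                if external and remote and rel_type in SUSPECT_TYPES:
                    findings.append((name, rel_type, target))
    return findings


def build_sample(target):
    """Constructed input: minimal package whose settings part attaches a template."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_remote_loads(build_sample("https://templates.example.invalid/invoice.dotm")))
    print(find_remote_loads(build_sample("file:///C:/Templates/Normal.dotm")))
```

A template attached from a local path is normal in Word documents, which is why the check requires a network target and not only `TargetMode="External"`.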

According to cybersecurity experts, downloaded files are .NET binaries protected with Yoda Obfuscator; after being unpacked, the code is identified as RevengeRAT. An additional module identified as ScreenBooking appears, with which hackers capture credit card data.

Cybersecurity experts monitored some hacking forums, where they discovered that campaign operators focus primarily on the computer equipment of hotel receptions to access a company’s networks and steal data from credit cards. Another avenue of attack is the sale of remote access to these systems, which involves other hacking groups.

After extracting credit card data, the hackers offer it on illegal forums, where it attracts criminal groups, as hotel chains are considered sources of reliable information in the world of cybercrime.

Ad placed on hacking forums
SOURCE: Kaspersky Lab

Cybersecurity specialists from the International Institute of Cyber Security (IICS) mention that this campaign will remain active for a long time, since vulnerabilities exploited by hackers will not be fully patched, so travelers need to take some precautions before their information is compromised.

A truly functional form of prevention is the use of virtual payment cards for payment of services in online travel agencies, since the data on these cards will expire after a certain time, protecting the user’s financial data. Using services like Apple Pay or Google Pay is also a good alternative.
