After a long trip, you’ve arrived at the hotel. Ready to put stressful assignments aside, you lounge in the room. Little do you know that a cyber-tourist silently checks in too … And it’s someone who can get a humongous tip without offering a single service.
We tend to be relaxed when we’re in a hotel, especially on vacation. We feel more protected. Cameras are all over, guards and receptionists smile, and we receive a warm welcome. But do they see everything? Are we really protected?
Recent events in internet security show that we’re not. Cyber-crooks have set their eyes on the hotel industry. As holidays approach, the number of victims may be higher.
The most recent proof that hotel malware is starting to get serious is the FBI’s involvement. A couple of weeks ago, the agency warned travelers about phony software updates that make users automatically download malware. The FBI didn’t name names, leaving us to guess what type of malicious software was installed and in which countries the hackings were noticed.
This was not the first time this year that cyber crooks dragged hotels into the firing line. Travelers who opened websites through a Wi-Fi connection were being distracted by advertisements pushed by a piece of JavaScript. This vulnerability was harmless, but others have already been used for stealing customer data.
A month ago, a remote access computer Trojan (RAT) designed to feast on credit card information from hotel point-of-sale applications was being sold online for $280. The entrepreneur’s “offer” included tips and tricks to lure receptionists into installing the malicious program.
PoS appliances continue to be a major “opportunity” for cyber-attackers – and not only in the hotel industry. They provide ready access to financial information, which can be sold on the black market or used directly in fraud.
So don’t be stunned if you find your information out there in the wild. Some websites brag about “sizes”, saying they have “nearly 100% US people” in their database, and others include worldwide stolen information. How much are our personal details worth these days? Not more than a pound of potatoes. They range from a couple of cents to $3 for a Social Security number.
“I feel pretty”
So what’s pretty and special about hotel malware? Security specialists say not too much, but enough to make it exciting for attackers. Hotel malware is more often designed for ripping off customer information, easily used to gobble up huge piles of money.
When it comes to already infected hotel systems, cyber crooks can take advantage of better targeted attacks. If a certain hotel chain’s security is broken, the whole list of clients is a stone’s throw from the criminal’s computer.
Last year, a hotel e-mail scam made waves in the US. Criminals distributed malware through an attached “RefundForm” file, claiming a wrong transaction. These types of cyber-attacks may become more frequent and better targeted in the future.
As opposed to other retailers such as restaurants or hypermarkets, hotels also store information about future clients. While at home, packing holiday luggage, travelers who made a hotel reservation may become easy phishing “material”. Posing as hotel representatives, criminals may try to lure clients by e-mail. Given the fact that they will actually check in, people are more tempted to click, for instance, on phony notification links. This type of attack may even avoid anti-spam filters. And in some cases, hackers can take over the hotel systems and send “legit” e-mails from the servers.
Another special hotel malware component is social engineering. Though a RAT may be used for general attacks to take control of the system, it may target hotels through social engineering tools, luring front desk managers into installing malware.
Not only clients are at risk. Security specialists argue that hotel employees are vulnerable to e-threats too. Social networks are an easy-to-use database where people freely give away professional and personal information, e-mail addresses included. These can be used to break the hotel PoS appliances and gain access to the ginormous client database.
Another vulnerability that hotel attackers exploit is rather human. When we travel, we tend to be more relaxed than at home. We also trust the hotel’s Wi-Fi connection more than we trust the one in a suburb coffee shop. Assuming it’s secured and packed with encrypted passwords, we make updates, check our office e-mail, and make online payments more easily.
Now that you’ve read our blog post so far, don’t think your holiday’s ruined. There are a few tips and tricks that will help you stay safe before and after you make a hotel reservation. Some apply generally to all local networks.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
This article is based on the technical information provided courtesy of Octavian Minea and Razvan Benchea, Malware Researchers at BitDefender AntiMalware Lab.
Bianca Stanescu, the fiercest warrior princess in the Bitdefender news palace, is a down-to-earth journalist, who's always on to a cybertrendy story.