Kaspersky’s research of the RevengeHotels campaign has confirmed that over 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks. As a result, travelers’ credit card data, which is stored in a hotel administration systems including those received from online travel agencies (OTAs), is at risk of being stolen and sold to cybercriminals worldwide.
“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”
The RevengeHotels campaign includes different groups using traditional Remote Access Trojans (RATs) to infect businesses in the hospitality sector. The campaign has been active since 2015 but has increased its presence in 2019. At least two groups, RevengeHotels and ProCC, were identified to be part of the campaign, however more cybercriminal groups are potentially involved.
The main attack vector includes emails with crafted malicious Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts. It then installs customized versions of various RATs and other custom malware, such as ProCC, on the victim’s machine that could later execute commands and set up remote access to the infected systems.
Each spear-phishing email is crafted with special attention to detail. The emails impersonate real people from legitimate organizations who make a fake booking request for a large group of people. It is worth noting that even careful users could be tricked to open and download attachments from such emails as they include an abundance of details (for instance, copies of legal documents and reasons for booking at the hotel) and looked convincing. The only detail that would reveal the attacker would be a typosquatting domain of the organization.
Once infected, computers can be accessed remotely, and not just by the cybercriminal group itself. Evidence collected by Kaspersky researchers shows that remote access to hospitality desks and the data they contain is sold on criminal forums on a subscription basis. Malware collected data from hospitality desk clipboards, printer spoolers and captured screenshots (this function was triggered using specific words in English or Portuguese). Because hotel personnel often copied clients’ credit card data from OTAs in order to charge them, this data could also be compromised.
Kaspersky telemetry confirmed targets in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. However, based on data extracted from Bit.ly, a popular link shortening service used by the attackers to spread malicious links, Kaspersky researchers assume that users from many other countries have at least accessed the malicious link, suggesting that the number of countries with potential victims could be higher.
“As users grow wary of how protected their data truly is, cybercriminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” said Dmitry Bestuzhev, head of global research and analysis team for Kaspersky Latin America. “Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”