Home / / Cybercriminals are stealing guests’ credit card data from hotel front desks worldwide

Cybercriminals are stealing guests’ credit card data from hotel front desks worldwide

Travelers’ credit card data is at risk of being stolen and sold to criminals worldwide.

Cybercriminals are stealing guests’ credit card data from hotel front desks worldwide

Kaspersky’s research of the RevengeHotels campaign aimed at the hospitality sector, has confirmed over 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks.

Even more hotels are potentially affected across the globe. Travelers’ credit card data which is stored in a hotel administration system, including those received from online travel agencies (OTAs), is at risk of being stolen and sold to criminals worldwide.

RevengeHotels is a campaign that includes different groups using traditional Remote Access Trojans (RATs) to infect businesses in the hospitality sector. The campaign has been active since 2015 but has gone on to increase its presence in 2019. At least two groups, RevengeHotels and ProCC, were identified to be part of the campaign, however more cybercriminal groups are potentially involved.

The main attack vector in this campaign is emails with crafted malicious Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of various RATs and other custom malware, such as ProCC, on the victim’s machine that could later execute commands and set up remote access to the infected systems.

Each spear-phishing email was crafted with special attention to detail and usually impersonating real people from legitimate organizations making a fake booking request for a large group of people. It is worth noting that even careful users could be tricked to open and download attachments from such emails as they include an abundance of details (for instance, copies of legal documents and reasons for booking at the hotel) and looked convincing. The only detail that would reveal the attacker would be a typosquatting domain of the organization.

Follow us to get the most comprehensive IT Security news delivered fresh from our social media accounts on Facebook, Twitter, Youtube, and listen to our Weekly Podcast. Click here to sign up for our weekly newsletter on curated technology news in the Middle East and Worldwide.