The Not So ‘Hospitable’ B2B Crooks

We all know, or at least we should, that cybercrooks target the areas of least resistance, and they’re very good at finding them. As it turns out, easy-to-access hotel business centers are giving data thieves a rich opportunity to capture the bank login and other account information of the public computers’ previous users, leaving corporate cardholders especially vulnerable. Making matters worse for business travelers? Third-party hotel-booking agencies also appear vulnerable to malicious attacks.

Corporate guests who use hotel business centers’ publicly available computers to print out documents or to access files may be putting themselves at risk. A recent alert from two of the nation’s top security teams has listed the centers among the leading targets for malware, putting corporate cardholders in particular danger.

The U.S. Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center last week issued a nonpublic advisory warning that “malicious attackers” have targeted the hospitality industry more so than others since 2011. In the advisory, the agencies noted that a Texas task force had arrested suspects who reportedly had compromised computers within various hotel business centers in the Dallas/Fort Worth area.

In the advisory, the agencies noted that the attacks on hotel business centers have not been sophisticated and have required little skill. Moreover, they have not involved exploiting vulnerabilities in browsers, operating systems and other software. In other words, criminals have found the centers easy pickings for doing their dirty work.

To carry out their crimes, the attackers have used “a low-cost, high-impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guests’ information,” the alert notes. “In some cases, the suspects use stolen credit cards to register as guests. The actors would then access publicly available computers in the hotel business center, log in to their Gmail accounts and execute malicious key-logging software.”

The malware captures the keystrokes of other hotel guests who used the business center computers and then emails the information to the malicious actors’ accounts, the alert noted. “The suspects were able to obtain large amounts of information, including other guests’ personally identifiable information; log-in credentials to bank, retirement and personal webmail accounts; as well as other sensitive data flowing through the business center’s computers,” it noted.

Asked to comment on the alert and any trends related to hotel business center crimes that could affect American Express business cardholders, an Amex spokesperson declined, saying the card brand prefers not to be portrayed as any kind of expert in that area.

Hotels could take steps to protect their public computers, such as limiting guest accounts to non-administrator accounts that do not have the ability to install or uninstall programs, the agencies recommended. However, Krebs on Security, commenting on the alert, noted that, while such a recommendation is good, it won’t prevent keyloggers and malware, which just as easily could be installed on a regular user account as on an administrative one.

A range of solutions designed to wipe a computer clean of any system changes after each user’s session are available, but crooks just as easily could insert CDs or USB flash drives to do their malicious tasks, according to Krebs. “Attackers with physical access to a system and the ability to reboot the computer can use CDs or USB drives to boot the machine straight into a stand-alone operating system like Linux that has the ability to add, delete or modify files on the underlying (Windows) hard drive,” the security expert said. “While some computers may have low-level ‘BIOS’ settings that allow administrators to prevent users from booting another operating system from a USB drive or CD, not all computers support this option.”

Cybercrimes involving hotels and travel aren’t limited to business centers. In a security report released in May, Trustwave also noted that hospitality intermediaries in the Europe/Middle East/Asia region attract hacker attention. It said it investigated a small number of compromised hotel booking services, which it said regulators traditionally have not focused on because they do not process payments themselves.

Such B2B service providers allow hotels to communicate availability and pricing information to travel websites or agencies, the report notes. They also send booking and payment data back to the hotels, allowing the hotels to accept bookings from a wide range of global travel sites.

To provide the conduit between the various hotels and travel agencies and online travel-booking sites, for example, the booking services adopted an insecure approach, including storing cardholder data from the time of booking to a set time after checkout so they could accommodate cancellation fees. This created a large store of valuable cardholder data, Trustwave said.

“A lack of awareness to the amount of cardholder data that traverses these services’ networks has resulted in a lack of appropriate security controls,” Trustwave said.

In a separate security report, Verizon noted that hotels are among the industries most commonly affected by POS intrusions as well. Moreover, keylogger spyware represented 38 percent of cyber-espionage attacks last year.