Kaspersky Lab experts have discovered a malicious campaign that puts at risk bank card information stored in hotel information systems, as well as card data received from online travel agencies such as Booking.com. At least 20 hotel brands in Brazil, Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey are known to have been attacked.
To collect information from clipboards, printing devices and screenshots of documents, the attackers use remote administration Trojans that spread through malicious attachments (Word, Excel, PDF) in phishing emails. Some of these attachments exploit the CVE-2017-0199 vulnerability, and the attackers also use VBS and PowerShell scripts; these download and install customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC on the target machine.
These emails imitate official requests for group reservations from real people at real companies and look very convincing: they include copies of official documents and detailed explanations of why this particular hotel was chosen. The only thing that gives away the attackers' true purpose is misspellings in the company's domain name.
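The misspelled sender domain described above is something a mail filter or front-desk triage script can check for. The following is an added example, not part of the original report: it compares a sender's domain with an allow-list of known partner domains and flags near-misses (the `.example` domains, the function names and the distance threshold of 2 are constructed assumptions).

```python
from email.utils import parseaddr

# Constructed allow-list of partner domains the hotel really deals with.
TRUSTED = ("partner-travel.example", "acme-events.example")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header):
    """Lower-cased domain of a From: header value, or '' if there is none."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def classify_sender(from_header, trusted=TRUSTED, max_dist=2):
    """Return (verdict, closest trusted domain or None)."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return ("trusted", domain)
    if domain:
        best = min(trusted, key=lambda t: osa_distance(domain, t))
        if osa_distance(domain, best) <= max_dist:
            return ("lookalike", best)  # near-miss of a known partner
    return ("unknown", None)

# Constructed From: headers for illustration, not taken from the campaign.
SAMPLES = [
    "Maria Silva <maria@partner-travel.example>",
    "Maria Silva <maria@partenr-travel.example>",   # two letters swapped
    "Group Sales <sales@partner-trave1.example>",   # 'l' replaced by '1'
    "News <news@unrelated.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

Short domain names need a tighter threshold, since two edits can turn one legitimate name into another.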
The hackers not only use the remote access to infected computers themselves, but also sell it on underground forums. The attackers aim to compromise machines at the reception desk to obtain credentials for the hotel administration software, as well as to gain the ability to steal bank card data.
Several hacker groups are reported to be taking part in this campaign, and experts know for certain of at least two: RevengeHotels and ProCC. The campaign has been active since at least 2015, but its activity increased noticeably in 2019.
According to data from Bit.ly, which the attackers used to shorten the malicious link, the link also spread in many countries other than those listed above, which means that the amount of compromised data may be much larger.
“Regardless of whether guests stay in hotels while on a business trip or on vacation, whether they pay in cash or by card, it will still be necessary to use a debit or credit card at least once to guarantee a room reservation. This will be enough for attackers to steal its data. We advise hotel owners to use reliable protective solutions to avoid leaks that can damage both customers and the institution’s reputation,” comments Yuri Namestnikov, head of the Russian research center at Kaspersky Lab.