The RevengeHotels hacking campaign is back in force and is targeting the tourism industry.
Hotels, restaurant chains and various stores are considered ideal targets because cybercriminals can carry out different attacks and affect a large number of victims. Some of the most common practices of hackers are the compromise of PoS systems (to collect customer / tourist data), the sending of phishing emails to staff (who can give access to internal systems) and man-in-the-middle attacks through the hotels' public WiFi hotspots.
The data collected by hotels, and by related services in general, is valuable. These organizations hold a large amount of personal information, such as identity and financial information, which hackers can use for various scams, such as spear-phishing attacks, selling data and creating clones of customers' payment cards.
Some time ago, Kaspersky described a hacking campaign that included spear-phishing, spyware and malware and targeted hotels. It was called DarkHotel. Yesterday, however, it published new research on another targeted campaign, named RevengeHotels.
The campaign was first detected in 2015, but most of the attacks took place this year. So far, 20 victims have been found. The main targets are hotels, hostels and hospitality and tourism companies.
The RevengeHotels campaign has affected hotels in Argentina, Bolivia, Chile, Costa Rica, France, Italy, Portugal, Mexico, Spain, Turkey and Thailand. Most of the attacks, however, have taken place in Brazil.
The hackers behind the campaign compromise hotel systems and use Trojans to steal customer credit card details, as well as other financial and personal information that hotels receive from third parties, such as booking sites (e.g. Booking.com).
The attack usually starts with a phishing email sent to hotels (or other hospitality services). According to researchers, the hackers send highly detailed emails that look legitimate. They imitate real and trustworthy companies.
These emails contain malicious Word, Excel or PDF documents, which exploit CVE-2017-0199, a Microsoft Office RCE vulnerability.
If a vulnerable system is detected, VBS or PowerShell scripts are used to exploit the flaws and lead to the deployment of RevengeRAT, NRAT, NanoCoreRAT, 888 RAT, ProCC and other malicious programs.
The Trojans infect the computers, creating "tunnels" that connect the computer to the attackers' command-and-control (C2) server. The hackers have also created another feature, ScreenBooking, which is used to record payment card information.
According to the researchers, the original versions of the trojans in the RevengeHotels campaign included two functions: a backdoor and a function for taking screenshots. “We have recently noticed that these functions have been merged into a single backdoor, capable of collecting data from the clipboard and recording screenshots.”
In addition to the RevengeHotels hackers, Kaspersky also revealed another group, ProCC, which also targets the tourism sector. The ProCC group uses a more sophisticated backdoor that steals more information.
“If you want to stay safe while traveling, it is recommended to use a virtual payment card for OTA bookings, as these cards usually expire after a charge,” says Kaspersky. “When paying for your hotel, it is a good idea to use a virtual wallet like Apple Pay [or] Google Pay. If this is not possible, use a minor or less important credit card, as you cannot know if the hotel system is clean.”
The author allows you to copy this text only if you cite the source (SecNews.gr) with a web address (live URL) of the article.