
Certain industries offer cyber criminals more opportunity and a bigger payoff than others. For example, organizations in sectors that constantly deal with sensitive customer information or financial data are more likely to be targeted by hackers than businesses in industries that do not.
The hospitality industry has become a considerable target for black hats, with an increasing number of attempted attacks and breaches reported in recent years. However, it's not just the hotel establishment itself that malicious actors are after: hackers are often pursuing the payment and personal details of clients as well.
Let's take a look at some recent cyber criminal activity in the hospitality industry, as well as certain strategies businesses in this sector can adopt to better protect themselves.
Breach at the Hard Rock
The Hard Rock Hotel is one of the most well-known establishments across the industry, with locations in major cities in and outside of the U.S. At the beginning of May, the brand reported it had suffered a malware attack that might have enabled hackers to gain access to payment card information used at several of its locations.
Reuters reported that the attack was first discovered on April 3, and potentially affected customers' names, credit card numbers and CVV security codes. While the event is still being investigated, researchers don't believe other sensitive information was compromised during the breach. In addition, investigators found that the infection only impacted transactions that occurred between September 3, 2014 and April 2, 2015.
Although the Hard Rock works with a number of partnering organizations and retailers, some of which have their own boutiques and shops inside the company's hotel locations, the breach only compromised transactions at Hard Rock restaurants, bars and retail stores. This means hackers were unable to breach information related to transactions at the hotels, casinos, spas or other outside retail stores housed in the hotels.
This is by no means the first time a hotel has been breached by hackers in this manner, but it is the most recent event taking place this year. Earlier in 2015, the Mandarin Oriental Hotel Group also announced a breach, as did Marriott Hotels. These instances illustrate how attractive the hospitality industry has become to hackers recently. Establishments in this industry deal not only with considerable financial information but also with the personal details of their clients, making them high-profile targets for hackers.
Malware infection: RawPOS
Similar to the recent rash of POS-based attacks in the retail industry, the hospitality sector has seen its share of POS malware infections as well. In late April, Trend Micro reported on RawPOS, an older sample that has recently been leveraged to infect and infiltrate casinos and resort hotels.
This sample initially appeared in late 2008, and a number of security advisories were issued that year and in 2009 in an attempt to warn businesses about this little-known threat. Even six years later, experts are still largely in the dark about the malware. Since it resurfaced in the hospitality industry this year – with victims including establishments in the U.S., Canada, Europe, the Middle East and Latin America – researchers have been seeking more information about this threat and how to protect against it.
Currently, Trend Micro researchers know that RawPOS uses a modular design that enables hackers to configure its multi-stage scraper capabilities. The sample is also a considerable threat due to its support for several POS software programs.
"Since business establishments would have different POS software, attackers have modified RawPOS' code to support multiple POS software over time," Trend Micro threat analyst Jay Yaneza wrote.
While a threat like this is no doubt difficult to protect against, hotels and resorts can use endpoint monitoring security solutions to ensure that suspicious activity is discovered early on and that key employees who can mitigate the damage are notified.
Targeting hotel guests
Threats in the hospitality industry aren't confined to the establishments themselves. Recently, Wired contributor Kim Zetter reported on a new approach being used by hackers to target high-profile hotel guests via Wi-Fi connections.
The attack works like this: A target checks into a hotel where hackers already have a network presence and are awaiting the arrival of this specific guest. The individual logs on to the hotel's Wi-Fi service in his room and is presented with a pop-up concerning a software upgrade available for one of his programs. He decides to download it, not knowing that his software isn't being updated and that he has just given a malware sample permission to run.
Kaspersky Lab has been researching the group responsible for these types of attacks, which have mainly been centered in hotels in Asia, dubbing the black hat organization DarkHotel.
"[T]he attackers have been active for at least seven years, conducting surgical strikes against targeted guests at other luxury hotels in Asia as well as infecting victims via spear-phishing attacks and P2P networks," Zetter wrote.
Since the initial discovery of DarkHotel, researchers have found that the group is expanding its targets to include an increasingly long list of hotels.
"Obviously, we're not dealing with an average actor," noted Costin Raiu, Kaspersky Lab's manager of the global research and analysis team. "This is a top-class threat actor."
Hotel guests can better protect themselves from these kinds of threats by exercising caution when using hotel Wi-Fi and other public links that are not as heavily protected. In addition, users should be wary of any suspicious pop-up or email messages, and avoid clicking links or attachments from unfamiliar senders. Guests should also be cautious about what activities they carry out on such a network. Waiting to use a more secure connection for tasks that require personal or financial information can reduce the chances of data theft.
Hotels can do their part to better protect their guests as well. Using stronger protections and activity monitoring can help prevent malicious actors from entering the network in the first place. Hotel managers can also add password protection to their network to block access by non-guests. This ensures that only those staying at the hotel with access to the password – which should consist of a mix of letters, numbers and special characters that is not easily guessable – can connect to the network.