RevengeHotels is a campaign in which several groups use conventional Remote Access Trojans (RATs) to attack businesses in the hospitality sector. The campaign is reported to have been active since 2015 and continued to thrive throughout 2019. Two groups have been identified as taking part, RevengeHotels and ProCC, although more may be involved and still remain hidden.
The main attack vector in this campaign is email with crafted malicious Word, Excel or PDF documents attached. Some of the documents exploit CVE-2017-0199, loading the payload via VBS and PowerShell scripts and then installing customized versions of various RATs and other custom malware, such as ProCC, on the victim's machine; these tools can later execute commands and set up remote access to the infected systems.
Each spear-phishing email was crafted with special attention to detail and usually impersonated real people from legitimate organizations making a fake booking request for a large group of people. It is worth noting that even careful users could be tricked into opening and downloading attachments from such emails, as they included an abundance of detail (for instance, copies of legal documents and reasons for booking at the hotel) and looked convincing.
The only detail that would give the attacker away is the sender's typosquatting domain, a look-alike of the impersonated organization's real domain.
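Because the look-alike sender domain is the one tell the article points to, the following added example (not code from Kaspersky or from the original article) scores incoming sender addresses against a list of a hotel's legitimate partner domains; the partner domains, sample addresses and thresholds are constructed assumptions for illustration.

```python
import re

# Constructed list of domains a hotel legitimately corresponds with (assumption).
KNOWN_PARTNERS = {"examplelaw.com", "travelgroup-example.org"}

# Constructed sender addresses, not real ones: one genuine, three look-alikes, one unrelated.
SAMPLE_SENDERS = [
    "Maria <maria@examplelaw.com>",
    "Maria <maria@exarnplelaw.com>",            # "rn" imitating "m"
    "reservations@travelgroup-exarnple.org",
    "events@example-law.com",                   # extra hyphen
    "someone@gmail.com",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Fold common look-alike substitutions so visually similar domains compare equal."""
    d = domain.lower().strip().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01357", "olest"))

def sender_domain(address: str) -> str:
    """Extract the domain part from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""

def classify_sender(address: str, known_domains) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for the sender's domain."""
    dom = sender_domain(address)
    if dom in known_domains:
        return "known"
    norm = normalize(dom)
    for legit in known_domains:
        # Short names get a tighter threshold to limit false positives (assumed policy).
        max_distance = 1 if len(legit) < 10 else 2
        if levenshtein(norm, normalize(legit)) <= max_distance or legit in dom:
            return "lookalike"
    return "unrelated"

def triage(senders=SAMPLE_SENDERS, known=KNOWN_PARTNERS):
    """Classify every sample sender; look-alikes are the ones worth a manual check."""
    return {s: classify_sender(s, known) for s in senders}
```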
Once infected, the computer could be accessed remotely not just by the cybercriminal group itself — evidence collected by Kaspersky researchers shows that remote access to hospitality desks and the data they contain is sold on criminal forums on a subscription basis. The malware collected data from hospitality desk clipboards and printer spoolers and captured screenshots (this function was triggered by specific words in English or Portuguese). Because hotel personnel often copied clients' credit card data from OTAs (online travel agencies) in order to charge them, that data could also be compromised.
Kaspersky telemetry confirmed targets in Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. However, based on data extracted from Bit.ly, a popular link shortening service used by the attackers to spread malicious links, Kaspersky researchers assume that users from many other countries have at least accessed the malicious link – suggesting that the number of countries with potential victims could be higher.
“As users grow wary of how protected their data truly is, cybercriminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data. Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations,” comments Dmitry Bestuzhev, Head of Global Research and Analysis Team, LatAm.
“Thailand is a popular travel destination, which definitely influenced the choices attackers made in selecting their targets. Since the purpose of the campaign is to steal as much credit card data as possible, attackers usually select the most popular hotels that regularly have customers. If they attack a luxurious hotel, then the chances of stealing high-profile credit card data are much higher. We have confirmed one target in Thailand as we have found an email tailored by the attackers and sent to the hotel. However, we cannot definitely say whether this target fell victim to the RevengeHotels campaign. We can neither confirm nor deny if there are more targets in Thailand besides that one, but it's reasonable to believe this is the case,” Bestuzhev added.
To stay safe, travelers are recommended to:
Hotel owners and management are also advised to follow these steps to secure customer data:
Introduce staff security awareness training to teach employees how to spot spear-phishing attempts and show the importance of remaining vigilant when working with incoming emails.