Hotel Malware Expects Big Tips When You Check In

After a long trip, you’ve arrived at the hotel. Ready to put stressful assignments aside, you lounge in the room. Little do you know that a cyber-tourist silently checks in too … And it’s someone who can get a humongous tip without offering a single service.

We tend to be relaxed when we’re in a hotel, especially on vacation. We feel more protected. Cameras are all over, guards and receptionists smile, and we receive a warm welcome. But do they see everything? Are we really protected?

Recent events in internet security show that we’re not. Cyber-crooks have set their eyes on the hotel industry. As holidays approach, the number of victims may be higher.

The most recent proof that hotel malware is starting to get serious is the FBI involvement. A couple of weeks ago, the agency warned travelers about phony software updates that make users automatically download malware. The FBI didn’t name names, letting us assume what type of malicious software was installed, and the countries where the hackings were noticed.

This was not the first time this year that cyber crooks dragged hotels into the firing line. Travelers who opened websites through a Wi-Fi connection were being distracted by advertisements pushed by a JavaScript. This vulnerability was harmless, but others have already been used for stealing costumer data.

A month ago, a remote access computer Trojan (RAT) designed to feast on credit card information from hotel point-of-sale applications was being sold online for $280. The entrepreneur’s “offer” included tips and tricks to lure receptionists into installing the malicious program.

PoS appliances continue to be a major “opportunity” for cyber-attackers – and not only in the hotel industry. They provide ready access to financial information, which can be sold on the black market or used directly in fraud.

So don’t get stunned if you find your information out there in the wild. Some websites brag about “sizes”, saying they have “nearly 100% US people” in their database, and others include worldwide stolen information. How much are our personal details worth these days? Not more than a pound of potatoes. They range from a couple of cents to $3 for a Social Security number.

“I feel pretty”

So what’s pretty and special about hotel malware? Security specialists say not too much, but enough to make it exciting for attackers. Hotel malware is more often designed for ripping off customer information, easily used to gobble up huge piles of money.

When it comes to already infected hotel systems, cyber crooks can take advantage of better targeted attacks. If a certain hotel chain’s security is broken, the whole list of clients is a stone’s throw from the criminal’s computer.

Last year, a hotel e-mail scam made waves in the US. Criminals distributed malware through an attached “RefundForm” file, claiming a wrong transaction. These types of cyber-attacks may become more frequent and better targeted in the future.

As opposed to other retailers such as restaurants or hypermarkets, hotels also store information about future clients. While at home, packing holiday luggage, travelers who made a hotel reservation may become easy phishing “material” Posing as hotel representatives, criminals may try to lure clients on e-mail. Giving the fact they will actually check in, people are more tempted to click, for instance, on phony notification links. This type of attack may even avoid anti-spam filters. And in some cases, hackers can take over the hotel systems and send “legit” e-mails from the servers.

Another special hotel malware component is the social engineering. Though a RAT may be used for general attacks to take control of the system, it may target hotels through social engineering tools, luring front desk managers into installing malware.

Not only clients are at risk. Security specialists argue that hotel employees are vulnerable to e-threats too. Social networks are an easy-to-use database where people freely give away professional and personal information, e-mail addresses included. These can be used to break the hotel PoS appliances and gain access to the ginormous client data base.

Another vulnerability that hotel attackers exploit is rather human. When we travel, we tend to be more relaxed than at home. We also trust the hotel’s Wi-Fi connection more than we trust the one in a suburb coffee shop. Assuming it’s secured and packed with encrypted passwords, we make updates, check our office e-mail, and make online payments more easily.

Tips and tricks

Now that you’ve read our blog post so far, don’t think your holiday’s ruined. There are a few tips and tricks that will help you stay safe before and after you make a hotel reservation. Some are generally available for all local networks.

1. For a network requiring security, it’s better to use a switch.
2. Be careful when you access sharing services. Avoid those that aren’t protected with password authentication.
3. Before connecting to the hotel Wi-Fi and put your personal information at risk, encrypt classified files with high-level encryption tools.
4. Update your laptop before traveling and download software updates only from official web sites.
5. Before leaving in a trip, make sure you have antivirus software installed and updated.
6. If you’re a corporate “geek” or a tech savvy, you can access a virtual private network that is more secure than the hotel Wi-Fi.
7. Be extra-careful when you make online banking transactions. Use only secured websites if you have to type in confidential data such as passwords or bank accounts.
8. And always remember that malware doesn’t leave “office”. Not even on legal holidays.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the technical information provided courtesy of Octavian Minea and Razvan Benchea, Malware Researchers at BitDefender AntiMalware Lab.