Hackers Are Checking-In to Hotel Systems
Bold hackers first build trust, then steal data.
The hotel industry is being targeted by hackers who are calling hotels and taking advantage of their reputation for excellent customer service.
But if you think this story is just about the hotel industry, think again. It's simply another twist on a scam from the hackers' playbook...and it can affect businesses and individuals alike.
Armed with a believable story, a friendly voice and a request for help, a group of bold hackers—masquerading as prospective hotel guests with reservation problems—are talking representatives at hotel reservation desks right into a trap.
Without hesitation and without reservation, the hackers are stealing hotels' customer data. And hotels are unwittingly walking into the scam with both eyes open.
Checking in and checking things out.
The hotel scam isn't an overly elaborate sting operation; it takes just one con artist, one victim and one email carrying dangerous malware (sent by the pretend hotel guest) to sway and dupe the hotel booking representative.
But it has been working so well that security experts are warning businesses of all kinds to be aware of this latest brand of scam from a hacker group well known in cyber security circles.
The hotel scam has a unique process to it: it starts with a phone call from the hacker and ends with malware stealing customer credit card information and more.
The phone call
A well-spoken hacker with excellent English calls the hotel customer service phone number to discuss a problem confirming a reservation. (The language reference is significant because the hackers are often not in the United States.)
The caller asks for help. They say they're not able to access the online reservation system to book a room for an upcoming stay. They've tried and tried, they explain, and finally decided to call for help.
You can imagine the response from the service rep: "Of course. I'd be glad to assist you."
The con man offers to provide some information that might help: details of their customer account and reservation number. They say they can send it to the agent in an email. All they need is an email address to send it to.
"I can get that for you," the helpful representative offers.
The hackers are very persistent, according to a security expert familiar with the hack. "They'll stay on the line with the customer service rep until they open up the attachment," he said.
The malware launch
With the address in hand, the hacker sends their email to the customer service agent, and it includes the attached document that contains the supposed reservation information.
Unfortunately, it contains something else: malware, the hacker's malicious software program that, once activated, will find its way to sensitive information. The malware is loosed on the system when the hotel rep opens the document online and clicks on a link that carries the payload.
The devastating attack
Once the malware is installed, it can download other malicious tools to tamper with the rest of a business's network. The goal of the attack is to record credit card numbers from point-of-sale machines or e-commerce payment processes, investigators say. The hack has been used against restaurant chains as well.
The malware being launched is sophisticated and meant to do a specific task and do it thoroughly—to invade systems and networks, to take screenshots from the desktop, to find and obtain passwords and email addresses, and to scan the network to gauge its vulnerability. Once in place, the malware is able to capture every credit card transaction that passes through the network and steal the data it wants. For a large-size restaurant chain, for example, that could affect as many as one million customers over time.
The hotel hack is believed to be the work of the same online gang of thieves who last year evidently lifted as much as $1 billion from a handful of banks. This time around they focused on stealing consumer credit card data and information. They left their digital "fingerprints" by using similarly coded malware that was used in previous attacks on other companies, according to an incident-response director for a large security firm.
The hackers are smooth, convincing and even friendly. They also seem to be using LinkedIn, the online business connection network, to dig up information on targeted companies and to learn the names of hotel-chain managers, which they'll drop into conversation. Those details add to the credibility of the call, and maybe even cause the hotel employee to worry that a supervisor might receive a customer complaint.
The hotel scam is another twist on "phishing" in which thieves use a convincing story and create an opportunity to hook a victim. In the hotel scam case, there was no need for the hotel staff to open the attachment. The customer could have simply read any reservation numbers to the hotel representative. The advice for those in business is the same as it is for all of us: If someone you don't know sends an email with an attachment, DO NOT OPEN IT.