Researchers warned this week of a trojan that is being
hawked on black market websites as a way to steal customer credit card
information from hotels.
Amit Klein, CTO of security firm Trusteer, said in a
Wednesday blog post that its intelligence team discovered the remote access
trojan being peddled in underground forums for $280. The malware is designed to
compromise the front-desk computers of hotels. Once installed on those
machines, it downloads a difficult-to-detect spyware component that captures
screenshots from point-of-sale (PoS) applications, specifically to sniff out
credit card numbers and expiration dates.
Oren Kedem, director of product marketing at Trusteer,
told SCMagazine.com on Thursday that the hospitality industry is a lucrative
target because it deals in valuable financial data. In addition, fraudsters
might find hotels to be easy pickings because it is easy to trick employees
into trusting an email, even if that means inviting malware into the network.
"Hotels communicate with the public," he said.
"If you're a hotel you open emails and communicate with people you don't
know on a regular basis."
The forum on which the trojan is being sold even includes
guidance from the sellers on how to use VoIP-based social engineering to trick
front-desk clerks into installing the trojan, Klein said.
He added that often the devices hotel employees use are
unmanaged, and thus may not contain patches and anti-virus protections that
would stop a trojan like this.
The hospitality industry has been hit hard in the last
couple of years. As an example, The Desmond, a high-end hotel and conference
center in Albany, N.Y. that also hosts many weddings, announced last month that
the credit card information of every guest between May 21, 2011 and March 10,
2012 may have been stolen by hackers.
A notice from the hotel didn't say how the breach
happened, and the general manager did not respond to a request for comment on
Thursday.
Not only are hotels and food-and-beverage establishments
susceptible to social engineering, but their PoS applications often are easily
accessible using default passwords. Criminals can scan the web to find
organizations that may be open to such an exploit.
"There will be remote access available on the
internet," Nicholas Percoco, who heads Trustwave's research arm,
SpiderLabs, explained to SCMagazine.com in February. "They'll then go and
basically brute force attack those systems, and they are highly successful at
that ... There's no alarms that went off. They just connected and logged in. Now
they're in the environment, and you're not suspecting they're there and they're
now implementing customized malware into these environments."