How hotels are being hacked? A method used by cybercriminals

Multiple hotel chain employees constantly receive emails that they should probably ignore, as they could fall victim to a massive phishing campaign targeting the hospitality industry. Cybersecurity specialists from security firm Kaspersky have released a report detailing a hacking campaign identified as RevengeHotels that aims to obtain credit card data from millions of hotel chain customers, as well as financial information recorded with online travel agencies, such as and similar.

The main activity of the operators of this campaign is in Brazil, however, there has been also evidence of activity in Argentina, Bolivia, Chile, Mexico, and even in some sectors of Europe, including Spain, Portugal, France and Italy.

Countries with RevengeHotels attack records
SOURCE: Kaspersky Lab

The main avenue of attack is by sending emails with Word documents, Excel or PDF attachments loaded with malware to exploit some known vulnerabilities, mainly CVE-2017-0199. Cybersecurity experts say this campaign has been active since 2015, although activity has increased significantly over the past year.

The attack begins with a spear phishing email, allegedly sent by a company interested in booking at the target hotel. Hackers take the time to craft highly detailed and legitimate looking messages.

The attachment (usually called AdvogadosAssociations.docx, with some variations depending on the country) contains a malicious Word file that delivers an OLE object via a template injection to run macro code; this macro code within the OLE document contains PowerShell commands to download and run the final payload.

According to cybersecurity experts, downloaded files are .NET binaries protected with Yoda Obfuscator; after being unpacked, the code is identified as RevengeRAT. An additional module identified as ScreenBooking appears, with which hackers capture credit card data.

Cybersecurity experts monitored some hacking forums, where they discovered that campaign operators focus primarily on the computer equipment of hotel receptions to access a company’s networks and steal data from credit cards. Another avenue of attack is the sale of remote access to these systems, which involves other hacking groups.

After extracting credit card data, hackers begin to offer this information on illegal forums, which is attractive to groups of criminals interested in this information, as hotel chains are considered sources of reliable information in the world of cybercrime.

Ad placed on hacking forums
SOURCE: Kaspersky Lab

Cybersecurity specialists from the International Institute of Cyber Security (IICS) mention that this campaign will remain active for a long time, since vulnerabilities exploited by hackers will not be fully patched, so it is travelers need to take some precautions before their information is compromised.

A truly functional form of prevention is the use of virtual payment cards for payment of services in online travel agencies, since the data on these cards will expire after a certain time, protecting the user’s financial data. Using services like Apple Pay or Google Pay is also a good alternative.