Researchers warned this week of a trojan that is being hawked, on black market websites, as a way to steal customer credit card information from hotels.Amit Klein, CTO of security firm Trusteer, said in a Wednesday blog post that its intelligence team discovered the remote access trojan being peddled in underground forums for $280. The malware is designed to compromise the front-desk computers of hotels. Once installed on those machines, it downloads a difficult-to-detect spyware component that captures screenshots from point-of-sale (PoS) applications, specifically to sniff out credit card numbers and expiration dates.
Oren Kedem, director of product marketing at Trusteer, told SCMagazine.com on Thursday that the hospitality industry is a lucrative target because it deals in valuable financial data. In addition, fraudsters might find hotels to be easy pickings because it is easy to trick employees into trusting an email, even if that means inviting malware into the network.
"Hotels communicate with the public," he said. "If you're a hotel you open emails and communicate with people you don't know on a regular basis."
The forum on which the trojan is being sold even includes guidance from the sellers on how to use VoIP-based social engineering to trick front-desk clerks into installing the trojan, Klein said.He added that often the devices hotel employees use are unmanaged, and thus may not contain patches and anti-virus protections that would stop a trojan like this.
The hospitality industry has been hit hard in the last couple of years. As an example, The Desmond, a high-end hotel and conference center in Albany, N.Y. that also hosts many weddings, announced last month that the credit card information of every guest between May 21, 2011 and March 10, 2012 may have been stolen by hackers.
A notice from the hotel didn't say how the breach happened, and the general manager did not respond to a request for comment on Thursday.
Not only are hotels and food-and-beverage establishments susceptible to social engineering, but their PoS applications often are easily accessible using default passwords. Criminals can scan the web to find organizations that may be open to such an exploit.
"There will be remote access available on the internet," Nicholas Percoco, who heads Trustwave's research arm, SpiderLabs, explained to SCMagazine.com in February. "They'll then go and basically brute force attack those systems, and they are highly successful at that ...There's no alarms that went off. They just connected and logged in. Now they're in the environment, and you're not suspecting they're there and they're now implementing customized malware into these environments."