A malware campaign dubbed RevengeHotels has successfully infected systems running the front desks of more than 20 hotels across multiple countries in an attempt to steal guests’ credit card information.

Research published by Kaspersky Labs late last week confirmed the attacks have been detected most often in Brazil, though infections have also taken place in Chile, France, Italy, Spain, Portugal, Turkey, Costa Rica, Mexico and Bolivia.

Besides credit card data, Trojans deployed in the campaign are also gathering financial information passed on through third-party sites like Booking.com. RevengeHotels has been active since 2015, researchers said, but has been more active in the past year.

Beware of That Sudden Group Booking Request

Front desks are often the busiest parts of most hotels, and cybercriminals are taking advantage of that in this phishing campaign. Those targeted will get an email supposedly coming from a large company or government organization, for example, that requests a quote for a group booking.

The sender addresses of these messages look legitimate, but often have a small difference in spelling with the organization they’re impersonating. This technique, also known as typosquatting, becomes easier to overlook because the RevengeHotels attackers make sure the message is detailed and professional in tone.
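A mail-filtering check for the lookalike sender domains described above, as an added example that is not part of the original article or the Kaspersky research. The trusted-domain list, function names and sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains this front desk genuinely corresponds with (constructed list).
TRUSTED_DOMAINS = ("example-corp.com", "tourism.example.gov", "booking.com")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the From address, or "" if there is none."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def classify_sender(from_header: str, max_distance: int = 2):
    """Return (verdict, trusted_domain): verdict is trusted, lookalike or unknown."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unknown", None)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    nearest = min(TRUSTED_DOMAINS, key=lambda t: osa_distance(domain, t))
    if osa_distance(domain, nearest) <= max_distance:
        return ("lookalike", nearest)  # near miss of a real partner: hold for review
    return ("unknown", None)

# Constructed sample From headers, not taken from the campaign.
SAMPLES = [
    "Events Team <events@example-corp.com>",
    "Events Team <events@exarnple-corp.com>",   # "rn" in place of "m"
    "Procurement <quotes@exmaple-corp.com>",    # transposed letters
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

The From header can itself be forged, so a check like this belongs alongside SPF, DKIM and DMARC results rather than in place of them.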

Researchers said the messages contain malicious Word, Excel or PDF attachments that make use of vulnerabilities such as CVE-2017-0199. Though Microsoft patched that Office-related bug in 2017, hotel systems that weren’t updated remain exposed, allowing attackers to deploy a variety of custom Trojans. These include RevengeRAT, NanocoreRAT, ProCC, 888 RAT and NjRAT.

Once a system is infected, a backdoor is used to take screenshots and collect clipboard data, while another module, called ScreenBooking, captures the credit card information. The data is then sent back to the attacker’s command-and-control (C&C) server via a tunnel created by the Trojans.

RevengeHotels is not alone in aiming at the hospitality sector. Researchers said another group, ProCC, is waging a similar campaign with an even more sophisticated backdoor.

Make Sure There’s No Vacancy For Threat Actors

Organizations have long known they need to help employees understand how to identify phishing attempts, but the RevengeHotels campaign is a good example of how security awareness training may need to be customized for specific kinds of users.

Of course, people can always make mistakes, which is why it’s a good idea to complement training programs with ahead-of-threat detection tools that can spot suspicious URLs or requests and block them outright.
