Hotel Security Warning after Spearphishing Email Spotted


Security experts are warning hotel IT managers to be on high alert after revealing the highly targeted nature of the email-borne attacks through which cyber-criminals are gaining access to POS systems.

In an exclusive interview with Infosecurity, Panda Security technical director, Luis Corrons, explained that a recent email intercepted en route to a hotel chain customer gave his team new insight into a growing threat.

A Panda Security white paper released last week highlighted a huge increase in credit card data theft from global hotel chains in 2015.

“In the paper we published, you can see that in none of those cases it is revealed how the malware gets to the POS terminals – they never disclose that information,” Corrons explained.

“It makes sense that they compromise one of the computers of the network, and from there they look for the POS terminals to install malware, as happened in the Target attack a few years ago. Here we have been able to catch the initial attack, although sadly as we blocked it they quickly shut down their infrastructure, so we could not get access to the POS malware that was going to be used.”

The spearphishing email in question, seen by Infosecurity, is addressed to a specific hotel employee and claims the attachment provides all the information needed to pay for a pending stay at the end of May 2016.

The zip file, once opened, contained a file with a Word icon that held an official-looking hotel document identical to the ones countless guests fill in and send with their payment information for upcoming visits.

To add authenticity, the credit card number given on the form even appears to be real – Corrons explained he found it on a carding forum.

While the hotel employee is reading this, of course, in the background an executable is running, no doubt to download malware which will be used to move laterally to access the Point of Sale systems in the hotel, and ultimately scrape card data.
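A mail gateway or triage script can catch this kind of attachment before it reaches the employee by checking what each zip member really is rather than what its icon suggests. The following is an added example, not code from Panda Security or Infosecurity; the file names, extension lists and sample archives are constructed assumptions, since the article does not give the attachment's actual file name.

```python
import io
import zipfile

# Assumed, non-exhaustive lists: what Windows runs on double-click vs. expected form types.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXTS = {".doc", ".docx", ".rtf", ".pdf"}


def inspect_zip_attachment(data: bytes) -> list:
    """Return one finding per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted: content cannot be checked
                findings.append({"member": info.filename, "reasons": ["encrypted member"]})
                continue
            # Windows ignores trailing dots and spaces in file names.
            parts = info.filename.lower().rstrip(". ").rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""
            with zf.open(info) as member:
                magic = member.read(2)
            reasons = []
            if magic == b"MZ":  # PE files start with the DOS "MZ" signature
                reasons.append("PE header in content")
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
                if inner in DOCUMENT_EXTS:
                    reasons.append("double extension " + inner + ext)
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample(members: dict) -> bytes:
    """Build a constructed in-memory zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an inert 64-byte stub with an MZ signature, and a plain file.
SUSPICIOUS = build_sample({"booking_form.doc.exe": b"MZ" + b"\x00" * 62})
BENIGN = build_sample({"booking_form.docx": b"constructed placeholder text"})

if __name__ == "__main__":
    print(inspect_zip_attachment(SUSPICIOUS))
    print(inspect_zip_attachment(BENIGN))
```

The content check matters more than the name check: a member named like a document but starting with `MZ` is still flagged.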

“Of course you could have [POS systems] isolated and allow them to connect just to the payment system in order to do the transactions, but that is not really practical,” Corrons added.

“Each hotel has a number of POS so having each one isolated is not going to happen.”

The email discovery once again highlights the need for IT security managers in this industry – and elsewhere – to install advanced security tools that can spot the sophisticated spearphishing attempts which so often signal a targeted attack.
