Keyloggers Take Aim at Hotel Business Centers

Keylogging malware has struck a series of hotel business center PCs in the Dallas-Ft. Worth area

Keylogging malware has struck a series of hotel business center PCs in the Dallas-Ft. Worth area, looking to capture personal and financial data from guests. The US Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) have now warned the industry as a whole to be on the lookout for the malware.

Security researcher Brian Krebs got a hold of the non-public advisory, which detailed a task force-led series of arrests of individuals suspected of compromising computers at several large chains in the Metroplex area.

It explains:

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious keylogging software. The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts. The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

Krebs noted that while the advisory cautions hotels to limit guest access to non-administrator accounts, this precaution is somewhat useless.

“This is a good all-purpose recommendation, but it won’t foil today’s keyloggers and malware — much of which will happily install on a regular user account just as easily as on an administrative one,” he explained, adding, “While there are a range of solutions designed to wipe a computer clean of any system changes after the completion of each user’s session (Steady State, Clean Slate, et al.), most such security approaches can be defeated if users also are allowed to insert CDs or USB-based Flash drives (and few hotel business centers would be in much demand without these features on their PCs).”

Essentially, if a criminal has access to a computer with a CD drive or USB port, getting around any and all security precautions is an easy task.

“The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer,” Krebs said. “The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware. The trouble is that there is no easy way for the average guest to know for sure.”

Guests should avoid using business center computers for anything of a sensitive nature, including of course checking email. Krebs advised using a throwaway email address at yopmail.com or 10minutemail.com to which users can forward documents to print from their mobile devices – dismantling the temporary address directly after.
