“In this particular scenario,” blogs Trusteer’s Amit Klein, “a remote access Trojan program is used to infect hotel front desk computers. It then installs spyware that is able to steal credit card and other customer information...”
The underground advertisement reads: “Hello all, I’m offering Hotel RATs. In other words; A virtual skimmer.” The author claims ‘guaranteed US/Canada/UK connections’ and even includes a tutorial on ‘how to Social Engineer/Manipulate the front desk manager on the phone via VoIP.’
“It can steal credit card numbers and expiration dates, but not CVV2 numbers [the 3-digit security code]” comments Klein. He also repeats a claim from the author: “The spyware is not detected by anti-virus programs.” It is a claim often made but not necessarily always valid. “Any professional cybercriminal,” Luis Corrons of PandaLabs told Infosecurity, “will use a VirusTotal-kind of system (not VirusTotal itself, as they share the samples with antivirus vendors) to avoid any signature detection, and will change the binary as many times as needed to avoid detection before they release the Trojan.” Sometimes this claim really means that the malware wasn’t detected yesterday; but that doesn’t mean it isn’t detected today.
Furthermore, added Corrons, “there are a number of different ways to detect malware. Signatures are the oldest and not the most important one. There is no single relevant antivirus software that only relies on signatures – most of them use protection at different layers, such as behavior blocking, cloud, reputation...”
“As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises,” writes Klein. That’s true, says Corrons: “If you infect an individual you can steal his identity. If you infect an enterprise you can steal all of his customers' identities – look at Sony.” One of the reasons for this shift, suggests Klein, is the increasing prevalence of BYOD. But neither Corrons nor ESET’s David Harley think BYOD is too relevant in this instance.
“There are ‘better’ methods to infect a specific computer, such as a spear phishing attack,” said Corrons.
“It’s not clear to me what the infection vector is,” Harley told Infosecurity, “but I’d hope that in general, hotels are fairly careful about allowing staff access to front desk computers.” Having said that, he pointed to his own experiences that could be used to socially engineer a front desk manager: “There have been occasions where a hotel with no business centre or no public Windows terminal and printer has accepted a pen drive from me so that they can print a document for me. Obviously, that’s a potential vector...”