Hotels represent rich pickings for cyber criminals. There's the potential to steal information from large numbers of customers with consequent financial gains.
Researchers at Panda Security have issued a report showing the major attacks targeted against hotel chains in 2015.
These attacks are against chains of all sizes and have resulted in the theft of credit card data from thousands of customers. In many cases this has been carried out using malware-infected POS terminals. In a recent instance, spear phishing was used to target a luxury hotel that is one of Panda's Adaptive Defense 360 clients.
"We know that, in most cases, these types of attacks are initiated through an email with an attached file that compromises the victim's computer, or a link to a page that uses vulnerabilities to achieve the attacker’s objective," says Luis Corrons, Technical Director of PandaLabs. "In our client's case, the attack began with an email message addressed to a hotel employee stating the attachment provided all the information needed to pay for a hotel stay at the end of May 2016."
This type of attack is hard to detect because the threats are created specifically for a victim, and the attackers always ensure that the malware is not detected by the signatures or proactive technologies of current anti-malware solutions. Having successfully snared a victim, the criminals then move laterally to reach their ultimate goal: the point-of-sale terminals that process credit card payments.
More details of how hotels and other companies can protect themselves against this type of attack are available on the Panda Adaptive Defense website. There's a summary of the extent of recent hotel attacks in the infographic below, with more detail available to download as a PDF.
Meantime, if you've stayed in a hotel recently you might want to keep a close eye on your payment card statements.