The next time you check in to a hotel, a cybercriminal could be checking you out.
The danger doesn’t come from the concierge, or the bellhop, or the guests milling around the lobby — instead, it lurks somewhere far off, where a clever crook is looking at a screenshot of all your personal information, credit card included, he has captured right from the hotel’s check-in computer.
For sale in in underground forums, the cybercrime weapon that makes this theft possible is a remote access Trojan that infects point-of-sale terminals linked to hotels’ front desk computers, according to Amit Klein from the security firm Trusteer. After it infects the computers, the Trojan captures screenshots from the point-of-sale application used on the computer, providing the crook with your name, address, email address and, most importantly, your full credit card number and expiration date.
The particular attack package Trusteer spotted sold for $280, and came with setup instructions and tips on how to use social engineering tactics, “via VoIP software to trick front desk managers into installing the Trojan.” Even worse is that anti-virus software, Klein said, does not detect the credit-card-swiping spyware.
Why are attackers focusing their efforts on the hospitality industry? The same reason they choose any and every target: money.
“Cybercriminals are increasingly expanding the focus of their attacks from online banking targets to enterprises,” Klein wrote. “One of the reasons for this shift is that enterprise devices can yield high value digital assets when compromised.”
If there’s a silver lining to this spyware scare, it’s that, for now, the attack module Trusteer detected is unable to siphon hotel guests’ credit card verification value (CVV2), the security code, often located on the back of credit cards, used when completing transactions.
While this credit card scam seems nearly impossible to detect and prevent, you can keep your finances, and identity, in check by routinely monitoring your bank balances, and reporting any suspicious or unauthorized transactions to your bank immediately.