As in any industry with a large Business-to-Consumer (B2C) component, hotels are a target for various types of data theft and attempted fraud. The following is a brief overview of the possible scenarios.
Theft of bank cards
Hotels are under increasing threat of the theft of payment card numbers at terminal level (point-of-sale attack).
- The cybercriminals first succeed in penetrating the company’s networks.
- The infection then reaches the cash registers used to receive client payments.
- Data is intercepted and exfiltrated from payment cards that rely on outdated methods of protection (e.g. magnetic stripes).
Numerous hotel chains have recently been the target of these attacks, including Hilton, Starwood, Mandarin Oriental and even Trump Collection. Although the USA is a prime target, due to the delayed adoption of cards complying with the EMV Standard, Europe has not been spared.
The Hyatt chain recently revealed that it had fallen victim to such an attack. Since last week, it has been possible to consult a list of Hyatt hotels in which payment terminals have been infected, three of which are in fact in France.
Theft of loyalty accounts
Hotel chain client accounts are another category of data which are illegally traded on the Dark Web.
Just like airlines, hotel chains offer client accounts with loyalty points and centralised reservations. However, the logins used to access these accounts are easily exfiltrated by means of viruses that log keystrokes.
This is why we find stolen logins for this type of account on sale on the Dark Web. Such data can be used for many purposes, such as transfers of points, fraudulent reservations, etc.
Travel agencies on the Dark Web
Dark Web “travel agencies” constitute a third type of fraud affecting hotel chains. These “agencies” offer room reservations at unbeatable prices. The low prices are explained by the fact that the seller is using fraud and hacking.
The purchaser contacts the seller, specifying the hotel in which he wants to book a room. The seller deals with making the reservation and charges the service to the purchaser, generally at a price ranging from a quarter to a half of the true price per night of the room.
Many sellers boast of making bookings without using stolen payment cards (reputed to be easy for hotels to detect), preferring to use loyalty points from hacked client accounts.
This service, which is made possible by the first two types of fraud, clearly shows the degree to which the cybercriminal ecosystem is organizing itself around an increasing specialisation of the roles played by its actors.
- A whole community of workers (malware developers, infrastructure hosts, distributors-exploiters, mules, etc.) operates upstream to infect private terminals with viruses and gather the data.
- Certain cybercriminals buy stolen data wholesale for resale to semi-wholesale purchasers: some of these want payment card numbers, others want bank login data, and yet others want login information for accounts with businesses such as hotels.
- At the end of the chain, the buyers of the account information belonging to private individuals can make use of stolen loyalty points, for example to offer hotel room bookings.
Thus, although the community of workers on the malware side is well known to security researchers, an equally advanced speciality seems to be emerging on the cybercrime side, which consists of making the best use of the stolen data.