This malware is compromising Thailand-based hotels to steal credit card details

RevengeHotels cybercriminals sell off the skimmed credit card data along with users credentials of the hotel admins on the dark web

A new cybercrime malware is doing the rounds in Thailand hotels wreaking havoc on the country's lucrative tourism and hospitality industry. The malware campaign is also rampant in many other countries including Argentina, India, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, and Turkey.

However, the biggest victim of RevengeHotels malware for now is Brazil, where the front desk in as many as 20 hotels has been reportedly compromised to skim customer's credit card data. The malware is also effectively looting credit card data via major online travel agencies, including Booking dot com.

How RevengeHotels work?

According to an analysis by cybersecurity major Kaspersky, the malware victimizes through phishing emails with attachments such as PDF, Word or Excel documents. Once someone opens the malicious document, the malware exploits a vulnerability (CVE-2017-0199), to execute VBScript or PowerShell and install a customized version of malware including RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT to name a few.

To convince the front desk hotel employees, the spear-phishing email camouflage as quotation request for a large number of guests. The email impersonates any Government organization or large Enterprise. Kaspersky claimed to found out the cybercriminal groups targeting the hospitality sector using the same tools and techniques, and prefer social engineering techniques to launch spear-phishing attacks.

An-email-sent-to-a-hotel-supposedly-from-an-attorneys-office
The email written in Portugese was sent to a hotel supposedly from an attorneys office

For example, the email in the above screengrab is written in Portuguese. It pretends to arrive from a real-life attorney office. The email comes with two attachments -- a copy of National Registry of Legal Entities card (CNPJ) and a malicious word file that would compromise the victims' machine once opened.

RevengeHotels cybercriminals sell off the skimmed credit card data along with users credentials of the hotel admins on the dark web.

criminals-as-a-service
credit card details is old-by criminals-as-a-service Kaspersky labs

Most of the victims of RevengeHotels malware are associated with the hospitality sector around the world.

Kaspersky's Advise

To stay safe from such destructive attacks, Kaspersky has suggested the users' shouldn't pay directly via Credit card. Instead, they can use virtual wallet apps like Google Pay or Apple Pay, for instance.

RevengeHotels malware
RevengeHotels malware is targeting hotel chains in Thailand, Argentina, Bolivia, Brazil, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey Screengrab/IBT SG
READ MORE