Threat actors have increasingly targeted the hospitality industry in recent years. Organizations in this sector hold expansive databases of customers’ personally identifiable information (PII) and expose numerous access points, such as software systems and third-party vendors, while high staff turnover leaves many employees lacking cybersecurity knowledge. To help organizations in the industry – which includes hotels, casinos, resorts, and other travel-related businesses – understand and identify the potential threats they may face, we published the Gaming, Leisure and Hospitality Industry Cyber Threat Report (March 2019).
IntSights continuously monitors and captures hundreds of thousands of forum posts across the dark web and various hacker channels to spot indications of attack and new threats for our customers. Here are some of the most common vectors used to target the hospitality industry.
1. POS Systems
Threat actors find point of sale (POS) systems to be the most direct route to credit card information and financial gains. These systems are often configured improperly, with weak passwords and/or insecure remote access, opening the door for cybercriminals to easily infect them with card-skimming malware. The problem is compounded by the fact that hotels typically delegate their POS security to third-party vendors, offering threat actors yet another potential attack vector. Hotel POS systems are complex because they have multiple POS terminal locations – front desk, on-site shops, spas, restaurants, parking etc. – and thus the possible entry points are dispersed and more accessible.
2. Spear Phishing
Cybercriminals commonly use spear phishing attacks – which are essentially targeted phishing campaigns – to enter hotel networks. “Phishers” call the targeted hotel, pretending that they have been unable to make a reservation on the hotel’s website. The phisher then asks to email their personal details to the unsuspecting employee on the line, and follows up with a message containing a malicious file. After the employee opens the file, the hacker has an entry point into the hotel network.
3. Wi-Fi Networks
Every hotel offers Wi-Fi – it has become a necessary component of ensuring quality guest experiences. Unfortunately, this has opened yet another vector for hackers to infiltrate, as public Wi-Fi networks have fewer security levels than private networks. And many attacks on hotel systems are made possible by human error – for example, if an unaware hotel employee configures a secured network as “open,” they have effectively created a rogue access point (AP). Cybercriminals can use this rogue AP to attack the network from the hotel lobby or even a nearby building.
Another example of a Wi-Fi network attack is an “evil twin AP,” which is simply a fraudulent AP that is disguised to appear legitimate. Hackers create fake networks with similar names to entice employees and guests alike into connecting to the evil twin, opening the door to the user’s device. Then, they can introduce malware, hijack data, steal passwords, and more.
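A defender-side check for the two Wi-Fi cases above (a secured network left open, and an evil twin using the same or a similar name), as an added example that is not from the original report: it compares a wireless scan against an inventory of authorised APs. The SSIDs, BSSIDs, security labels and function names are all constructed for illustration.

```python
from difflib import SequenceMatcher

# Hypothetical inventory of the hotel's authorised APs (constructed values).
AUTHORISED = {
    "GrandHotel-Guest": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                         "security": "WPA2"},
    "GrandHotel-Staff": {"bssids": {"aa:bb:cc:00:00:10"},
                         "security": "WPA2-Enterprise"},
}
_FOLD = str.maketrans({"0": "o", "1": "l", "-": "", "_": "", " ": ""})

def normalise(ssid):
    """Fold case, separators and digit look-alikes ('GrandH0tel_Guest')."""
    return ssid.lower().translate(_FOLD)

def classify(ssid, bssid, security, threshold=0.85):
    """Return ok, evil-twin, misconfigured, lookalike or unrelated."""
    known = AUTHORISED.get(ssid)
    if known:
        if bssid.lower() not in known["bssids"]:
            return "evil-twin"      # our exact SSID from a radio we do not own
        if security != known["security"]:
            return "misconfigured"  # our radio, but not the expected security mode
        return "ok"
    for name in AUTHORISED:
        ratio = SequenceMatcher(None, normalise(ssid), normalise(name)).ratio()
        if ratio >= threshold:
            return "lookalike"      # similar name that could pass for ours
    return "unrelated"

# Constructed scan results: (SSID, BSSID, security mode)
SCAN = [
    ("GrandHotel-Guest", "aa:bb:cc:00:00:01", "WPA2"),
    ("GrandHotel-Guest", "de:ad:be:ef:00:01", "Open"),
    ("GrandHotel-Staff", "AA:BB:CC:00:00:10", "Open"),
    ("GrandH0tel_Guest", "12:34:56:78:9a:bc", "Open"),
    ("CoffeeShop-WiFi", "66:77:88:99:aa:bb", "WPA2"),
]

def audit(scan):
    """Return only the observations that need follow-up."""
    findings = []
    for ssid, bssid, sec in scan:
        verdict = classify(ssid, bssid, sec)
        if verdict not in ("ok", "unrelated"):
            findings.append((ssid, bssid, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SCAN):
        print(finding)
```

In practice the scan tuples would come from a wireless survey or WIDS export, and the inventory from the network team's AP records.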
4. Ransomware
After penetrating a hotel’s system and installing malware, hackers can hijack its data until the hotel pays a ransom, typically in Bitcoin or some other cryptocurrency. Ransomware attacks are common in many industries, but cybercriminals have found them to be particularly lucrative in the hospitality industry due to the ease of network access and hotels’ reliance on functioning databases to operate. By holding a hotel’s systems hostage and limiting its ability to function normally, hackers can create significant leverage when negotiating a ransom fee, making ransomware one of the more effective and lucrative attack methods.
5. DDoS and Botnets
Distributed Denial-of-Service (DDoS) attacks can shut down a hotel’s online booking and billing systems or even its official website. While DDoS attacks can impede a hotel’s ability to operate normally, they are often used as distractions to hide other attacks, like data theft. Meanwhile, botnet attacks are more common in the hospitality industry than any other. Hackers use botnets of compromised networks to flood critical systems with traffic, crashing those systems and shutting down a wide variety of devices that are managed by computers – CCTVs, sprinklers, HVAC systems, etc. These devices can then be used to send pulses to other systems on the infrastructure and disable them.
6. Internet of Things
Hotels and resorts were early adopters of internet of things (IoT) technology solutions to help automate and streamline ordinary guest experience activities. This includes thermostats that adjust temperatures based on a guest’s preferences, minibar consumption tracking, and remote check-in/out or room service from mobile devices. While these innovations have improved hotel operations, they have also left hotel networks exposed due to their insufficient security configurations. Many IoT devices are built by companies that lack knowledge about network security requirements, opening the door for hackers to take advantage and infiltrate.
For example, cybercriminals breached an IoT-connected (a.k.a. “smart”) fish tank at a North American casino in 2017. Through a vulnerability in the fish tank’s smart thermometer, the hackers were able to infiltrate the casino’s network. Once inside the network, they were able to access a database of high-roller gamblers and then pull it out of the thermometer and up to the cloud.
7. Brand Impersonation and Customers
Threat actors leverage well-known hotels’ brand presences to target unknowing loyal customers directly with impersonation schemes. This can take the form of social media impersonation, developing malicious mobile apps, posing as hotel employees online and offering special discounts, or creating fraudulent domains using the hotel’s branding. While these attacks do not directly target a hotel’s corporate systems, they can cause devastating hits to brand reputation and financial damages.
Cybercriminals target organizations in the gaming, leisure, and hospitality industry at an alarming rate, and there have been several recent high-profile data breaches impacting big brands in the industry. To defend against these new attacks, hospitality organizations should take an external-focused approach to ensure they are identifying new threats at the source and taking proactive mitigation action.
Download the full Gaming, Leisure, and Hospitality Industry Cyber Threat Report (March 2019) to learn why, how, where, and when threat actors are attacking hotels, resorts, and casinos, as well as who is levying the attacks and what organizations can do to defend themselves.