What is a keylogger?
A keylogger is hardware or software designed to monitor and record keystrokes entered on a computer, terminal, or input interface. Technically, a keylogger intercepts input signals before they reach the operating system or application layer, capturing text such as passwords, messages, authentication tokens, and other typed data. More sophisticated variants go well beyond keystroke capture: they are engineered to evade detection and to capture screenshots as well.
From a legal perspective, a keylogger is a surveillance and interception tool whose use constitutes unauthorized access, unlawful interception, or a violation of privacy and data protection laws, depending on jurisdiction and context. When installed without the knowledge and consent of the system owner or data subjects, a keylogger typically falls within the scope of criminal computer misuse statutes, unlawful wiretapping or interception laws, privacy and data protection regulations, and in some jurisdictions, espionage or anti-surveillance legislation. In employment settings, even authorized monitoring using keyloggers is subject to strict proportionality and transparency requirements, meaning that any monitoring must be necessary, justified, and communicated to affected individuals, with safeguards in place to prevent misuse of captured data.
Hardware keyloggers can be embedded in the internal PC hardware, or inserted between the CPU box and the keyboard cable. Adversaries must have physical access to the PC, which is easy to obtain on computers that any hotel guest can use, or on computers left in hotel rooms by guests who believe that nobody knows their password, so nobody could access their systems and data.
Keylogging hardware includes recording devices that look like USB drives, and gadgets that can record the Bluetooth communication between a wireless keyboard and a computer.
Software keyloggers are easy to install on victims’ devices. They do not harm the infected computers, but work behind the scenes, capturing all keystrokes while the computers continue to operate normally. Phishing and social engineering attacks are often effective delivery methods, and the useful or free programs and applications offered on some websites are often bundled with keyloggers.
By clicking a link or downloading an attachment in a phishing email, text message, instant message, or social media post, or by downloading an apparently legitimate file or application, we can accidentally install malware that tracks keystrokes. Keyloggers can also infect our system when we connect it to an already infected device or system, or when we open email attachments from trusted but infected sources.
Why are keyloggers so important for hybrid actors?
Keyloggers convert ordinary human interactions into a persistent, high-fidelity intelligence stream that can be exploited across technical, physical, legal, and psychological domains. Hybrid adversaries seek durable situational awareness, precise timing, and the ability to manipulate decisions and behaviours. A keylogger supplies exactly that. It records credentials, communications, and contextual detail about actions taken on a device, and it does so in a way that can be assembled, replayed, and cross-referenced with other data sources.
Keyloggers also provide hybrid actors with plausible deniability and low-attribution options. Hardware implants can be introduced during supply-chain operations or disguised as routine maintenance, and sophisticated software implants can masquerade as legitimate services or signed drivers, allowing prolonged, covert collection. For state-linked adversaries that wish to avoid escalation, the covert nature of keystroke surveillance is strategically valuable.
In hotels, where front-desk terminals, self-check-in kiosks, concierge machines, back-office workstations, and legacy point-of-sale systems process personal data, payment information, and access credentials around the clock, keyloggers are particularly effective at harvesting the assets that attract both criminals and state-grade adversaries.
Insider risk amplifies the technical threat vectors. High staff turnover, temporary contractors, and routine physical access to public-facing terminals create opportunities for insertion of hardware keyloggers, or for the installation of malware by someone with legitimate access.
Keylogger Malware in Hotel Business Centers, an advisory from the US Department of Homeland Security, in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC) and the United States Secret Service (USSS).
The United States Secret Service (USSS) has investigated incidents where malicious actors installed keylogger malware via publicly accessible hotel business center computers. This advisory provides additional information about the campaign as well as recommendations to stakeholders in the hospitality sector to both better secure publicly available computers and advise end users of the risk they accept when accessing these machines.
Summary
As data breaches continue to result in devastating consequences for individual victims and often high reputational and financial risk for the entities that were breached, it’s important to understand the balance of risk and convenience that your organization has chosen.
Analysis from companies like Symantec, Trustwave and Verizon all reveal that data breaches have increased at an alarming rate since at least 2011. Unfortunately, many of the reports state that malicious actors have targeted the Hospitality subsector over most others in that time frame.
The following is an advisory for owners, managers and stakeholders in the hospitality industry, which highlights recent data breaches uncovered by the USSS.
The attacks were not sophisticated, requiring little technical skill, and did not involve the exploitation of vulnerabilities in browsers, operating systems or other software. The malicious actors were able to utilize a low cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guests’ information.
The NCCIC and the USSS have provided some recommendations at the end of this document that may help prevent similar attacks on publicly available computers.
Threat
The USSS North Texas Electronic Crimes Task Force recently arrested suspects who have compromised computers within several major hotel business centers in the Dallas/Fort Worth area.
In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious keylogging software.
The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts.
The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), login credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.
The USSS recommends that hotels in the area be on alert and take immediate action to determine if their business center computers have been infected by similar malware and to conduct a risk assessment of their publicly accessible machines.
Although these specific breaches occurred outside of the hotel’s enterprise system and the malicious activity was contained to stand-alone computers with segmented internet access, this type of exposure to patron data can result in significant impacts to consumer confidence, brand reputation and in some cases legal or financial liabilities.
This particular type of criminal activity highlights the importance of the need for physical and network security to work together as they are dependent on each other.
Physical events can have cyber (logical data flow) consequences and cyber events can have physical consequences. As a dual mission agency, the United States Secret Service has long recognized the importance of this methodology in its Protective mission of protecting people and events.
The USSS Critical System Protection methodology focuses on both the physical and local (cyber) assessment of events and has recognized that to be truly effective in protecting any system, you must establish, monitor and maintain control over both the physical and logical access of your assets.
Recommendations
The NCCIC and the USSS North Texas Electronic Crimes Task Force recommend that hotel managers, owners and other hospitality industry stakeholders consider contacting their network administrators to request that:
• A banner be displayed to users when logging onto business center computers; this should include warnings that highlight the risks of using publicly accessible machines.
• Individual unique logon credentials be generated for access to both business center computers and Wi-Fi; this may deter individuals who are not guests from logging in.
• All accounts be given least-privilege access; for example, guests logging in with the supplied user ID and password should not be able to download, install, uninstall, or save files, whereas one authorized employee may have a need for those privileges to carry out daily duties.
• Virtual local area networks (VLANs) be made available for all users, which will inhibit attackers from using their computer to imitate the hotel’s main server.
• All new devices be scanned (e.g. USB drives and other removable media) before they are attached to the computer and network; disabling the AutoRun feature will also prevent removable media from opening automatically.
• Predetermined time limits be established for active and inactive guest and employee sessions.
• Safe defaults be selected in the browsers available on the business center desktops (e.g. Internet Explorer, Mozilla Firefox). Options such as private browsing and ‘do not track’ for passwords and websites are some of the many available.
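One way to audit a Windows business-center PC against the registry-backed items in this list (logon banner, AutoRun disabled, idle-session lock, least privilege) and optionally apply them, as an added example that is not part of the advisory; the banner wording, the 15-minute idle limit and the BusinessCenter account name are assumptions, and the script is expected to run from an elevated PowerShell 5.1 or later session:

```powershell
# Audit (and with -Fix, apply) the registry-backed recommendations on a shared
# business-center PC. Assumed: elevated PowerShell 5.1+. Banner text and the
# 900-second idle limit are constructed sample values, not values from the advisory.
[CmdletBinding()]
param([switch]$Fix)

$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
  @{ Path="$pol\System";   Name='legalnoticecaption';    Type='String'; Want='Public computer - read before use'
     Why='Logon banner title warning guests about shared-machine risk' },
  @{ Path="$pol\System";   Name='legalnoticetext';       Type='String'; Want='This is a shared computer. Do not enter banking or personal credentials; assume anything typed here may be captured.'
     Why='Logon banner body text' },
  @{ Path="$pol\Explorer"; Name='NoDriveTypeAutoRun';    Type='DWord';  Want=255
     Why='AutoRun/AutoPlay disabled for every drive type (0xFF)' },
  @{ Path="$pol\Explorer"; Name='NoAutorun';             Type='DWord';  Want=1
     Why='Ignore autorun.inf commands on removable media' },
  @{ Path="$pol\System";   Name='InactivityTimeoutSecs'; Type='DWord';  Want=900
     Why='Lock idle sessions after 15 minutes (machine inactivity limit)' }
)

foreach ($c in $checks) {
  # Read the current value; a missing value is reported as $null and fails the check
  $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
  if ($cur -eq $c.Want) { Write-Host "PASS  $($c.Name): $($c.Why)"; continue }
  Write-Host "FAIL  $($c.Name): is '$cur', want '$($c.Want)'  ($($c.Why))"
  if ($Fix) {
    if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
    New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType $c.Type -Value $c.Want -Force | Out-Null
    Write-Host "      -> applied"
  }
}

# Least privilege: the guest-facing logon account must not be a local administrator.
# Get-LocalGroupMember returns names as COMPUTER\Account, so keep only the account part.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name | ForEach-Object { $_.Split('\')[-1] }
foreach ($acct in @('Guest', 'BusinessCenter')) {   # 'BusinessCenter' is an assumed account name
  if ($admins -contains $acct) { Write-Host "FAIL  $acct is a member of Administrators" }
  else                         { Write-Host "PASS  $acct is not a local administrator" }
}
```

Run without -Fix first to see which items differ from the recommended state; the audit does not cover VLAN segmentation or browser settings, which are configured outside the registry keys checked here.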