Keyloggers in Hotels


What is a keylogger?

A Keylogger records which keys are pressed on a computer keyboard. It can be used to obtain passwords or encryption keys, and bypass other security measures.

Hardware keyloggers can be embedded in the internal PC hardware, or can be inserted between the CPU box and the keyboard cable. Adversaries must have physical access to the PC, something easy in computers that can be used from all hotel guests, or computers left in hotel rooms (from guests that believe that nobody knows their password, so nobody could have access to their systems and data).

Keylogging hardware includes recording devices that look like a USB drive, and gadgets that can record the Bluetooth communication between a wireless keyboard and a computer.

Software keyloggers are easy to install on victims’ devices. They do not harm the infected computers, but they are work behind the scenes, capturing all keystrokes while the computers continue to operate normally. Phishing and social engineering attacks are often effective, and websites with useful or free programs and applications are often bundled with keyloggers.

By clicking a link or downloading an attachment in a phishing email, text message, instant message, or social media post, or by downloading a legitimate file or application, you can accidentally download malware that tracks keystrokes. Keyloggers can also infect our systems when we connect it to an already-infected device or system, or open emails with attachments from trusted but infected sources.

Keyloggers can even log clipboard text, record information that users cut and paste from other documents, track activity like opening folders, documents, and applications, take and record screenshots, and of course can grab all codes and passwords.

Keylogging and screen-grabbing malware is a very effective attack vector in hotels, as it infects endpoint devices to gain access to networks. Attackers have full access to everything the user enters at the keyboard or displays in a local application.

Keyloggers can send the information they harvest over the internet to the persons that control them, sometimes encrypting or disguising the data sent.


How can keyloggers be legal?

Commercial keyloggers are sold to parents who wish to monitor their children's online activities, something that is generally considered legal if the parents own the computers being monitored.

There are keyloggers on computers in schools and offices, something that in many jurisdictions is legal if it is used for legal purposes.



Keylogger Malware in Hotel Business Centers, from the US Homeland Security, in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC) and the United States Secret Service (USSS).

The United States Secret Service (USSS) has investigated incidents where malicious actors installed keylogger malware via publicly accessible hotel business center computers. This advisory provides additional information about the campaign as well as recommendations to stakeholders in the hospitality sector to both better secure publicly available computers and advise end users of the risk they accept when accessing these machines.


Summary

As data breaches continue to result in devastating consequences for individual victims and often high reputational and financial risk for the entities that were breached, it’s important to understand the balance of risk and convenience that your organization has chosen.

Analysis from companies like Symantec, Trustwave and Verizon all reveal that data breaches have increased at an alarming rate since at least 2011. Unfortunately many of the reports state that malicious actors have targeted the Hospitality subsector over most others in that time frame.

The following is an advisory for owners, managers and stakeholders in the hospitality industry, which highlights recent data breaches uncovered by the USSS.

The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software. The malicious actors were able to utilize a low cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guest’s information.

The NCCIC and the USSS have provided some recommendations at the end of this document that may help prevent similar attacks on publicly available computers.


Threat

The USSS North Texas Electronic Crimes Task Force recently arrested suspects who have compromised computers within several major hotel business centers in the Dallas/Fort areas.

In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software.

The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts.

The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.

The USSS recommends that hotels in the area be on alert and take immediate action to determine if their business center computers have been infected by similar malware and to conduct a risk assessment of their publicly accessible machines.

Although these specific breaches occurred outside of the hotel’s enterprise system and the malicious activity was contained to stand-alone computers with segmented internet access, this type of exposure to patron data can result in significant impacts to consumer confidence, brand reputation and in some cases legal or financial liabilities.

This particular type of criminal activity highlights the importance of the need for physical and network security to work together as they are dependent on each other.

Physical events can have cyber (logical data flow) consequences and cyber events can have physical consequences. As a dual mission agency, the United States Secret Service has long recognized the importance of this methodology in its Protective mission of protecting people and events.

The USSS Critical System Protection methodology focuses on both the physical and local (cyber) assessment of events and has recognized that to be truly effective in protecting any system, you must establish, monitor and maintain control over both the physical and logical access of your assets.


Recommendations

The NCCIC and the USSS North Texas Electronic Crimes Task Force recommend that hotel managers, owners and other hospitality industry stakeholders consider contacting their network administrators to request that:

• A banner be displayed to users when logging onto business center computers; this should include warnings that highlight the risks of using publicly accessible machines.

• Individual unique log on credentials be generated for access to both business center computers and Wi-Fi; this may deter individuals who are not guests from logging in.

• All accounts be given least privilege accesses; for example, guests logging in with the supplied user ID and password should not be able to download, install, uninstall, or save files whereas one authorized employee may have a need for those privileges to carry out daily duties.

• Virtual local area networks (VLANs) are made available for all users, which will inhibit attackers from using their computer to imitate the hotel’s main server.

• All new devices are scanned (e.g. USB drives and other removable media) before they are attached to the computer and network; disabling the Auto run feature will also prevent removable media from opening automatically.

• Predetermined time limits are established for active and non-active guest and employee sessions.

• Safe defaults are selected in the browsers available on the business center desktops (e.g. Internet Explorer, Mozilla Firefox). Options such as private browsing and ‘do not track’ for passwords and websites are some of the many available.


Cyber Risk GmbH, some of our clients