Attackers are increasingly targeting computers in hotel business centers to steal sensitive information, the US Secret Service has warned.

A law enforcement task force arrested members of a criminal gang who allegedly installed keylogger malware on computers in several Dallas/Fort Worth area hotels, according to an advisory obtained by security writer Brian Krebs this week. The advisory appears to have been distributed to companies in the hospitality industry on July 10, Krebs said.

“The suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” according to the advisory, which is available on the Krebs on Security site.

The malware then captured everything typed by hotel guests using the computers in the business center and emailed the information to the attackers. The attackers appear to have stolen guests’ “personally identifiable information (PII), login credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers,” according to the advisory.

“That’s bad news if you’re away on holiday and need to use the internet to book outings or communicate with your family back home, and it’s bad news if you’re travelling on business and need to keep in touch with head office,” said security writer Graham Cluley on the Hot for Security blog.

The advisory recommended that hotels lock down the computers to not run with Administrator privileges (always good advice), but in this case won’t be sufficient, as Krebs and other security experts warned, as many modern keyloggers can be installed with just user privileges.

“The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware,” and there is no easy way for the guest to know for sure, Krebs wrote. People should not be using public terminals for anything more than browsing the Web—if users on the road need to print something (say boarding passes for a flight), it’s best to create a throwaway email address and forward the information to that before logging in via the public computer, Krebs said. That way the main email account remains safe.

“It’s easy to imagine how such a booby-trapped computer might outwit a holiday maker, or could even be used in targeted attacks if a particular business conference was being held at the hotel,” Cluley said.

Leave a Reply