We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Computer Trojan horse steals credit card details from hotel reception software

A remote access Trojan horse (RAT) that targets hotel point-of-sale software is being advertised on underground forums

A remote access computer Trojan (RAT) designed to steal credit card details from hotel point-of-sale (PoS) applications is being sold on the underground forums, researchers from security firm Trusteer said in a blog post on Wednesday.

Trusteer security researchers found an advertisement on a black market forum for a custom RAT designed to infect hotel front desk computers and steal customer credit card and billing information.

The seller was offering the computer Trojan, together with instructions on how to trick hotel front desk managers into installing it on their computers, for US$280. The seller also claimed that the malware won't be detected by any antivirus program when it's delivered to the buyer.

Malware writers often repackage their malicious installers with new algorithms in order to evade signature-based antivirus detection, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender.

The repackaged samples can then be delivered via email or instant messaging without being stopped at the network perimeter. However, if an antivirus product with strong heuristic and behavioral detection capabilities is running on the targeted systems, the malware should be blocked at execution time, Botezatu said via e-mail.

The hotel RAT's seller specified in the ad that the malware doesn't collect card security numbers, also known as CVV or CID, but this doesn't necessarily make the rest of the stolen information less useful to cybercriminals.

Some merchants are allowed to charge cards without the CVV details, especially in the U.S., Botezatu said. However, even if that wasn't the case, the data can still be used to phish the security codes from the card owners themselves or to search for the codes in existing data dumps that resulted from older phishing attacks, he said.

Most remote access computer Trojans have the capability to take screenshots, record keystrokes, download/upload files and execute arbitrary code, which makes them suitable for many types of cybercriminal operations.

The hotel RAT advertisement included screenshots of a particular PoS application, but its functionality might not be restricted to that specific program.

"The strength of RATs is their generic nature -- they can be used to attack many different applications in use by many industries," said Amit Klein, Trusteer's chief technology officer. "We've seen RATs used against internal applications, banking applications, defense industries, etc."

Hotels typically have a limited IT staff or knowledge of malware and they handle a large number of credit cards on a daily basis, which makes them a perfect target, said Yaron Dycian, Trusteer's vice president of products, via email.

The fact that the RAT's creator decided to target the hospitality industry is consistent with a recently observed change in the focus of cybercriminals -- an expansion from online banking attacks to attacks against PoS systems.

"I think the main reason for this shift, or diversification, is the fact that POS machines, and some business machines serve as 'mini repositories' where information about many victims can be collected at once," Klein said via email. "This is in contrast with consumer machines which typically expose one or two accounts."


IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model