November 11, 2014

Luxury Hotel Guests Targeted By ‘Darkhotel’ Malware

John Hopton for redOrbit.com - Your Universe Online

Luxury hotels have been the target of a hack called “Darkhotel,” in which the private data of business executives and other high-profile guests is being obtained through the hotels’ Wi-Fi connections.

The security research firm Kaspersky Lab, which revealed the problem, said that it has been going on possibly since as early as 2007 and concerns mainly, but not exclusively, hotels in Russia and Asia.

Japan, Taiwan, China, Russia and South Korea are thought to be the primary centers of the hacking operation, although no specific hotels are named.

Guests log on to the hotels’ Wi-Fi systems using their surname and room number, and are then unwittingly encouraged by the hackers to download what Kaspersky Lab refers to as a “welcome package” posing as updates for legitimate software such as Google Toolbar, Adobe Flash or Windows Messenger. Once the guests have downloaded it, the hackers can infect their computers with keyloggers, Trojans and other software that enables them to steal passwords, record keystrokes and obtain private data. After the required information is collected, all traces of the hack are removed and the guests log off without ever having noticed a problem.

Kaspersky Lab explains that Darkhotel, “has lurked in the shadows for at least four years while stealing sensitive data from selected corporate executives travelling abroad. Darkhotel hits its targets while they are staying in luxury hotels. The crew never goes after the same target twice; they perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high profile individual.”

As well as exposing cached passwords in Firefox, Chrome and Internet Explorer - and login details for Gmail Notifier, Twitter, Facebook, Yahoo! and Google - high profile guests have had sensitive corporate information stolen, and the hackers can even gain access to company networks. Kaspersky Lab lists recent victims as “top executives from the US and Asia doing business and investing in the APAC region: CEOs, senior vice presidents, sales and marketing directors and top R&D staff.” High profile representatives of non-governmental organizations (NGOs) have also been targeted.

Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said: “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

Along with these pinpointed attacks, Darkhotel malware has been spread indiscriminately. "The mix of both targeted and indiscriminate attacks is becoming more and more common in the APT (Advanced Persistent Threat) scene," said Baumgartner. "Targeted attacks are used to compromise high-profile victims and botnet-style operations are used for mass surveillance or performing other tasks such as DDoSing (distributed denial-of-service attacking) hostile parties or simply upgrading interesting victims to more sophisticated espionage tools."

Kaspersky Lab’s advice to protect against Darkhotel as much as possible is to remember that when traveling, any network, even semi-private ones in hotels, should be viewed as potentially dangerous, and to:

- Choose a Virtual Private Network (VPN) provider – you will get an encrypted communication channel when accessing public or semi-public Wi-Fi.

- When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.

- Make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection.
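The second piece of advice, confirming that an update installer is signed by the vendor it claims to come from, can be turned into a routine check on Windows. The following function is an added example, not code from the article or from Kaspersky Lab; it uses the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets, and the installer path, expected publisher name and optional expected hash are assumed inputs that the reader supplies.

```powershell
# Added example (not from the article or Kaspersky Lab): refuse to run an
# "update" installer unless it carries a valid Authenticode signature whose
# signer matches the vendor we expect. $InstallerPath, $ExpectedPublisher and
# $ExpectedSha256 are assumptions supplied by the caller.
function Test-UpdateInstaller {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        # Common Name expected in the signing certificate's subject. The exact
        # string differs per vendor; the value used below is only illustrative.
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional: SHA-256 published by the vendor on its own site, for a second
        # check that does not rely on the hotel network at all.
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath

    # Anything other than 'Valid' means the file is unsigned, has been altered
    # after signing, or chains to a certificate Windows does not trust.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature alone is not enough: a fake update can be validly signed
    # by an unrelated publisher. Require the expected vendor in the subject CN.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch ("CN=" + [regex]::Escape($ExpectedPublisher))) {
        Write-Warning "Signed by unexpected publisher: $subject"
        return $false
    }

    # Optional out-of-band check against a hash obtained from the vendor's site.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "SHA-256 mismatch: expected $ExpectedSha256, got $actual"
            return $false
        }
    }

    Write-Host "OK: '$InstallerPath' is validly signed by '$subject'"
    return $true
}

# Example call with placeholder values (constructed; adjust to the real vendor):
# Test-UpdateInstaller -InstallerPath 'C:\Downloads\flash_update.exe' `
#                      -ExpectedPublisher 'Adobe Inc.'
```

The point of the two separate checks is that the attack described above relies on the victim trusting the download itself. A signature check stops an unsigned or tampered binary; the publisher-name check stops a binary that is signed, but by someone other than the vendor being impersonated. Pairing this with a hash fetched later over a trusted connection removes the hotel network from the decision entirely.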

No specific companies have been named as potential victims, but around 90 percent of Darkhotel infections have been identified in Japan, Taiwan, China, Russia and South Korea, with other areas of concern being the United States, the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy, and potentially more.
