Cyber criminals: the unwanted guests checking into hotel networks

Updating your property’s cyber security systems and educating staff are key to avoiding damaging cyber attacks, says Greg Sim of Glasswall Solutions.

Fancy Bear may sound like the name of a boutique hotel nestled on a picturesque mountainside, but it’s actually the moniker of one of the world’s most infamous hacking groups. Known for targeting the likes of both the US and French presidential elections as well as the World Anti-Doping Agency, Fancy Bear has recently turned its attention to hotel Wi-Fi networks.

Unsuspecting hoteliers would be right to question what they might have done to deserve this attention – if it’s simply down to poor service, would a one-star TripAdvisor review not suffice? The truth is that Fancy Bear is less interested in the organisations that run the hotels and more interested in securing unbridled access to their guests.

Hotels attract senior figures who represent all kinds of organisations, movements and causes, providing them with a comfortable location for business meetings and conferences. For the cyber criminals, being able to access those individuals’ machines and devices as they log on to the hotel Wi-Fi exponentially increases the potential for opening up entire organisational networks.

Fancy Bear’s diversification is a high-profile example of an increasing, worldwide phenomenon – that of hackers targeting the hospitality and retail sectors with malicious emails. Data breaches have been reported this year in the US at InterContinental Hotels Group, fast food chain Arby’s, gentlemen’s clothier Brooks Brothers and Kmart. In the UK, Wonga, Sports Direct, ABTA and Tesco Bank have also received unwanted attention from hackers.

Emails are the common thread
Certainly in the most recent attacks, the common element is that the initial delivery of malicious software begins with an email, often one disguised as emanating from a colleague or contact. It often only takes one or two clicks and the attack commences.

Many sources within the cyber security industry have been reporting big surges in these email-based attacks, with a malicious payload often hidden in attachments. Symantec reported that the rate of infection among emails was one in 359 in July this year, compared with one in 451 in June. Another security vendor reports a 250 per cent increase in campaigns using emails with malicious payloads in the second quarter of this year, with a marked increase in the use of attachments rather than links and much greater variety in the types of malware. These attacks, once successful, have involved the theft of email details so that more spam emails are created to further spread the malicious software.

Where retail and hospitality organisations are targeted, most cyber criminals seek to steal customers’ payment card and personal details with a view to extracting cash in one way or another. Retailers in particular have ever-growing volumes of data about individual customers that are built up through sophisticated loyalty schemes. Being the banking arm of a major retailer, Tesco Bank, for example, was a very attractive target, having not just the details of its customers, but also their money. When it was breached in 2016, some 40,000 accounts were affected and money was stolen from 20,000 customers.

Fancy Bear, also known as APT28, appears more intent on disruption, however. Once its emails have been opened, it uses the EternalBlue tool allegedly developed by security services in the US, allowing malware to spread itself autonomously. Throughout July, the group was very active, sending out malware hidden in emails sent to numerous companies in the hospitality sector in Europe and the Middle East.

This is not to suggest that the world’s hacking groups have voted en masse to target retail and hospitality in this year’s email campaigns. They are still interested in other organisations. So far this year, attacks against HBO have succeeded in stealing episodes of Game of Thrones, Curb Your Enthusiasm, Insecure, Ballers, Barry and The Deuce. Yet July was also reported to be a big month for less headline-grabbing attacks on agriculture, forestry and mining in the US.

Changing to stay the same
Tradition is good for hospitality, but bad for security. Unfortunately, many organisations have still not grasped the nettle of email security, failing to understand that the file types used every day to share important information – standard files like Word docs, Excel spreadsheets and PDFs – are also the most common attack vectors for the distribution of malware. They also continue to believe that providing traditional border security, including firewall, anti-spam, anti-virus and even more recent sandboxing technologies, will suffice.

This makes it relatively easy for today’s devious minds to get inside an organisation with a spoofed email or phishing attack, using an attachment containing a piece of malicious code. With adversaries such as Fancy Bear, defences that rely on prior recognition of a threat’s signature are bound to fail. Hacking groups such as these are highly resourceful people who constantly refine and adapt their tools to slip unnoticed past defences that are vainly searching for what was a threat last year or last month.

With email utterly essential to business, it is up to organisations to adopt technologies that are more appropriate to the new era of fast-evolving, sophisticated attacks and which do not rely on the prior identification of threat signatures. Yet businesses must also educate employees and instil best practice procedures. It is the combination of smarter technology and smarter employees that will help ensure Fancy Bear and Co do not find a warm welcome inside the hospitality and retail industries.
