
“Inhospitality” malspam campaign targets hotel industry – Sophos News

Sophos X-Ops has issued a warning to the hospitality industry about a campaign targeting hotels worldwide with password-stealing malware. The attackers use social engineering to gain the trust of their targets, opening with emails about service problems or requests for information. The methodology resembles one that Sophos X-Ops uncovered in the run-up to the US federal tax filing deadline in April 2023. The initial emails contain only text, with no links or attachments, and are written to prompt a quick reply. Once the target responds, the threat actor sends a follow-up email with a link to what is claimed to be more information. The social engineering falls into two buckets: complaints about serious incidents, or requests for information ahead of a future booking. Sophos X-Ops has briefed representatives of the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) about the campaign, which is hitting the industry during the busy holiday travel season.

The content of the emails sent by the threat actor ranges from allegations of violent attacks or bigoted behavior by hotel staff to claims of stolen or lost items. Other emails request information about accommodations for someone with severe allergies, support for a business meeting, or accessibility within the hotel for disabled or elderly guests. Once the hotel responds to the initial inquiry, the threat actor sends a message with a link that supposedly leads to documentation or evidence supporting the claim or request. The link actually leads to a malicious payload wrapped in a password-protected archive. The links point to public cloud storage services such as Google Drive, and the body of the message contains the password the recipient is told to use to open the archive; because the archive is encrypted, the hosting service has nothing it can scan. A common trait of the emails, as in most successful malspam campaigns, is that they play on emotion and the target's desire to help.

The malware payloads themselves are designed to evade detection. The archives are password-protected, which prevents the hosting cloud service from scanning their contents. When unpacked, the executables have characteristics that help them elude immediate detection: they are larger than typical executables and are padded with filler bytes, a common way of exceeding the file-size limits that some scanners and sandboxes apply. The majority of the samples are signed with valid code-signing certificates, some of them newly obtained during the campaign, while others appear to be counterfeit. This matters because some endpoint protection tools exclude executables with valid signatures from scanning, or only check that a certificate is present without validating it; the presence of a signature block in a binary says nothing about whether the chain is trusted, the certificate is unrevoked, or the signer is who the subject claims to be. The malware delivered is Redline Stealer or Vidar Stealer, both simple but effective password-stealing families.
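The two file-level evasions described above, password-protected archives that the cloud host cannot inspect and executables inflated with filler bytes, can both be checked for in a mail-gateway or triage script without opening the archive. The following Python is an added example written for this page, not code from Sophos or from the campaign's tooling; the archive and executable bytes are constructed inline, and the size and filler thresholds are illustrative assumptions rather than vendor-published values.

```python
"""Triage checks for password-protected archives and filler-padded executables.

Added example for this page; not Sophos code. All samples are constructed.
"""
import struct
import zlib
from collections import Counter

ZIP_LOCAL_HEADER_SIG = 0x04034B50
ZIP_LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # 30-byte ZIP local file header
ZIP_LOCAL_HEADER_LEN = struct.calcsize(ZIP_LOCAL_HEADER_FMT)
FLAG_ENCRYPTED = 0x0001                  # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008            # bit 3: sizes are stored after the data


def encrypted_zip_entries(data: bytes) -> list:
    """Names of entries whose local file header carries the encryption flag.

    Walks local headers rather than the central directory, so a truncated or
    deliberately damaged archive still reveals which entries are locked.
    """
    names = []
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + ZIP_LOCAL_HEADER_LEN > len(data):
            break
        fields = struct.unpack_from(ZIP_LOCAL_HEADER_FMT, data, pos)
        flags, csize, name_len, extra_len = fields[2], fields[7], fields[9], fields[10]
        start = pos + ZIP_LOCAL_HEADER_LEN
        name = data[start:start + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        # With a data descriptor the header's csize is 0, so step past the
        # header only and let find() locate the next signature.
        skip = 0 if flags & FLAG_DATA_DESCRIPTOR else csize
        pos = start + name_len + extra_len + skip
    return names


def dominant_byte_ratio(data: bytes) -> float:
    """Share of the file taken by its single most common byte value.

    Ordinary executables usually stay below about 0.5 even with section
    padding; samples inflated with filler bytes (typically 0x00) sit well above.
    """
    if not data:
        return 0.0
    return max(Counter(data).values()) / len(data)


def triage_executable(data: bytes, size_limit: int = 8 * 1024 * 1024,
                      filler_limit: float = 0.6) -> list:
    """Reasons an unpacked binary looks like the padded samples in the campaign.

    size_limit and filler_limit are assumed thresholds for illustration.
    """
    reasons = []
    if not data.startswith(b"MZ"):
        reasons.append("not a PE image")
    if len(data) > size_limit:
        reasons.append(f"oversized: {len(data)} bytes")
    ratio = dominant_byte_ratio(data)
    if ratio > filler_limit:
        reasons.append(f"filler bytes: {ratio:.0%} of file is one byte value")
    return reasons


def _zip_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Hand-build one stored (method 0) local file header plus its data."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(ZIP_LOCAL_HEADER_FMT, ZIP_LOCAL_HEADER_SIG, 20, flags, 0,
                         0, 0, zlib.crc32(payload), len(payload), len(payload),
                         len(name), 0)
    return header + name + payload


# Constructed samples (not real campaign artifacts): one plain entry and one
# entry with the encryption flag set, with opaque bytes standing in for the
# encrypted stream.
SAMPLE_ARCHIVE = (_zip_entry(b"readme.txt", b"see attached evidence", False)
                  + _zip_entry(b"Evidence_Photos.exe", bytes(range(0x10, 0x50)), True))

PADDED_EXE = b"MZ" + b"\x90" * 100 + b"\x00" * 900   # ~90% filler bytes
PLAIN_EXE = b"MZ" + bytes(range(256)) * 4               # no dominant byte value

if __name__ == "__main__":
    print("encrypted entries:", encrypted_zip_entries(SAMPLE_ARCHIVE))
    print("padded sample:", triage_executable(PADDED_EXE))
    print("plain sample:", triage_executable(PLAIN_EXE))
```

The archive check needs only the local headers, so a gateway can flag an encrypted attachment or a downloaded archive before anyone types in the password from the email body; the executable check is meant for the unpacked payload, where a single byte value making up most of the file is a strong hint of deliberate inflation.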

To mitigate the risk of falling victim to this campaign, hotel staff should treat password-protected archives delivered through cloud-storage links as suspicious by default, especially when the password arrives in the same message, since that pattern exists precisely to defeat scanning. They should avoid opening links or downloading files from unknown senders, and a guest complaint or booking inquiry does not make a sender known. Hotels should keep endpoint protection up to date and configured to scan signed executables rather than trusting a signature outright, and should train front-line staff, who are expected to respond quickly to guest complaints, to recognize and report this pattern.
