Over the last few years, hotels have often been a target of cyber criminals. Their databases contain a treasure trove of information that can be very useful on the black market for identity fraud including names, passport or driver’s license numbers, addresses and payment details. Bad actors have numerous ways they try to trick hotel employees into providing them with access to these databases. For example, last year there was a “significant cybercrime campaign targeting hotel front desk systems,” says Steve Tcherchian, Chief Information Security Officer, XYPRO. Why? Because “Front desks are often the busiest part of a hotel, [and] the front desks job is to help people as quickly as effectively as possible, so security ends up being an afterthought.”
Criminals sent targeted phishing messages that looked like an invoice for a service or a reservation request for a large group. When opened, the attachment installed a malicious payload on the front desk computer allowing the hacker to take over the system and access every part of the hotel system that the front desk had access to, he explains.
“By some accounts, upwards of 20 different hotels fell victim to this attack,” Tcherchian adds.
With the spread of COVID-19, criminals have an even larger group of distracted hospitality professionals to target. Staff are distracted by spouses, kids and pets while working from home – making them more likely to forget or ignore security basics. And all Americans are beset by fear, doubt and a sense of urgency due to the COVID-19 pandemic. These are emotions that that cybercriminals prey upon to encourage poor decision making such as clicking on virus-laden emails, inputting login credentials without first carefully checking website URLs, or divulging other forms of private information.
“It was not long before hackers started exploiting global fears about the coronavirus outbreak,” says Atif Mushtaq, CEO of anti-phishing firm SlashNext. “These hackers have sensed an opening since the World Health Organization declared the rapid worldwide spread of coronavirus to be an international public health emergency. For cyber criminals, such a potential worldwide pandemic is the best kind of news story because it creates an opportunity to take advantage of public fears and anxieties.”
In fact, according to Barracuda Networks there were 137 coronavirus-related spear-phishing attacks in January 2020. In February that number rose to 1,188 and between March 1 and March 23 the number escalated to 9,116 attacks. This represents a 667% increase since the end of February.
In addition to the fear and anxiety, many within the hotel and restaurant industry have experienced drastic cuts to their teams due to downsizing. This often means that they’re taking on additional roles and responsibilities.
“This increased pace of business, augmented by a distracted psyche, may make an ordinarily very astute and cautious employee click on something simply because they’re rushing to get through 200 emails instead of 75, or because they’re otherwise distracted,” said Kristen Menard, Director of Managed Security Services at Claro Enterprise Solutions, an IT service provider.
The Work from Home Factor
Unfortunately, the common mandate across the United States for employees to work from home when possible has only improved bad actors’ chances of being successful. How so? Employees often do not realize that working remotely puts them outside their company’s network security perimeter, without access to the normal anti-phishing defenses it provides, Mushtaq adds. This is especially true for workers who rely on mobile devices because small screen sizes and information formats hide important clues and full URLs.
In fact, research suggests that users are three times more likely to click on a malicious URL on a mobile device be it delivered through SMS, social messaging or email, compared to email on a desktop or laptop computer, says Christoph Hebeisen, Director, Security Intelligence Research at Lookout.
For this reason, hotel staff members should be especially diligent during this time and have a healthy distrust of digital communications or any unusual requests, whether they come via emails or other means. They should also be reminded to use any security training and best practices they’ve been taught to spot phishing threats before providing credentials or sensitive data, Mushtaq notes.
Working from home also means that many employees are using collaboration tools they’re not familiar with to share files – sometimes with sensitive data – with colleagues, says Maor Hizkiev, Co-Founder and CTO at BitDam. These types of tools include Microsoft Team, Slack, Google Hangouts and Zoom. However, employees are not necessarily taking the required precautions to ensure the data being shared across these applications is safe.
“These services are extremely helpful to get work done, but they also provide a whole new attack surface to attackers that needs protection,” Hizkiev adds. “Sharing links or files across these collaboration channels with customers, business partners, vendors or any other stakeholders could be risky and endanger the entire organization with a ransomware or data breach.”
What’s an IT department to do?
According to Heather Paunet, Vice President of Product Management at Untangle, IT departments and key leadership members need to determine and outline business-critical applications and functions that need to be accessed outside of the office. For example, human resources and finance departments might use specific software to process payments or maintain employee records. Accessing these programs outside the office can be done, but IT teams should ensure additional security precautions are put in place which include secure VPN logins and two-factor authentication. Additionally, IT departments should proactively review which files are accessible to which employees, especially those files that contain sensitive data, and then update permissions and ensure that only those who need access to certain files have it.
“For example, the front desk concierge at a hotel should be able to confirm full guest information, but staff working in the adjacent spa do not need this same access,” Paunet says.
As a matter of best practice, IT departments should insist work-from-home employees take a refresher course in basic cybersecurity awareness, notes A.N. Ananth, Chief Strategy Officer at Netsurion. Companies also should provide their own unique guidelines about connecting to their network via VPN or other specific instructions.
IT departments can also make risk-assessments of remote workers’ computing setups, take inventory of devices attaching to the office network, ensure device security (multifactor authentications, mandated antivirus etc.), and implement a zero-trust approach, says Swapnil Pitale, Global Practice Head - Intelligent RPA & Cognitive, at LTI. Intelligent Automation (IA) can play a vital role here especially in automating areas where there could be a Data breach and Data Leakage (by automating tasks around Data Collection, Data Analytics, Automated Reporting, False Positives and many more). IA use cases could also be leveraged to ensure adherence to security regulations and compliance.
IT staff could also invest in an advanced endpoint protection solution – these significantly aid IT security teams in detection and response, says Harrison Van Riper, Threat Research, Team Lead at Digital Shadows. They can also implement extensive use of VPNs with an always-on model – so that each users’ device must be connected to the designated VPN to access any company resource – to help reduce man-in-the-middle attacks.
Identity access controls should also be augmented to mitigate the impact of lost or stolen credentials, Van Riper adds. Digital Shadows recommends multi-factor authentication for access to every corporate resource.
DON’T FORGET ABOUT INTERNAL DEFENSES
While focusing on external defenses is always important, Michael Bruemmer, Vice President of Data Breach Resolution and Consumer Protection at Experian, urges IT departments to also shore up internal defenses.
“Often, organizations get too focused on the external portion of a security defense program,” he explains. “However, once a cybercriminal gets inside the system the rest of the fences are too soft. So it is easy for the thieves to wreak havoc from that point.”
This is especially important as Bruemmer notes that hackers are taking a very long-range view of exploiting businesses during the pandemic.
“They are being more patient than ever and infiltrating systems and then just remaining ‘hidden,’” he adds. “They are taking time to do this across all industries that are being affected by the pandemic. As soon as we get the ‘back to normal’ order, businesses are going to focus on everything else to get back on track. Cybersecurity may not be a top priority, and then the hackers will spur into action.”
For this reason, Experian recommends that all organizations have a strong monitoring capability “on the inside” to provide alerts to intrusion. And if a cybercriminal is able to make it past perimeter defenses, there still needs to be more hurdles for them to overcome to actually steal data and cause disruption.
Sophisticated IT departments may even try out “deception grids” which are tools that set up fake systems, Bruemmer says. If a criminal is able to make it past the perimeter defenses, it offers them multiple systems to have to navigate without the criminal being able to tell which are real and which are fake. And if a company is alerted to an intrusion in the fake system, they’ll gain a better understanding of how to manage the incident and how to safeguard real data from being exposed or stolen.
Employers should educate employees that phishing scams (email) are not the only way cyber criminals try to steal information from employees. Smishing (text messages) and vishing (phone) are also common methods used. So what type of messaging is being used now, amid the COVID-19 pandemic?
Emails impersonating legitimate public health authorities, businesses.
When cyber criminals use this tactic, their emails often look to come from sources such as the World Health Organization or the U.S. Centers for Disease Control and may contain attachments that claim to educate readers on a non-existent vaccine and treatment offers, medical tests, health insurance notices or other urgent news. For example, in Italy recipients received an email containing an attachment claiming to be a list of precautions to prevent infection, however, it was actually a weaponized MS Word document infected the person’s device with malware, says Darren Guccione, CEO and co-founder of Keeper Security.
Another example of this tactic is of a phishing email that has been circulating recently disguised as a map of real-time data from the WHO. The map itself was a recreation of a real map from the Johns Hopkins Center for Systems Science and Engineering. Not only was this campaign undertaken by the creator, but the hidden malware and template itself was offered for sale to other cybercriminals on dark web forums for them to use as well, adds Harrison Van Riper, Threat Research, Team Lead at Digital Shadows.
Cybercriminals are also mirroring emails from large, reliable medical or business-related sources during this time – think insurance companies, health care facilities, and even hotels, says Heather Paunet, Vice President of Product Management at Untangle. These businesses have been sending information to customers regarding their response efforts to COVID-19 and cyber criminals will often mirror their emails and mask malware within hyperlinks in the email.
Emails impersonating business employees, executive team.
Another way criminals are trying to take advantage of the work-from-home mandate are phishing emails where a criminal infiltrates the company’s systems and impersonates a higher-ranking executive or department manager within that company in order to fraudulently request sensitive documents (e.g. W-2s or other HR paperwork) or to obtain login credentials, says Geoff Lottenberg, partner in Berger Singerman’s Fort Lauderdale office and a member of the Dispute Resolution Team. The accounts payable and receivable departments of hospitality companies are particularly prone to financial-related phishing scams. Usually the perpetrator uses his skills to convince the accounting department to send wires or ACH payments to the incorrect account.
A more targeted variant of these scams, called “whaling,” has been very prominent lately. These are impersonation scams where the perpetrator specifically targets senior-level executives to obtain extremely sensitive financial information or company trade secrets. “Whaling” scams can do a lot of damage in a short period of time, Lottenberg adds.
Employees also need to beware of clicking on malicious websites, which can be difficult since many cybercriminals are “snapping up domain names containing the phrase ‘coronavirus’ and ‘COVID-19’,” Guccione adds. For example, there is currently a website operating on the internet that contains a highly sophisticated, legitimate-appearing novel coronavirus map that contains malware.
Lookout researchers discovered an Android application called “corona live 1.1” targeting Libyan individuals, says ChristophHebeisen, Director, Security Intelligence Research at Lookout. It’s a copy of a legitimate app that provides an interface to the data found on the Johns Hopkins coronavirus tracker, but this version also includes surveillanceware from a company called SpyMax, allowing the app to access a variety of sensitive data on the phone, and even enables a shell terminal and the ability to remotely activate microphone and cameras.