In recent years, the world of hospitality has increasingly found itself in the crosshairs of cybercriminals. With its greater reliance on digital systems plus masses of sensitive customer data, the industry is an attractive and highly prized target, especially by threat actors using malicious emails as their standard MO.
People are bombarded daily with enticing travel deals, reminders of reservations, and hotel account status updates. Whether it’s to steal credit card details, passport numbers, DOBs, addresses, or a host of other personally identifiable information, threat actors are taking advantage of this expected activity to exploit natural human tendencies. A desire for inexpensive travel or fears over an incorrect or mistakenly cancelled reservation can override a target’s instinct that something isn’t quite right with the email they have received.
One financially motivated threat actor tracked by Proofpoint researchers, TA558, has been targeting hospitality, travel, and related industries in Latin America, North America, and western Europe for at least the last five years. This threat actor is intriguing because they engage in smaller scale campaigns sending hundreds of emails that are geography-specific instead of widespread distribution of thousands of emails, hoping someone, somewhere will take the bait and click the accompanying link or open the malicious attachment.
TA558, which amped up its activity levels in 2022, uses emails with reservation-themed lures to drop malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans (RATs). Once inside defenses, RATs can be tasked with reconnaissance, data theft, and distribution of follow-on payloads.
There are many actors like TA558 attracted to the hospitality industry by the potential paydays on offer. For the organizations on the other side, the consequences are likely to be just as game-changing.
Yet, despite these high stakes and expectations that the industry is keeping abreast of the evolving landscape and enacting policies needed to protect against these threats, the industry has traditionally been found wanting when it comes to protecting its data, its customers – and the rest of us. Last year, 12 of the UK’s top hotel brands were found to be without the recommended level of DMARC protection, while several US chains recently received fines running into hundreds of millions of dollars for failing to adequately protect customer data.
Ultimately, there’s no room for complacency. Threat actors like TA558 are constantly engaging in new campaigns to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT. Security teams must stay well informed of such threats to best understand the attacks they face and to build a cyber defense that’s up to the task.
The case of TA558 is indicative of the appeal of hospitality as a target and how threat actors evolve while continuing to use social engineering to coerce targets into acting on the actor’s behalf by clicking a link or opening a malicious email attachment.
In 2018, Proofpoint researchers first observed TA558 sending email campaigns typically loaded with malicious Word attachments that exploited Equation Editor vulnerabilities or remote template URLs to download and install malware. These first campaigns were conducted exclusively in Spanish and Portuguese.
Just a year later, the threat actor expanded its operation, sending macro-laden PowerPoint attachments as well as malicious Word attachments. In December of the same year, TA558 was also observed sending English language lures, casting its malicious communications to a wider audience.
And so, the evolution continued. TA558 increased its English-language operations and stopped using Equation Editor vulnerabilities in 2020, replacing them with malicious Office documents with macros to download and install malware. By 2021, malicious Microsoft documents were accompanied by more elaborate attack chains that included helper scripts and delivery mechanisms such as embedded Office documents within MSG files.
Following Microsoft’s recent announcement that it would disable macros in Office documents by default, TA558 then followed the trend of many modern threat actors and began using container files such as RAR and ISO attachments in their place.
This timeline of events is incredibly common. Threat actors will pivot to whatever works, whether that means switching payloads when old ones become defunct, expanding into new territories or tailoring lures to recent events, causes or cultural talking points.
In the face of evolving approaches like these, it is not enough to defend against generic phishing, malware or email compromise. Hospitality organizations must understand the exact types of threats they face – and the people facing them – to deliver regular, targeted and adaptive security awareness training, built to defend against the current threats of the day.
…require an evolving defense
A single travel booking, journey or hotel stay is punctuated with multiple potential cybersecurity risks. From online enquiries, booking and check-in to billing and aftersales, there are numerous points of entry for threat actors of varying skill levels looking to steal your information or insert themselves into your inbox and your network.
Like many modern cyber threats, attacks on the hospitality industry are predominantly targeted at people rather than infrastructure. Cybercriminals know from vast experience that a well-crafted email can deliver a more impressive return than many more technical and time-consuming methods.
When a single errant click or hastily downloaded attachment is all that stands between these threat actors and your valuable customer data, technical controls are just the starting point. As well as robust email, data and cloud protections, organizations must ensure that users know what to look for if – or, more likely, when – malicious communications get through perimeter defenses.
This is only possible through regular, relevant and up-to-date security awareness training that goes beyond multiple choice check boxes and jargon busting. Every user must understand the role they play in keeping precious customer and company data out of the hands of cybercriminals – and the consequences of failing to do so.
With the hospitality industry creating, accessing and storing more data by the day, it is unlikely to fall off the radar of tenacious threat actors anytime soon. And the attacks it faces will only become more targeted, more elaborate and more frequent. Only by monitoring and adapting to the threat landscape and the nature of these attacks can security teams hope to keep them at bay.