
Booking a hotel this holiday season? Beware of credit-card malware targeting hotels!

Winter holidays are the perfect excuse to take your family to a nice ski resort. But take caution: cybercriminals are busy infiltrating hotel payment systems and covertly scraping credit card information from unsuspecting guests.

Hotel group Hilton is the latest victim in a line of hotels and resorts that have found their systems compromised by point-of-sale malware.

“Hilton Worldwide has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems,” the company admitted in a statement.

The breach exposed card numbers, security codes and names of people who stayed at Hilton between 18 November and 5 December in 2014, and between 21 April and 27 July this year. It affected anyone who used their credit card to buy from a gift shop and pay in coffee shops or restaurants within the Hilton Hotel and franchise properties across the United States.

How did they hack it?

It is still unknown how the attackers gained access to the PoS environment, and there are a variety of ways to do so. They may have used brute-force attacks to discover weak administrator credentials. After avoiding detection and gaining access, attackers may have used RAM scraping and keylogging functionality to collect and exfiltrate data, especially since the cardholder’s data is not encrypted when processed at a point-of-sale terminal. This is a known flaw in payment security standards.

“RAM scraping is an old attack technique that has, in recent years, been repurposed to compromise payment systems,” Bogdan Botezatu, Senior E-threat Analyst at Bitdefender, says. “The malware behind it evolved into a complex and far-reaching malware family, now including socially engineered file names, bot and network functionality. It now boasts improved data exfiltration capabilities – it can search for specific strings of data that look like credit card numbers, save them to a text file and silently steal the information in a couple of seconds.”

Why PoS machines are easy targets

Most PoS breaches occur in the US, where the magnetic stripe or “swipe-and-sign” system is still widely used. The magnetic stripe of the payment card holds the vast majority of the critical payment data and is divided into three areas, known as tracks.


Image Source: SANS Institute

Tracks 1 and 2, which are stored in an unencrypted format, are cybercriminals’ main focus. It is this unencrypted track data that thieves attempt to steal when compromising PoS devices, because it contains the information necessary to create counterfeit cards or make fraudulent online purchases.

The current system requires only the buyer’s signature to authenticate a purchase. Chip-and-PIN cards (used in Europe, for instance) come with an embedded microchip and require the buyer’s PIN, making it harder for cyber-criminals to cash in on credit card fraud. That is why Europeans are a tad safer, for now.

Nonetheless, PoS malware certainly seems to be a growing problem.

News of the hack comes just four days after Starwood Hotels, which operates the Sheraton and Westin chains, announced that hackers had infected payment systems in some of its establishments, potentially leaking customer credit card data.

Other recent victims:

  • Las Vegas’s Hard Rock Hotel & Casino
  • Las Vegas Sands casino
  • Trump Hotels
  • FireKeepers Casino and Hotel

And let’s not forget that in 2014, the retail industry was responsible for the largest number of identities exposed. Driven by “America’s fastest-growing crime,” President Obama even signed an Executive Order meant to strengthen the security of credit, debit and other types of payment cards.

“While there is no silver bullet to guarantee data security, the President is signing an Executive Order to implement enhanced security measures, including securing credit, debit, and other payment cards with microchips in lieu of basic magnetic strips, and PINs, such as those standard on consumer ATM cards,” the White House said.

How to protect PoS systems

Fortunately, there are several methods to protect PoS terminals.

“A point of sale system is simply a Windows PC with some devices connected to it like a slip printer, a bar code scanner and a cash drawer,” Bogdan Botezatu says. “So, protecting it with an antivirus solution for Windows is a feasible option.”

To mitigate this problem and increase immunity to breaches in 2016, businesses also need to examine their detection capabilities regularly and carry out a few other essential tasks:

  • Regularly assess risks and vulnerabilities of the system.
  • Keep the operating system and any endpoint security programs up to date.
  • Secure PoS devices against software and hardware manipulation.
  • Patch vulnerabilities as soon as possible.
  • Use intrusion detection software to detect abnormal behavior on the network.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.


  • Interesting. I stayed in a Boston-area Hilton overnight due to my flight being canceled by the Boston Marathon bombing (April 15, 2013). I had just received a new Amex after the preceding card had been compromised. My credit card was swiped to allow for charges for minibar use, etc. but was never charged as I used nothing. There were only two other uses of the card (new number) and both were Avis rentals. Then, looking at my bill online I saw pending charges for "electrical goods" from a company in NJ.

    I called Amex but as the charges were pending they do not take immediate action. I went so far as to email the owner of the company to warn them that it was a fraudulent sale. I tried to point out to Amex that this would seem to be an "easy" fraud investigation as it was either Avis or the hotel who "leaked" (charges were almost $1000) but they just seem to accept a certain amount of hacking/fraud takes place and politely arrange for yet another new card to be delivered.