Booking a hotel this holiday season? Beware of credit-card malware targeting hotels!

Winter holidays are the perfect excuse to take your family to a nice ski resort. But take caution: cybercriminals are busy infiltrating hotel payment systems and covertly scraping credit card information from unsuspecting guests.

Hotel group Hilton is the latest victim in a line of hotels and resorts that have found their systems compromised by point-of-sale malware.

Hilton Worldwide has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems,” the company admitted in a statement.

The breach exposed card numbers, security codes and names of people who stayed at Hilton between 18 November and 5 December in 2014, and between 21 April and 27 July this year. It affected anyone who used their credit card to buy from a gift shop and pay in coffee shops or restaurants within the Hilton Hotel and franchise properties across the United States.

How did they hack it?

It is still unknown how the attackers got access to the PoS environment. There are a variety of methods to gain access. They may have used brute-force attacks to discover weak administrator credentials. After avoiding detection and gaining access, attackers may have used RAM scraping and keylogging functionalities to collect and exfiltrate data. Especially since the cardholder’s data is not encrypted when processed at a point-of-sale terminal. This is a known flaw in payment security standards.

RAM scraping is an old attack technique that has, in recent years, been repurposed to compromise payment systems,” Bogdan Botezatu, Senior E-threat Analyst at Bitdefender says. “The malware behind it evolved into a complex and far-reaching malware family, now including socially engineered file names, bot and network functionality. It now boasts improved data exfiltration capabilities – it can search for specific strings of data that look like credit card numbers, save them to a text file and silently steal the information in a couple of seconds.”

Why PoS machines are easy targets

Most PoS breaches occur in the US, where the magnetic strip or “swipe-and-sign” system is still widely used. The magnetic stripe of the payment card holds the vast majority of the critical payment data and is broken up into three areas.

Image Source: SANS Institute

Tracks 1 and 2, which are stored in an unencrypted format, are cybercriminals’ main focus. It is this unencrypted track data that thieves attempt to steal when compromising POS devices because it contains the information necessary to create counterfeit cards or make fraudulent online purchases.

The current system requires only the buyer’s signature to authenticate a purchase. Chip-and-PIN cards (used in Europe, for instance) come with an embedded microchip and require the buyer’s PIN, making it harder for cyber-criminals to cash in on credit card fraud. That is why Europeans are a tad safer, for now.

Nonetheless, PoS malware certainly seems to be a growing problem.

News of the hack comes just four days after Starwood Hotels, which operates the Sheraton and Westin chains, announced that hackers had infected payment systems in some of its establishments, potentially leaking customer credit card data.

Other recent victims:

• Las Vegas’s Hard Rock Hotel & Casino
• Las Vegas Sands casino
• Trump Hotels
• FireKeepers Casino and Hotel

And let’s not forget that in 2014, the retail industry was responsible for the largest number of identities exposed. Driven by “America’s fastest-growing crime,” President Obama even signed an Executive Order meant to strengthen security of credit, debit and other type of payment cards.

“While there is no silver bullet to guarantee data security, the President is signing an Executive Order to implement enhanced security measures, including securing credit, debit, and other payment cards with microchips in lieu of basic magnetic strips, and PINs, such as those standard on consumer ATM cards,” the White House said.

How to protect PoS systems

Fortunately, there are several methods to protect PoS terminals.

“A point of sale system is simply a Windows PC with some devices connected to it like a slip printer, a bar code scanner and a cash drawer,” Bogdan Botezatu says. “So, protecting it with an antivirus solution for Windows is a feasible option.”

To mitigate this problem and increase immunity to breaches in 2016, businesses also need to examine their detection capabilities regularly, plus a few other essential tasks:

• Regularly assess risks and vulnerabilities of the system.
• Keep the operating system and any endpoint security programs up to date.
• Secure PoS devices against software and hardware manipulation.
• Patch vulnerabilities as soon as possible.
• Use intrusion detection software to detect abnormal behavior on the network.