Computer Trojan horse steals credit card details from hotel reception software

A remote access Trojan horse (RAT) that targets hotel point-of-sale software is being advertised on underground forums

A remote access computer Trojan (RAT) designed to steal credit card details from hotel point-of-sale (PoS) applications is being sold on the underground forums, researchers from security firm Trusteer said in a blog post on Wednesday.

Trusteer security researchers found an advertisement on a black market forum for a custom RAT designed to infect hotel front desk computers and steal customer credit card and billing information.

The seller was offering the computer Trojan, together with instructions on how to trick hotel front desk managers into installing it on their computers, for US$280. The seller also claimed that the malware won't be detected by any antivirus program when it's delivered to the buyer.

Malware writers often repackage their malicious installers with new algorithms in order to evade signature-based antivirus detection, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender.

The repackaged samples can then be delivered via email or instant messaging without being stopped at the network perimeter. However, if an antivirus product with strong heuristic and behavioral detection capabilities is running on the targeted systems, the malware should be blocked at execution time, Botezatu said via e-mail.

The hotel RAT's seller specified in the ad that the malware doesn't collect card security numbers, also known as CVV or CID, but this doesn't necessarily make the rest of the stolen information less useful to cybercriminals.

Some merchants are allowed to charge cards without the CVV details, especially in the U.S., Botezatu said. However, even if that wasn't the case, the data can still be used to phish the security codes from the card owners themselves or to search for the codes in existing data dumps that resulted from older phishing attacks, he said.

Most remote access computer Trojans have the capability to take screenshots, record keystrokes, download/upload files and execute arbitrary code, which makes them suitable for many types of cybercriminal operations.

The hotel RAT advertisement included screenshots of a particular PoS application, but its functionality might not be restricted to that specific program.

"The strength of RATs is their generic nature -- they can be used to attack many different applications in use by many industries," said Amit Klein, Trusteer's chief technology officer. "We've seen RATs used against internal applications, banking applications, defense industries, etc."

Hotels typically have a limited IT staff or knowledge of malware and they handle a large number of credit cards on a daily basis, which makes them a perfect target, said Yaron Dycian, Trusteer's vice president of products, via email.

The fact that the RAT's creator decided to target the hospitality industry is consistent with a recently observed change in the focus of cybercriminals -- an expansion from online banking attacks to attacks against PoS systems.

"I think the main reason for this shift, or diversification, is the fact that POS machines, and some business machines serve as 'mini repositories' where information about many victims can be collected at once," Klein said via email. "This is in contrast with consumer machines which typically expose one or two accounts."

Join the CSO newsletter!

Error: Please check your email address.

More about BitDefenderetwork

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts