Credit card thieves target Booking.com customers

Staff in the hospitality industry are trained to accommodate their guests, and when they have a few years of experience under their belt you can be sure they’ll have received some extraordinary requests.

Which is something that clever cybercriminals are taking advantage of. Researchers at Perception Point recently documented a sophisticated phishing campaign targeting hotels and travel agencies.

The campaign raised alarm because of the clever scheme deployed to trick staff into installing an information stealer. This part of the campaign consists of highly targeted attacks.

The first stage of the attack typically sees the attackers send a query about a booking or make a reservation. The bookings will always have low or no cancellation costs so the attackers can minimize their investment.

Once the attackers receive a response, they’ll come up with a persuasive reason for the hotel staff to print or study something ahead of their arrival. Examples include medical records for a child or an important map they would like to print out for their elderly parents.

To add a touch of legitimacy and to evade detection, they even provide the hotel representative with a password to unlock these so-called “important files.”

[Image: example of an email requesting hotel staff to open a password-protected Google Drive file]

Image courtesy of Perception Point

In reality, the document contains malware hosted on a file sharing platform, such as Google Drive. The file is encrypted and is only decrypted when the victim enters the password, which also keeps it out of reach of automated scanners. The main executable file often has a misleading icon, such as one that makes it look like a PDF. Once the victim double-clicks on the file, the information stealer (or InfoStealer) is unleashed.

The second step in this attack targets the customers, and was discovered by Akamai researchers.

After the InfoStealer is executed on the original target’s (the hotel’s or travel agent’s) systems, the attacker begins messaging legitimate customers. The message used in this campaign contains a link to what it says is an additional card verification step. In reality, the link triggers an executable on the victim’s machine which gathers information about the browser and presents the recipient with several security validation questions.

Once the victim passes the tests, they are forwarded to a credit card phishing site masquerading as a Booking.com payment page.

Tips for hospitality organizations

Besides having adequate up-to-date real-time protection on your systems, there are some general tips that can keep you out of trouble.

  • Always confirm the identity of anyone requesting sensitive information or access to internal systems.
  • Educate your team so they know how to recognize phishing attempts and where to report potential threats.
  • Invest in an email security solution which makes it harder for phishing emails and unknown malware to reach the intended target.
  • Never click on unsolicited links.
  • Be cautious of messages that create a sense of urgency or threaten negative consequences if you don’t take immediate action.

Tips for consumers

These phishing schemes are exceptionally well thought out and tailored so victims are more likely to click. Still, there are some red flags that can help you prevent falling victim.

  • Double check unexpected communications which ask for additional payments or payment details. There is no harm in asking for clarification or confirmation.
  • Inspect links before you click on them to see whether they lead to where you expect.
  • Do not send information that the booked accommodation should already have or shouldn’t need at all.
  • Be suspicious of urgent or threatening messages asking for immediate action.

Identity theft victims

If you suspect you are a victim of credit card identity theft, the FTC recommends you contact your bank or credit card company to cancel your card and request a new one. If you get a new card, don’t forget to update any automatic payments with your new card number.

To find out if you are a victim:

  • Review your transactions regularly to make sure no one has misused your card, and consider credit monitoring.
  • If you find fraudulent charges, call your bank’s fraud department to alert them.
  • Check your own credit report at annualcreditreport.com.
  • Consider freezing your credit report. This stops new creditors and potential thieves from accessing your credit report.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Posted in: NEWS

Leave a Comment (0) →

Child health data stolen in registry breach

Canadian healthcare organization Better Outcomes Registry & Network (BORN) has disclosed a data breach affecting client data.

BORN—an Ontario perinatal and child registry that collects, interprets, shares, and protects critical data about pregnancy, birth, and childhood—says it was attacked on May 31, 2023.

A subsequent investigation has shown that during the breach, unauthorized copies of files containing personal health information were taken from BORN’s systems. The personal health information that was copied was collected from a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023.

BORN says that the data breach happened as a result of a vulnerability in some software it uses for file transfers, Progress MOVEit. This vulnerability was exploited by a ransomware gang known as Cl0p, before Progress was even aware a vulnerability existed.

Sadly, it’s not just BORN that has had children’s data stolen as a result of that vulnerability. The National Student Clearinghouse (NSC) has also reported that nearly 900 colleges and schools across the US also fell victim to the Cl0p ransomware gang, as a result of using MOVEit to transfer files.

As we have mentioned before, identity theft is a serious problem, especially when it affects children. Identity thieves love preying on minors, simply because it usually takes longer before the theft is noticed.

Countermeasures

BORN states that there are no additional steps you need to take. Its incident summary says:

“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes. We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.”

However, you have every right to be anxious that your child might start receiving credit offers in the mail, or that you might see unexpected activity on their email, phone or bank accounts.

So, if you become aware of anything suspicious, or even just for peace of mind, you can request a security freeze for your child at each of the three national credit bureaus (Experian, TransUnion and Equifax).

When you request a security freeze, the bureau creates a credit report for your child and then locks it down, so that any lender who attempts to process an application that uses your child’s credentials will be denied access to their credit history. This prevents any loans or credit cards being issued in the child’s name. When the child becomes an adult you’ll have to lift the freeze by contacting each credit bureau individually.

Read our tips on how to protect your identity, or, if you believe you are already the victim of an identity crime, contact the Identity Theft Resource Center. You can speak to an advisor toll-free by phone (888.400.5530) or via live chat on its website, idtheftcenter.org.

Webinar: Bridging digital transformation & cybersecurity

Digital transformation may be revolutionizing businesses and the way we operate, but it also presents a notable challenge: How can organizations stay secure amidst the ceaseless tide of change? Our latest Byte Into Security webinar has the answers.

Meet the Experts

  • Marcin Kleczynski, CEO of Malwarebytes, teams up with
  • Chris Brock, Drummond’s Chief Information Officer. Chris shares how his 15-person IT team balanced dramatic organizational changes with maintaining a robust security posture.

On-the-Ground Insights

In the webinar, Chris details:

  • The specific challenges digital transformation posed to his IT team and the broader organization.
  • How Drummond prioritized resources for maximum efficiency and impact.
  • The role of Managed Detection and Response (MDR) in fortifying security, while saving IT time, resources, and budget.

What to Expect

  • Forward-thinking security strategy: Learn about tools and tactics that transition businesses from reactive security measures to proactive protection amidst digital shifts.
  • Tailored training: Security awareness training best practices for businesses of all sizes.
  • Leveraging MDR: Real examples showcasing how MDR was instrumental in Drummond’s digital evolution, helping to close security holes across multiple categories.
  • True IT downtime: How IT professionals can take well deserved vacations without interruption.

If you’re seeking to understand how digital transformation, security, worker productivity and business growth evolve in tandem, this webinar is your roadmap.


TikTok flooded with fake celebrity nude photo Temu referrals

Sites and apps frequently gamify their products and experiences to grow their user base. It’s a relatively easy way to have their customers become more involved thanks to whatever incentives may be on offer. A game here, a rewards program there, and everyone is happy.

Well, almost everyone. If scammers insert themselves into the process then it may not all be plain sailing. Unfortunately, Bleeping Computer is reporting a wave of dubious Temu referral scams pretending to offer up salacious leaks of private celebrity photos.

These scams are being posted to video platform TikTok, where high visibility and the desire for good deals runs the risk of making these fake ads go viral.

Temu, in operation since 2022, is known for offering a wide selection of goods at cheap prices. The site makes use of a rewards system, where users can generate referral numbers and send them to friends and family. The referral links are frequently shared in places like Facebook groups, which offer a combination of discounts. Mobile games tied to the referral process can often increase the discounts still further. This feedback loop of gaming and rewards is quite the successful combination in most instances.

So far, so good. Where this goes horribly wrong is a nasty wave of spam cluttering TikTok with the promise of fake celebrity nudes taking up space on the social network. Using the tagline “If you search it up, be prepared” along with common hashtags like “#anime, #manga, #art”, a variety of photos of celebrities are overlaid with text saying things like “I thought she was innocent”. It’s all very sleazy, tricking the viewer to install the Temu app and enter the referral number to see the supposedly leaked images.

But these images don’t exist; they are just the main bait for the scam. As we’ve seen in the past, leaked photographs and celebrity deepfakes are a potent mix and guaranteed to drive clicks, traffic, or installations. Bleeping Computer cites Jenna Ortega, Brooke Monk, Hailie Deegan, and Olivia Rodrigo as just some of the celebrities used for this scam campaign.

The only good thing we can really say here is that the links don’t lead to phishing or malware. So far, it’s “just” scammers racking up store credit. However, this is still a big problem for many reasons, not least for Temu, which is faced with the possibility of people gaming its system.

Bogus celebrity nude promos posted to TikTok aren’t good for the platform or the users, and both services will have to try and take these fraudsters to task. Meanwhile, users can also do their bit and report any such videos they spot on their feeds. Nobody is posting genuinely leaked imagery to TikTok, and most definitely not for the purposes of store credit.

The promise of fake stolen imagery is one of the oldest tactics in the book, and yet remains a very effective resource in the scammer’s toolkit. Whether you hear about such a thing by email or social media, our advice is to steer clear. Apart from it being incredibly distasteful and quite possibly illegal depending on where you reside, you run a major risk of falling victim to a more serious form of scam.

Is a quick clickthrough for store credit or some other reward really worth putting your system at risk? We’d suggest that the answer is most definitely a resounding no.


Ransomware group claims it’s “compromised all of Sony systems”

Newcomer ransomware group RansomedVC claims to have successfully compromised the computer systems of entertainment giant Sony. As ransomware gangs do, it made the announcement on its dark web website, where it sells data that it’s stolen from victims’ computer networks.

[Image: RansomedVC announces it’s compromised Sony]

The announcement says Sony’s data is for sale:

Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation, and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan

We have successfully compromissed [sic] all of sony systems. We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE

Sony has yet to comment on the matter, and it’s important to understand that we only have one side of the story—and the side we have comes from a group of criminals. The claims of Sony’s compromise may yet prove false or, perhaps more likely, exaggerated.

If RansomedVC is to be believed though, Sony has not caved in to the group’s demands for a ransom, so good for Sony, bravo. Sometimes businesses feel they have to pay their extortionists, and we aren’t going to judge anyone for making that choice. However, we’re definitely happy to applaud loudly when they don’t pay.

If Sony has been breached then its customers will be understandably concerned to safeguard their data. With information so thin on the ground it’s too early to offer specific advice, but we suggest you read our guide to what you need to know if you’re involved in a data breach.

Should it confirm the breach, Sony will join a fairly lengthy list of games and entertainment companies that have had data stolen or ransomed. Games companies are prime targets for theft and extortion because of the high value and high profile of their intellectual property.

Notable victims have included Capcom and Ubisoft in 2020, and CD PROJEKT RED, makers of Cyberpunk 2077 and Witcher 3, in 2021, the same year that FIFA 21 source code was stolen from Electronic Arts. In 2022 Bandai Namco was attacked by ransomware, and Rockstar Games suffered a serious breach at the hands of the short-lived Lapsus$ gang.

RansomedVC is a new ransomware group, first tracked by Malwarebytes in August 2023 after it published the details of nine victims on its dark web site. The only departure it makes from the usual cut ‘n’ paste criminality of ransomware groups is that it threatens to report victims for General Data Protection Regulation (GDPR) violations. It describes itself as a “digital tax for peace”, but of course it isn’t. We’ve heard this a million times before, and it’s always just a cash grab.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
