NEWS

Staff in the hospitality industry are trained to accommodate their guests, and when they have a few years of experience under their belt you can be sure they’ll have received some extraordinary requests.

Which is something that clever cybercriminals are taking advantage of. Researchers at Perception Point recently documented a sophisticated phishing campaign targeting hotels and travel agencies.

The campaign raised alarm because of the clever scheme deployed to trick staff into installing an information stealer. This part of the campaign is made up out of highly targeted attacks.

The first stage of the attack typically sees the attackers send a query about a booking or make a reservation. The bookings will always have low or no cancellation costs so the attackers can minimize their investment.

Once the attackers receive a response, they’ll come up with a persuasive reason for the hotel staff to print or study something ahead of their arrival. Examples include medical records for a child or an important map they would like to print out for their elderly parents.

To add a touch of legitimacy and to evade detection, they even provide the hotel representative with a password to unlock these so-called “important files.”

Image courtesy of Perception Point

In reality, the document contains malware hosted on a file sharing platform, such as Google Drive. The file is encrypted but is decrypted when the victim enters the password. The main executable file often has a misleading icon, such as one that makes it look like a pdf. Once the victim double-clicks on the file, the information stealer (or InfoStealer) is then unleashed.

The second step in this attack targets the customers, and was discovered by Akamai researchers. 

After the InfoStealer is executed on the original target’s (hotel/travel agent’s) systems, the attacker then begins messaging legitimate customers. The message used in this campaign contains a link to what it says is an additional card verification step. In reality, the link triggers an executable on the victim’s machine which gathers information about the browser and presents the recipient with several security validation questions.

Once the victim passes the tests, they are forwarded to a credit card phishing site masquerading as a Booking.com payment page. 

Tips for hospitality organizations

Besides having adequate up-to-date real-time protection on your systems, there are some general tips that can keep you out of trouble.

• Always confirm the identity of anyone requesting sensitive information or access to internal systems.
• Educate your team so they know how to recognize phishing attempts and where to report potential threats.
• Invest in an email security solution which makes it harder for phishing emails and unknown malware to reach the intended target.
• Never click on unsolicited links. 
• Be cautious of messages that create a sense of urgency or threaten negative consequences if you don’t take immediate action.

Tips for consumers

These phishing schemes are exceptionally well thought out and tailored so victims are more likely to click. Still, there are some red flags that can help you prevent falling victim.

• Double check unexpected communications which ask for additional payments or payment details. There is no harm in asking for clarification or confirmation.
• Inspect links before you click on them to see whether they lead to where you expect.
• Do not send information that the booked accommodation should already have or shouldn’t need at all.
• Be suspicious of urgent or threatening messages asking for immediate action.

Identity theft victims

If you suspect you are a victim of credit card identity theft, the FTC recommends you contact your bank or credit card company to cancel your card and request a new one. If you get a new card, don’t forget to update any automatic payments with your new card number.

To find out if you are a victim:

• Review your transactions regularly to make sure no one has misused your card, and consider credit monitoring.
• If you find fraudulent charges, call your bank’s fraud department to alert them.
• Check your own credit report at annualcreditreport.com.
• Consider freezing your credit report. This stops new creditors and potential thieves from accessing your credit report.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Canadian healthcare organization Better Outcomes Registry & Network (BORN) has disclosed a data breach affecting client data.

BORN—an Ontario perinatal and child registry that collects, interprets, shares, and protects critical data about pregnancy, birth, and childhood—says it was attacked on May 31, 2023.

A subsequent investigation has shown that during the breach, unauthorized copies of files containing personal health information were taken from BORN’s systems. The personal health information that was copied was collected from a large network of mostly Ontario health care facilities and providers regarding fertility, pregnancy, newborn and child health care offered between January 2010 and May 2023.

BORN says that the data breach happened as a result of a vulnerability in some software it uses for file transfers, Progress MOVEit. This vulnerability was exploited by a ransomware gang known as Cl0p, before Progress was even aware a vulnerability existed.

Sadly, it’s not just BORN that has had children’s data stolen as a result of that vulnerability. The National Student Clearinghouse (NSC) has also reported that nearly 900 colleges and schools across the US also fell victim to the Cl0p ransomware gang, as a result of using MOVEit to transfer files.

As we have mentioned before, identity theft is a serious problem, especially when it affects children. Identity thieves love preying on minors, simply because it usually takes longer before the theft is noticed.

Countermeasures

BORN states that there are no additional steps you need to take. Its incident summary says:

“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes. We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.”

However, you have every right to become anxious that your child might start receiving credit offers in the mail or unexpected activity on their email, phone or bank accounts.

So, if you become aware of anything suspicious, or even just for peace of mind, you can request a security freeze for your child at each of the three national credit bureaus (Experian, TransUnion and Equifax).

When you request a security freeze, the bureau creates a credit report for your child and then locks it down, so that any lender who attempts to process an application that uses your child’s credentials will be denied access to their credit history. This prevents any loans or credit cards being issued in the child’s name. When the child becomes an adult you’ll have to lift the freeze by contacting each credit bureau individually.

Read our tips on how to protect your identity, or, if you believe you are already the victim of on identity crime, contact the Identity Theft Resource Center. You can speak to an advisor toll-free by phone (888.400.5530) or live-chat on the company website idtheftcenter.org.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Digital transformation may be revolutionizing businesses and the way we operate, but it also presents notable challenge: How can organizations stay secure amidst the ceaseless tide of change? Our latest Byte Into Security webinar has the answers.

Meet the Experts

• Marcin Kleczynski, CEO of Malwarebytes, teams up with
• Chris Brock, Drummond’s Chief Information Officer. Chris shares how his 15-person IT team balanced dramatic organizational changes with maintaining a robust security posture.

On-the-Ground Insights

In the webinar, Chris details:

• The specific challenges digital transformation posed to his IT team and the broader organization.
• How Drummond prioritized resources for maximum efficiency and impact.
• The role of Managed Detection and Response (MDR) in fortifying security, while saving IT time, resources, and budget.

What to Expect

• Forward-thinking security strategy: Learn about tools and tactics that transition businesses from reactive security measures to proactive protection amidst digital shifts.
• Tailored training: Security awareness training best practices for businesses of all sizes.
• Leveraging MDR: Real examples showcasing how MDR was instrumental in Drummond’s digital evolution, helping to close security holes across multiple categories.
• True IT downtime: How IT professionals can take well deserved vacations without interruption.

If you’re seeking to understand how digital transformation, security, worker productivity and business growth evolve in tandem, this webinar is your roadmap.

Watch on-demand now

Newcomer ransomware group RansomedVC claims to have successfully compromised the computer systems of entertainment giant Sony. As ransomware gangs do, it made the announcement on its dark web website, where it sells data that it’s stolen from victims’ computer networks.

The announcement says Sony’s data is for sale:

Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation, and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan

We have successfully compromissed [sic] all of sony systems. We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE

Sony has yet to comment on the matter, and it’s important to understand that we only have one side of the story—and the side we have comes from a group of criminals. The claims of Sony’s compromise may yet prove false or, perhaps more likely, exaggerated.

If RansomedVC is to be believed though, Sony has not caved into the group’s demands for a ransom, so good for Sony, bravo. Sometimes businesses feel they have to pay their extortionists, and we aren’t going to judge anyone for making that choice. However, we’re definitely happy to applaud loudly when they don’t pay.

If Sony has been breached then its customers will be understandably concerned to safeguard their data. With information so thin on the ground it’s too early to offer specific advice, but we suggest you read our guide to what you need to know if you’re involved in a data breach.

Should it confirm the breach, Sony will join a fairly lengthy list of games and entertainment companies that have had data stolen or ransomed. Games companies are prime targets for theft and extortion because of the high value and high profile of their intellectual property.

Notable victims have included Capcom and Ubisoft in 2020, and CD PROJEKT RED, makers of Cyberpunk 2077 and Witcher 3, in 2021, the same year that FIFA 21 source code stolen from Electronic Arts. In 2022 Bandai Namco was attacked by ransomware, and Rockstar Games suffered a serious breach at the hands of the short-lived Lapsus$ gang.

RansomedVC is a new ransomware group, first tracked by Malwarebytes in August 2023 after it published the details of nine victims on its dark web site. The only departure it makes from the usual cut ‘n’ paste criminality of ransomware groups is that it threatens to report victims for General Data Protection Regulation (GDPR) violations. It describes itself as a “digital tax for peace”, but of course it isn’t. We’ve heard this a million times before, and it’s always just a cash grab.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

This week on the Lock and Code podcast…

When you think of the modern tools that most invade your privacy, what do you picture?

There’s the obvious answers, like social media platforms including Facebook and Instagram. There’s email and “everything” platforms like Google that can track your locations, your contacts, and, of course, your search history. There’s even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile. 

But here’s a surprise answer with just as much validity: Cars. 

A team of researchers at Mozilla which has reviewed the privacy and data collection policies of various product categories for several years now, named “Privacy Not Included,” recently turned their attention to modern-day vehicles, and what they found shocked them. Cars are, to put it shortly, a privacy nightmare. 

According to the team’s research, Nissan says it can collect “sexual activity” information about consumers. Kia says it can collect information about a consumer’s “sex life.” Subaru passengers allegedly consent to the collection of their data by simply being in the vehicle. Volkswagen says it collects data like a person’s age and gender and whether they’re using your seatbelt, and it can use that information for targeted marketing purposes. 

But those are just some of the highlights from the Privacy Not Included team. Explains Zoë MacDonald, content creator for the research team: