Trusteer security researchers found an advertisement on a black market forum for a custom RAT designed to infect hotel front desk computers and steal customer credit card and billing information.
The seller was offering the computer Trojan, together with instructions on how to trick hotel front desk managers into installing it on their computers, for US$280. The seller also claimed that the malware won’t be detected by any antivirus program when it’s delivered to the buyer.
Malware writers often repackage their malicious installers with new algorithms in order to evade signature-based antivirus detection, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender.
The repackaged samples can then be delivered via email or instant messaging without being stopped at the network perimeter. However, if an antivirus product with strong heuristic and behavioral detection capabilities is running on the targeted systems, the malware should be blocked at execution time, Botezatu said via e-mail.
The hotel RAT’s seller specified in the ad that the malware doesn’t collect card security numbers, also known as CVV or CID, but this doesn’t necessarily make the rest of the stolen information less useful to cybercriminals.
Some merchants are allowed to charge cards without the CVV details, especially in the U.S., Botezatu said. However, even if that wasn’t the case, the data can still be used to phish the security codes from the card owners themselves or to search for the codes in existing data dumps that resulted from older phishing attacks, he said.
The hotel RAT advertisement included screenshots of a particular PoS application, but its functionality might not be restricted to that specific program.
“The strength of RATs is their generic nature — they can be used to attack many different applications in use by many industries,” said Amit Klein, Trusteer’s chief technology officer. “We’ve seen RATs used against internal applications, banking applications, defense industries, etc.”
Hotels typically have a limited IT staff or knowledge of malware and they handle a large number of credit cards on a daily basis, which makes them a perfect target, said Yaron Dycian, Trusteer’s vice president of products, via email.
The fact that the RAT’s creator decided to target the hospitality industry is consistent with a recently observed change in the focus of cybercriminals — an expansion from online banking attacks to attacks against PoS systems.
“I think the main reason for this shift, or diversification, is the fact that POS machines, and some business machines serve as ‘mini repositories’ where information about many victims can be collected at once,” Klein said via email. “This is in contrast with consumer machines which typically expose one or two accounts.”