Cybercriminals have gone on a spree in Brazil’s hospitality industry, infecting the networks of hotels and tourism companies with malware that steals credit card data, according to researchers at Kaspersky.
All told, the hackers have struck hospitality organizations in eight states across Brazil, and 20 hotels in that country and others around the world, Kaspersky said last week.
Active since 2015, the hackers have stepped up their activity this year. They are brazenly selling access to hotel networks they’ve breached to whoever is buying.
Some Brazilian criminals tout the extracted credit card data “as high quality and reliable” because it came from a hotel administration system, the researchers wrote in a blog post.
The breaches often begin with spearphishing emails in fluent Portuguese to hotel employees. Once clicked, the emails open up malware capable of capturing data that flows downstream during the reservation process from popular sites like Booking.com.
The findings underscore Brazil’s longstanding struggles with cybercrime. Online forums in Brazil are teeming with offers of hacking tools and chatter about companies that make easy targets. The country’s cybercriminal gangs are highly organized, made up of cells focusing on software development and money laundering, threat-intelligence company Recorded Future has found.
But the hacking campaigns, which Kaspersky researchers attributed to two different criminal groups they call RevengeHotels and ProCC, have also reached countries from Thailand to Turkey. That global reach is a reminder of the challenges the hospitality industry faces in securing customer payment data that comes from a variety of sources. Criminal groups like FIN7, for example, are adept at homing in on payment card processors used in the industry.
“The use of spear-phishing emails, malicious documents and RAT malware is yielding significant results for at least two groups we have identified in this campaign,” Kaspersky analysts concluded, building on previous research from Palo Alto Networks.