Hyatt Hotels Corporation is warning customers that hackers gained access to payment card information at 41 hotels managed by the company in 11 countries. This is the second credit card breach suffered by the company in the past two years.
The new incident impacted cards used at the front desks of affected properties between March 18 and July 2 and was the result of malicious software being introduced “from a third party” into the hotels’ IT systems.
The company has published a list of affected hotels on its website. The hotels are located in Brazil, China, Colombia, Guam, India, Indonesia, Japan, Malaysia, Mexico, Puerto Rico, Saudi Arabia, South Korea and the United States. The country with the largest number of affected hotels is China with 18, while the U.S. has only three, all of them in Hawaii.
It’s not clear how the attackers managed to introduce the malware into these hotels’ systems and why other Hyatt properties weren’t affected. A previous data breach announced by Hyatt in late 2015 impacted cards used at 250 properties from 50 countries.
“I want to assure you that there is no indication that information beyond that gained from payment cards – cardholder name, card number, expiration date and internal verification code – was involved, and as a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide,” Chuck Floyd, global president of operations at Hyatt, said in a statement.
Point-of-sale memory-scraping malware continues to be one of the primary methods used by hackers to steal payment card data from hotels, restaurants, retailers and other merchants. However, there are also more advanced threats that can compromise whole networks and back-end systems.
Researchers from Morphisec recently documented new attacks from a sophisticated attack group known as FIN7 that uses fileless malware and other advanced techniques designed to bypass traditional detection. Earlier this year the group attacked restaurants in the U.S.
“We continue to see threat actors specifically targeting hotels and accessible retail outlets where credit card transactions are both routine and frequent,” said Christian Lees, chief information security officer at InfoArmor. “PII and credit card data continue to be solicited and monetized in underground communities as a simple and viable way to fund further nefarious activity. As long as there is a market demand for this data, there will be those who will work to obtain it and profit from that activity.”
Android Ransomware Changes Device Lock PINs
A new ransomware threat for Android devices known as DoubleLocker not only encrypts user data on devices but also changes the device PIN to lock users out.
According to researchers from ESET, DoubleLocker is based on a banking trojan that abuses the Android accessibility service functionality. It is distributed from compromised websites as a fake Flash Player application and, once installed, it requests activation as an accessibility service. If this is granted, the malware sets itself as a device administrator and as the Home application — a launcher.
The malware then locks the phone when the user hits the home button and changes the PIN to a random value that is not stored anywhere and is not sent to the attackers. However, the attackers do have the ability to remotely change the PIN to a known value after payment.
DoubleLocker also encrypts the files in the phone’s storage using strong encryption. The victims are warned that they need to pay 0.0130 BTC (around $55) within 24 hours, but the files are not deleted after this period. The only way to rid the device of the DoubleLocker ransomware is to reset the device to its factory settings.
“Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers,” said Lukáš Štefanko, a malware researcher at ESET. “Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom. Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May 2017.”
After Equifax, TransUnion Website Also Directs Users to Malicious Applications
Equifax took one of its consumer websites down yesterday after reports that it was serving adware to users. Researchers from Malwarebytes have now found that a website operated by another credit monitoring agency, TransUnion, was also directing users to malicious applications.
It seems the TransUnion-operated website, which served users in Central America, was using the same third-party web analytics script that redirected users of the Equifax website to adware. Researchers suspect that one of the domains the script was loading resources from has been compromised.
This is a classic malvertising attack where a legitimate, trusted service provider is compromised and the infection then makes it to customers’ websites. This usually happens through advertising networks, but as shown in these cases, it can also happen through web analytics providers and other third-party scripts.