Friday, May 9, 2025
HomeMalwareHackers Attack Hotel & Travel Organizations to Steal Sensitive Data

Hackers Attack Hotel & Travel Organizations to Steal Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

Hackers classified as TA558 have been increasing their activities since the beginning of this year. There has been an increase in the number of phishing campaigns run by the TA558 group and targeting a range of hotels and travel companies.

Threat actors make use of an assortment of 15 distinct malware families, mostly RATs, which are intended to do the following:- 

  • Gain access to the target systems
  • Conduct surveillance on a regular basis
  • Theft of key data
  • Scamming customers out of their money

Proofpoint has recently seen an increase in the number of attacks associated with TA558 which has been active since at least 2018. It is likely that tourism has recovered after the COVID-19 restrictions were imposed for two years.

- Advertisement - Google News

Campaigns Targeting Hotel & Travel Organizations

TA558 began using RAR and ISO file attachments in its phishing emails in the year 2022, instead of macro-laced documents in the messages. TA558 also embedded URLs in the messages in place of attachments.

Microsoft’s decision to block VBA and XL4 macros in Office has prompted similar changes to be seen with other threat actors as well. It has traditionally been used by hackers for the following purposes:-

  • Loading malware
  • Dropping malware
  • Installing malware

There are three languages, English, Spanish, and Portuguese, used in phishing emails that start the infection chain. 

The majority of their targets are located in the following countries:- 

  • North America
  • Western Europe
  • Latin America

In the emails, the main topic is to make a reservation at the organization that is targeted. Emails of this type are sent under the pretense of coming from reputable sources like conference organizers and tourist office agents which are hard for the recipients to disregard.

An ISO file will be received from a remote resource if the victim clicks on the URL in the message body. The URL in the message claims to be the reservation link and is supposedly attached to the message.

There is a batch file inside the archive that pitches a PowerShell script when it’s executed. A scheduled task is created by the script to keep the RAT payload on the victim’s computer as long as the script is running.

It involved downloading a follow-on payload, AsyncRAT, in the server for execution from a PowerShell script after executing the BAT file.

This year in most cases, the threat actors have used the following payload:-

  • AsyncRAT or Loda

While on a small scale, the threat actors have used the following payloads:-

  • Revenge RAT
  • XtremeRAT
  • CaptureTela
  • BluStealer

In most of the cases Proofpoint observed this year, the payload was AsyncRAT or Loda, while Revenge RAT, XtremeRAT, CaptureTela, and BluStealer were also deployed on a smaller scale.

Instead of using room reservations as a lure for a 2022 campaign, one campaign used QuickBooks invoices. The RAT malware compromises the hotel’s systems, so TA558 enters the network deeper and steals sensitive information like:-

  • Customer PII
  • Stored credit card details
  • Stored debit card details
  • Divert reservation payments

A hack of the Booking.com account of The Marino Boutique Hotel in Lisbon, Portugal, was detected in July 2022. It took the hacker only four days to steal a hefty €500,000 through the hacked account of the hotel.

Also Read: The Rise of Remote Workers: A Checklist for Securing Your Network – Free E-Book Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known...

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows...

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed...

Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition

Critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group (GTIG) has uncovered a sophisticated new malware dubbed LOSTKEYS,...

Lampion Banking Malware Uses ClickFix Lures to Steal Banking Credentials

Unit 42 researchers at Palo Alto Networks, a highly targeted malicious campaign orchestrated by...

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...