The hospitality industry continues to be targeted by cyber attackers, this time by a new phishing campaign that spreads info-stealing malware. The campaign, discovered by researchers at Cofense Intelligence, relies on social engineering tactics similar to those that recently crippled the MGM Grand and Caesars. The attackers first send reconnaissance emails and instant messages to bait employees at luxury resorts and hotel chains into responding. Once a response arrives, the threat actors follow up with phishing messages built with methods known to disrupt email security analysis and evade secure email gateways.
The campaign shows a high level of sophistication and careful planning by the threat actors. The rate at which these emails reach their intended targets is alarming, and it has risen significantly over the past two months: 85% of the phishing emails in the campaign were sent in the last 60 days, with September showing a higher incidence than August.
To boost the legitimacy of their emails, the threat actors make initial contact by writing to what they believe is a legitimate company email address. These messages pose as reservation requests or changes and target specific email accounts. The initial emails carry no malicious content; their purpose is to verify that the target account is active and monitored. If the recipient takes the bait, a follow-up phishing email arrives the same day, using a lure similar to the reconnaissance email.
The phishing emails contain an infection URL hosted on a trusted cloud domain, such as Google Drive or Dropbox. The victim is directed to download a password-protected archive containing the malicious files. Hosting on cloud services and wrapping payloads in password-protected archives are common tactics for bypassing security controls, since the link points to a reputable domain and the encrypted archive cannot be scanned in transit. In addition, the threat actors inflate the malicious executables to large file sizes, which exceed the limits of most sandboxes and analysis tools and so disrupt automated analysis.
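The two-stage pattern described above (a benign first contact, then a same-day follow-up from the same sender that links to a cloud-hosted, password-protected archive) is something a mail-security team can look for in its own message logs. The following detection heuristic is an added example written for this article; it is not code from Cofense or from the report. The email records, the sender and recipient addresses, the file-ID placeholders in the URLs and the list of cloud hosts are all constructed for the example.

```python
"""Flag sender/recipient pairs where a link-free first contact is followed,
within a short window, by a message linking to a cloud host and describing
a password-protected archive. Example detection logic, not production code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cloud file-hosting domains seen abused for delivery (assumed list; tune to
# what your organisation actually uses for legitimate business).
CLOUD_HOSTS = {"drive.google.com", "www.dropbox.com", "dropbox.com", "cdn.discordapp.com"}

URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
ARCHIVE_RE = re.compile(r"\b(?:zip|rar|7z)\b", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)


@dataclass
class Email:
    sender: str
    recipient: str
    received: datetime
    body: str


def cloud_hosts_in(body: str) -> set:
    """Return the set of known cloud-hosting domains linked from the body."""
    return {m.group(1).lower() for m in URL_RE.finditer(body)
            if m.group(1).lower() in CLOUD_HOSTS}


def is_recon(email: Email) -> bool:
    """A reconnaissance message carries no link at all: it only probes for a reply."""
    return URL_RE.search(email.body) is None


def is_delivery(email: Email) -> bool:
    """A delivery message links to a cloud host and talks about a password-protected archive."""
    return bool(cloud_hosts_in(email.body)
                and ARCHIVE_RE.search(email.body)
                and PASSWORD_RE.search(email.body))


def find_two_stage_chains(emails, window=timedelta(hours=24)):
    """Correlate per sender/recipient pair: recon message, then delivery within `window`."""
    by_pair = defaultdict(list)
    for e in emails:
        by_pair[(e.sender.lower(), e.recipient.lower())].append(e)

    alerts = []
    for (sender, recipient), msgs in by_pair.items():
        msgs.sort(key=lambda e: e.received)
        for i, first in enumerate(msgs):
            if not is_recon(first):
                continue
            for later in msgs[i + 1:]:
                if later.received - first.received > window:
                    break
                if is_delivery(later):
                    alerts.append({
                        "sender": sender,
                        "recipient": recipient,
                        "recon_at": first.received,
                        "delivery_at": later.received,
                        "cloud_hosts": sorted(cloud_hosts_in(later.body)),
                    })
    return alerts


# Constructed sample traffic for one reservations mailbox on a single day.
SAMPLE_EMAILS = [
    # Suspicious chain: link-free booking inquiry, then a cloud link to a password-protected zip.
    Email("booking.inquiry@example.net", "reservations@grand-resort.test",
          datetime(2023, 9, 12, 9, 5),
          "Hello, I would like to book three rooms for a wedding party in October. "
          "Can you confirm availability?"),
    Email("booking.inquiry@example.net", "reservations@grand-resort.test",
          datetime(2023, 9, 12, 14, 40),
          "Thanks for the reply! Guest list and special requests are in the archive: "
          "https://drive.google.com/file/d/PLACEHOLDER_FILE_ID/view (zip, password: Guests2023)"),
    # Benign: a colleague asks a question, then shares photos without any archive or password.
    Email("frontdesk@grand-resort.test", "reservations@grand-resort.test",
          datetime(2023, 9, 12, 10, 0),
          "Can you check whether room 204 is blocked for tonight?"),
    Email("frontdesk@grand-resort.test", "reservations@grand-resort.test",
          datetime(2023, 9, 12, 11, 30),
          "Photos of the damage: https://www.dropbox.com/s/PLACEHOLDER_SHARE/photos"),
    # Benign: a cloud link with no preceding reconnaissance message from this sender.
    Email("travel.agency@example.org", "reservations@grand-resort.test",
          datetime(2023, 9, 12, 12, 15),
          "Updated group itinerary: https://drive.google.com/file/d/PLACEHOLDER_ITIN/view"),
]

if __name__ == "__main__":
    for alert in find_two_stage_chains(SAMPLE_EMAILS):
        print(alert)
```

Run as a script, the example prints one alert, for the booking.inquiry sender, and stays silent for the two benign cases. The recon/delivery split is the point: a cloud link on its own is routine in a reservations mailbox, while a link-free probe followed the same day by a password-protected archive from the same external sender is the specific sequence the campaign relies on.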
The ultimate goal of the campaign is to steal employees' login credentials for the various applications used on corporate systems, and the threat actors also have the ability to deliver secondary payloads. The stealers deployed by the campaign belong to five known malware families: RedLine Stealer, Vidar Stealer, Stealc, Lumma Stealer, and Spidey Bot. Recently, the threat actors behind RedLine and Vidar were seen pivoting to ransomware attacks using similar tactics. However, Cofense did not provide specific details on any known successful attacks.
The success of this phishing campaign is attributed not only to the volume of messages sent but also to the fact that the targets are likely not tech-savvy individuals: the campaign primarily targets employees in hospitality-specific roles rather than technical staff. The most practical defense for these targets is therefore to educate employees on phishing concepts and inform them about malicious campaigns like the one discovered by Cofense.
In addition to employee education, organizations can implement technical measures to reduce the risk. Blocking downloads from the sites being abused by the campaign, such as Google Drive or DiscordApp, is an effective step wherever the company does not conduct legitimate business on those sites.
As the hospitality industry continues to face cyber threats, it is crucial for organizations to remain vigilant and implement proper security measures to protect their systems and data. Regular training and awareness programs for employees, coupled with strong technical defenses, can help mitigate the risk of falling victim to these sophisticated phishing campaigns.