Secret Service Warns Against Keylogging Malware At Hotel Business Centers

Here’s one that should be added to the earlier list of possible hotel scams. The U.S. Secret Service has sent out a warning to hotel operators, asking them to check shared computers in their business centers for malware that can log keystrokes and steal sensitive information from users.

Cybersecurity expert Brian Krebs reports that an industry-only advisory sent out by the Secret Service and Dept. of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) on July 10 states that authorities in Texas recently arrested suspects caught monkeying with business center computers in the Dallas/Fort Worth area.

The suspects would access hotels’ business centers — by using bogus credit cards to book rooms, of course — and then install keylogging malware that “captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” according to the NCCIC warning. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

The government’s advice to hotels is well-intentioned, but as Krebs points out, most of it won’t stop this kind of attack.

Limiting users’ access so they can not install or uninstall programs is a good idea in general for shared computers, but much of today’s malware doesn’t need admin-level access.

Likewise, wiping a computer clean after each session will probably get rid of the malware, but Krebs says malware-installing jerks (our words, not his) can often get around this if they are allowed to insert CDs or USB-based Flash drives. Taking away access to discs or USB drives would render many business center computers useless.

“The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer,” writes Krebs, who recommends not using public computers for anything other than browsing the web.

Meanwhile, over in the Wall Street Journal, writer Christopher Mims is sharing his Twitter password with the world, making the case that two-factor authentication (in which the user must, in addition to a password, enter a unique passcode sent to their wireless device) is the end of having to worry about having multiple passwords for every possible site and service you log into.

Which is a good thing, as Ars Technica reports that a new study found hackable flaws in multiple popular password-managing programs, meaning someone could breach one of those services and have immediate access to a huge number of passwords.

Read Comments1

Edit Your Comment

  1. furiousd says:

    It’s not just taking away access to CDs or USB ports for flash drives, but disabling any kind of USB accessibility. Projects like this http://hackaday.com/2011/05/04/usb-keyboard-prankster/ could be inserted into the case of a keyboard (plenty of room) and instead of toggling the capslock as a prank, the keystrokes could be recorded onto flash media and once a week a script launched that emails the data to the nefarious recipient. Completely transparent, no software installed. If the party has any level of privacy they’d be able to swap out the keyboard, and honestly what hotel staff would notice or report even if they noticed? Realistically there’s no need for a business center as a majority of businesspeople have their own laptops. If a hotel elects to provide access stations, they should be run as kiosks with no external input. Basically as an internet access portal with print capabilities. To further protect things against program installation/viruses you can run Deep Freeze which wipes the hard drive after every reboot. Or even better, run the kiosk off of a LiveCD so there’s no installation to start with because you won’t need a hard drive.