Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

9/16/2015
11:00 AM
Jason Polancich
Jason Polancich
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

'No-Tell' Motel: Where Hospitality Meets Cybercrime On The Dark Web

In the month of July alone, hundreds of hospitality-related goods and services were offered for sale on the Dark Web including big names like Wyndham, Marriott, Hilton and Starwood.

Plagued by pervasive cyber defense immaturity and a baffling lack of urgency around prioritizing cyber and data security concerns, the hospitality sector -- Orbitz, Expedia, Trivago, Kayak, Hotwire, Hotels.com, Groupon -- among others across both big and small chains, is low-hanging fruit for traditional cybercrimes.

Add to this the threats coming from the near total blind spot, the Dark Web, and you’ve got a recipe for real problems that hit home with hospitality’s most essential element: paying customers.

While this all may sound a little unbelievable to consumers, it’s de rigeur in the Internet’s black market, The Dark Web, traditionally thought of as a busy place for illegal drugs, ill-gotten prescription pharmaceuticals, pornography, and politically subversive activities -- the haven of hacktivists and criminals, drug addicts, and sexual deviants.

For those like myself who study the Dark Web and collect its data, it’s a lot more than this - and it’s evolving quickly. 

Compromised hospitality accounts such as this screenshot recently published on the black market are a true commodity on the Dark Web. 
Image Source: SurfWatch Labs
Compromised hospitality accounts such as this screenshot recently published on the black market are a true commodity on the Dark Web.
Image Source: SurfWatch Labs

In any given week on the Dark Web, you can find all manner of things offered for sale or trade that affect a hospitality company’s cyber strategy, their tactical defenses and much more. More importantly, the things regularly offered for sale have real impact on the bottom line: financials, reputation, customer loyalty, and brand -- things that can lead to millions in real dollars being lost or stolen, erosion of customer confidence, litigation costs, and theft of intellectual property or trade secrets.

How serious are the effects? In August, the Federal Trade Commission won a monumental legal victory over Wyndham Worldwide Corporation, one of the biggest players in hospitality. The upshot of the case means that companies can now be held responsible for poor security practices that lead to a data breach.

Here are a few samples of hospitality-related items that can be found on the Dark Web on any given day:

  • Sensitive customer data and corporate documents
  • Access points inside networks, web, and mobile applications
  • Hijacked loyalty program accounts from unsuspecting customers
  • Fraudulent membership points/balances/voucher codes
  • Hotel network/Wi-fi exploits
  • Software vulnerabilities for common hotel point-of-sale systems
  • Phishing campaigns aimed at major chain customer bases
  • Fraudulent websites designed to lure hotel customers
  • Crimeware instruction in “how to” do fraud
  • All of the above for hire/as-a-service

In the month of July alone, there were hundreds of hospitality-related goods and services for sale. Big names like Wyndham, Marriott, Hilton, Starwood as well as smaller regional, budget, and boutique properties.

Why hospitality is such a big target

To cybercriminals, hotels, motels, casinos, resorts, and their ancillary support businesses are like an eternal spring. There are hundreds of millions of customers staying and paying at any given moment. Hospitality is also one of the largest adopters of technology in the business world. Web and mobile apps abound as does the data they trade in. That means networks and accounts and data are everywhere, from Wifi to point-of-sale. 

All these moving parts means the threats are infinitely long. When you take the volume and variety into account that means functions like cyber defense and fraud prevention are even harder to do effectively (or at all in some cases).

Much like companies in other sectors, hospitality acquires and implements cybersecurity in a mostly traditional way. They look at what others are buying, who they’re hiring and then do the same. Firewalls, IDS/IPS, SIEM and all the traditional “defense-in-depth” approaches are common.

The problem with hospitality, like others in less frenetic industry sectors, is that these defense strategies aren’t effective against a multi-dimensional and constantly evolving threat landscape. In fact, due to hospitality’s unique data and volume issues, as well as its inherent need to stay competitive via customer conveniences and volume-driven cost controls, traditional cyber practices are a kind of Maginot Line of defense: they seem real and big enough, but in reality, they are superficial and easily circumnavigated.

Across the sector, the big and the small companies suffer from myriad challenges:

  • Only the top 1% of sector companies possess adequately mature cybersecurity functions
  • Customers, customers, and more customers
  • Veritable worlds of data in motion and at rest
  • Technology everywhere
  • Very little use of big data analytics
  • Understaffed, overworked and no real budget
  • Prioritization of customer conveniences over security
  • Threat “tunnel vision;” watching the front doors, back doors wide open
  • Little-to-no comprehensive cyber intelligence to inform defense tactics
  • No dynamic mapping of risk profiles to cyber threats
  • Insignificant cybersecurity budgets vs. the size of the threat

It’s a recipe for disaster even without the “out of the blue” threats posed by the Dark Web. And just as with the real Maginot Line in World War II, the Dark Web represents a set of threats that are largely unexpected, with unforeseen tactics coming from all the least expected angles.

Why the Dark Web is such a significant threat

Trending Dark Web cybercrime effects in the hospitality sector, last 90 Days  Image Source: SurfWatch Labs Analytics
Trending Dark Web cybercrime effects in the hospitality sector, last 90 Days
Image Source: SurfWatch Labs Analytics

Most companies traditionally prioritize tactical cyber defenses above all else and ignore any kind of formal intelligence gathering. That’s like spending all your defense budget building a big wall around your fort not knowing your enemy has airplanes or tunneling machines too.

This is particularly true in the case of Dark Web threats. Since most companies don’t gather or use  intelligence even against “traditional” cyber threats like malware and viruses, Dark Web threats like insider access being monetized for further attack and exploit are all but invisible.

Dark Web threats can also be considered “active.” It’s one thing to know about a certain kind of malware on the rise against your industry, but another to know someone’s selling access to customer credit card data being harvested from a point-of-sale terminal inside a specific resort. IT can investigate the possible presence of malware, but it can't immediately act on the point-of-sale issue and fix the hole.

 

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.