It shouldn’t come as a surprise that computers at hotel business centers and club lounges could be infested with keyloggers and other malware.
Week ago, Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center issued a non-public advisory distributed to hospitality companies, as there had been arrests in the Texas area.
There is a good write up about this on Krebs on Security that you can access here.
According to that article and the advisory:
“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.
“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”
The advisory lists several basic recommendations for hotels to help secure public computers, such as limiting guest accounts to non-administrator accounts that do not have the ability to install or uninstall programs. This is a good all-purpose recommendation, but it won’t foil today’s keyloggers and malware — much of which will happily install on a regular user account just as easily as on an administrative one.
The only time I might use a business center or lounge computer is when I need to print out some documents. Just have to remember to save the files to an USB stick rather than emailing the files to some cloud based email account.
Guests staying at hotels should be concerned even when logging to the airlines website to check into their flights and printing boarding passes.
True hackers wouldn’t bother with a small scale stealing of passwords and user accounts such as this, when they can hack into systems used by the companies such as eBay and J.C. Penney and get millions at a time.