Darkhotel spies target executives’ data over hotel Wi-Fi

11 Nov 2014

Darkhotel waits for business executives to log onto hotel Wi-Fi networks before launching malware attacks to steal data, but the hacker group can be outsmarted, Kaspersky Labs suggests.

Kaspersky Labs’ Global Research and Analysis Team probed the workings of Darkhotel and discovered it has been lurking in the shadows for at least four years, stealing sensitive data via Wi-Fi from corporate executives who check into luxury hotels.

“The crew never goes after the same target twice; they perform operations with surgical precision, getting all the valuable data they can from the first contact, deleting traces of their work and melting into the background to await the next high-profile individual,” Kaspersky Labs said.

The most recent targets, according to Kaspersky Labs, include top executives from the US and Asia doing business and investing in the APAC region: CEOs, senior vice-presidents, sales and marketing directors and top R&D staff.

How to outsmart Darkhotel

Any network should be viewed as potentially dangerous and to avoid becoming a victim of Darkhotel, Kaspersky Labs offers the following tips:

  • Choose a Virtual Private Network (VPN) provider – you will get an encrypted communication channel when accessing public or semi-public Wi-Fi.
  • When travelling, always regard software updates as suspicious. Confirm the proposed update installer is signed by the appropriate vendor.
  • Make sure your internet security solution includes proactive defence against new threats rather than just basic antivirus protection.

How Darkhotel attacks work

Darkhotel waits until the victim connects to the hotel Wi-Fi network, and submits his or her surname and room number upon login.

The attackers see the victim in the compromised network and trick him or her into downloading and installing a backdoor that pretends to be an update for legitimate software, such as Google Toolbar, Adobe Flash or Windows Messenger.

Once on a system, the backdoor has been and may be used to download more advanced stealing tools, such as a digitally signed advanced keylogger, and an information-stealing module.

“These tools collect data about the system and the anti-malware software installed on it, steal all keystrokes, and hunt for cached passwords in Firefox, Chrome and Internet Explorer; Gmail Notifier, Twitter, Facebook, Yahoo! and Google login credentials; and other private information,” Kaspersky Labs said.  

“Victims lose sensitive information – likely the intellectual property of the business entities they represent. After the operation, the attackers carefully delete their tools from the hotel network and go back into hiding.”

Watch Darkhotel Espionage Campaign – Kaspersky Lab Video here:

Business traveller image via Shutterstock

Tina Costanza was a journalist and sub-editor at Silicon Republic