THE UNITED STATES Secret Service has told the hospitality industry to check their business centre PCs for keystroke logging malware.
The Secret Service sent this warning to companies in the lodging industry, but has not publicly disclosed it. Brian Krebs of Krebs on Security has seen the missive and he said it suggests that PCs might have been penetrated by thieves with their eyes on personal and financial data.
Krebs quotes from the letter, relating that the Secret Service and the US Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) have already arrested people suspected of malware insertion. The statement said that "large" amounts of information have already been swiped.
"In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software," said the letter.
"The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors' email accounts... The suspects were able to obtain large amounts of information including other guests personally identifiable information, log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center's computers."
While the advisory is aimed at the hospitality firms, Krebs has advice for end users, and he said that road warriors should consider using temporary email accounts while moving from place to place.
"The truth is, if a skilled attacker has physical access to a system, it's more or less game over for the security of that computer. The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware," he added.
"The trouble is that there is no easy way for the average guest to know for sure." µ