Traveling on business, you check into a business-friendly hotel for a few days. You approach the front desk after a long flight, but the staff, unfortunately, cannot check you in because the hotel’s electronic key system has been hacked. Someone on the hotel’s staff opened an email from an unknown party, clicked on an unknown link, and malware infected the electronic key system. Until the ransom is paid, no keys can be issued. Would you ever stay at that hotel again? Probably not.
Phishing remains a significant problem in the hospitality industry. Attackers have targeted hotel employees with phishing and even spear-phishing email attacks, tricking the recipient into opening the email and clicking on a web link, opening an attachment with an embedded link, or opening an attachment laden with malware. That malware can spread across the hotel’s network, infecting and rendering useless any number of the hotel’s systems. Smart door, electronic key, reservation, cash drawer, point-of-sale (POS), and telecommunications systems can be locked, taken offline, or have their data encrypted and held for ransom. If the attacker steals privileged user credentials, then all of the hotel’s systems – even guests’ personal information – are at risk.
This past January (2017), a resort in the Austrian Alps was attacked by ransomware, initiated by a phishing email. Its electronic door locking, reservation, and cash systems were held for ransom. Guests were not locked in (electronic door locks can be opened from inside the room, a safety precaution) or out of their rooms (electronic door locks must work even during a power outage, so there is an override), but new electronic key cards could not be issued to guests checking in. Reservations could not be confirmed or canceled either, because the reservation system was also held hostage. The hotel paid the ransom to regain control of its systems.
This attack was on a boutique, four-star hotel. Imagine if a large resort hotel were attacked the same way during a huge convention. The negative guest reaction and bad press would ruin a hotel’s reputation, leading to canceled reservations, decreased occupancy rates, and declining revenue.
Existing email security software might catch some phishing attacks. But, based on those vendors’ own statistics, it is unlikely that sophisticated phishing attacks would be caught. It takes only one successful phishing attack to ruin a hotel’s reputation and endanger future business.
Isolation is the only way to ensure that all email-based phishing attacks – including spear-phishing attacks – are stopped cold. By isolating web access, any email-based phishing attack that begins with a click on a web link cannot succeed. Once an employee clicks on a link in a phishing email or attachment, the returned web page is executed in an isolated environment, and the employee is served a proxied, malware-free rendering of it. An isolation platform can even render proxied websites in read-only mode, preventing users from entering credentials and other sensitive information on the returned website.
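To make the read-only rendering step concrete, the following is an added illustration and not code from the original post or from any isolation vendor. It is a hypothetical, minimal stand-in for what a proxy does before handing a page to the employee’s browser: active content (scripts, inline event handlers, `javascript:` URLs, embedded objects) is stripped, form submission targets are removed, and every form control is marked `disabled`, so a credential-harvesting login form can be viewed but nothing can be typed into it or submitted. The class name `ReadOnlyRewriter`, the function `render_read_only`, and the constructed `SAMPLE_PAGE` are all assumptions made for this example; a production platform renders the page remotely rather than rewriting HTML, but the policy it enforces is the same.

```python
from html import escape
from html.parser import HTMLParser

# Elements dropped entirely: active content never reaches the endpoint.
DROP_TAGS = {"script", "iframe", "object", "embed"}
# Form controls that are still displayed but made inert in read-only mode.
FORM_CONTROLS = {"input", "textarea", "select", "button"}
# Attributes that may carry a URL and therefore a javascript: scheme.
URL_ATTRS = {"href", "src", "action"}


class ReadOnlyRewriter(HTMLParser):
    """Hypothetical read-only rewriter standing in for an isolation proxy's render step."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives unescaped
        self.out = []               # rewritten document fragments
        self.skip_depth = 0         # > 0 while inside a dropped element
        self.disabled = 0           # form controls neutralised
        self.stripped = 0           # scripts, handlers, form targets removed

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):                      # inline event handler
                self.stripped += 1
                continue
            if lname in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.stripped += 1
                continue
            if tag == "form" and lname in ("action", "method"):   # no submission target
                self.stripped += 1
                continue
            kept.append((name, value))
        if tag in FORM_CONTROLS and not any(n.lower() == "disabled" for n, _ in kept):
            kept.append(("disabled", None))
            self.disabled += 1
        return kept

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_TAGS:
            self.skip_depth = 1
            self.stripped += 1
            return
        parts = [tag]
        for name, value in self._filter_attrs(tag, attrs):
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # treat <x/> like <x>; void tags get no end tag

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_TAGS:
                self.skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # re-escape text we emit


def render_read_only(html_doc):
    """Return (rewritten_html, controls_disabled, active_items_stripped)."""
    rewriter = ReadOnlyRewriter()
    rewriter.feed(html_doc)
    rewriter.close()
    return "".join(rewriter.out), rewriter.disabled, rewriter.stripped


# Constructed sample: a credential-harvesting style login page of the kind a phishing link returns.
SAMPLE_PAGE = """<html><body>
<form action="https://example.invalid/collect" method="post">
Password: <input type="password" name="pw">
<button type="submit" onclick="track()">Sign in</button>
</form>
<a href="javascript:void(0)">Help</a>
<script>document.cookie</script>
</body></html>"""

if __name__ == "__main__":
    page, n_disabled, n_stripped = render_read_only(SAMPLE_PAGE)
    print(page)
    print(f"disabled controls: {n_disabled}, active items stripped: {n_stripped}")
```

Running the block prints the sample page with the `<script>` gone, the form lacking its `action`, the `javascript:` link reduced to plain text, and both the password field and the button carrying `disabled`. The counters are what a proxy would log so that analysts can see how much active content a given link tried to deliver.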
For information on other phishing attacks, download our Anatomy of a Spear Phishing Attack report: