NEW YORK (MainStreet) - The name alone ought to cause a shiver in your backbone: Darkhotel. That’s an attack that, according to recent reports from Kaspersky Labs, first surfaced in 2010 and is still around, still compromising the computers of traveling executives.
Here's what's worse: the attackers appear to know exactly whom they are targeting. This is a pinpointed assault that seems to involve insider information from particular hotels, regarding both the hotel WiFi network and who is on the guest list.
Ian Pratt, a co-founder of security firm Bromium, told MainStreet how Darkhotel works: when a targeted executive seeks to go online, the initial stopping place is the hotel’s Internet log-in page. That is where the mayhem happens, usually in the form of malware masquerading as a seemingly harmless software update for, say, Java or Internet Explorer. Most of us have been trained by security to accept such updates, because usually they are security patches. In this case, it is the exact opposite. It’s a toxic download that will let the hacker spy on the machine.
Worse, a stop on that log-in page is a near necessity, especially for executives traveling abroad. T.K. Keanini, CTO at Alpharetta, Ga., security firm Lancope, explained that although in the U.S. many executives bring their own hotspots (generally more secure than public WiFi) that let them bypass hotel WiFi, in Europe and Asia data rates can be prohibitively expensive. Even C-suiters may tune in via a hotel WiFi.
Executives in larger companies almost always use VPN - virtual private network, a more secure way to access the Internet - but to get into VPN, a session will start with a log-in to the hotel WiFi. That happens in the clear, without VPN insulation. That brief stop on the log-in page is plenty to compromise a computer.
As far back as 2012, the FBI issued this warning: “Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”
That FBI warning was issued two years ago, but the Darkhotel plague persists, claiming more victims.
Although Darkhotel is more prevalent abroad -- especially in Japan, Taiwan, China, Russia and South Korea, where about 90% of infections have occurred per Kaspersky -- there have been cases in the U.S.
Kaspersky reported that - unlike many public WiFi attacks - Darkhotel is highly selective. When its researchers checked into hotels known to have been sites of Darkhotel contamination, they were not attacked. That, said Kaspersky in a blog post, “suggests the APT [Advanced Persistent Threat] acts selectively. Further work demonstrated just how careful these attackers were to hide their activity - as soon as a target was effectively infected, they deleted their tools from the hotel network staging point, maintaining a hidden status.”
Bottom line: this is an elite spying crew, and that means it is a very formidable enemy.
Keanini suggested that - very probably - hotel employees or employees of vendors are in on the hack. It is entirely possible that the hackers independently found and exploited vulnerabilities in the hotels’ WiFi networks, but it is hard to explain information about guest lists without an insider involved.
How to dodge Darkhotel? Here’s the FBI’s advice: “The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products through their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling and that they download software updates directly from the software vendor’s website if updates are necessary while abroad.”
Simpler advice is: don’t download updates when traveling. Wait until you are back in the office. Yes, there may be an important update, but odds are it’s yet another minor patch - and the odds are better that it may in fact be a targeted download that aims to conquer your computer.
Delay may keep you safer.
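The FBI's check quoted above, confirming that a prompted update really carries the vendor's digital signature, can be scripted before anything a captive portal offered is run. The following PowerShell is an added example, not code from the article or any of the firms it quotes; the installer path, the vendor name and the optional hash are placeholders the user supplies.

```powershell
# Added example: a defender's pre-install check for an update prompted on hotel WiFi.
# It implements the FBI's advice of verifying the signer matches the vendor, plus an
# optional SHA-256 comparison against a value published on the vendor's own website.
# $Path, $ExpectedSigner and $ExpectedSha256 are placeholders supplied by the user.
function Test-UpdateTrustworthy {
    param(
        [Parameter(Mandatory)] [string] $Path,           # downloaded installer (.exe / .msi)
        [Parameter(Mandatory)] [string] $ExpectedSigner, # vendor name expected in signer Subject
        [string] $ExpectedSha256                         # optional SHA-256 from the vendor's site
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    # Authenticode status: anything other than 'Valid' (NotSigned, HashMismatch,
    # UnknownError for an untrusted chain, ...) means the file must not be run.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'. Do not install."
        return $false
    }

    # A valid signature only proves *someone* signed it; it has to be the vendor.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedSigner)) {
        Write-Warning "Signed by '$subject', not by the expected vendor '$ExpectedSigner'."
        return $false
    }

    # Optional: compare against the hash the vendor publishes for this release.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "SHA-256 mismatch: got $actual, expected $ExpectedSha256."
            return $false
        }
    }

    Write-Host "OK: '$Path' is validly signed by '$subject'."
    return $true
}

# Usage with placeholder values; run before double-clicking anything a captive portal offered.
# Test-UpdateTrustworthy -Path "$env:USERPROFILE\Downloads\update.exe" -ExpectedSigner 'Example Vendor Inc'
```

A status of 'Valid' covers the certificate chain and the file's own hash; the separate signer comparison is what catches an installer that is correctly signed, but by the wrong party.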
--Written by Robert McGarvey for MainStreet