Amid MGM, Caesars Incidents, Attackers Focus on Luxury Hotels

Even as the effects of the show-stopping cyberattacks on MGM Grand and Caesars are still being felt, attackers continue to target the hospitality industry with an active phishing campaign aimed at spreading info-stealing malware. The offensive uses social-engineering tactics similar to the ones that ultimately crippled the resort-casinos this month.

The campaign, discovered by researchers at Cofense Intelligence, leverages reconnaissance emails and instant messages to bait employees at luxury resorts and hotel chains into a response, according to a Cofense blog post published Sept. 26. Once the threat actors receive a response to the initial email, they will then follow up with phishing messages that leverage several methods known to disrupt email security analysis and secure email gateways (SEGs), so that the messages reach intended targets. These tactics include the use of trusted cloud domains in the emails, password-protected archives, and executable files that are so large they can disrupt analysis, according to the report.

“From the reconnaissance email all the way to the malicious payload, this campaign and its infection chain are both highly sophisticated and well-thought-out by the threat actors,” Cofense cyber threat intelligence analyst Dylan Duncan wrote in the post.

This attention to detail is reflective in “the success of these emails reaching intended targets,” with a notable uptick in the campaign through August and into September “at an alarming rate,” he added. Indeed, 85% of the phishing emails observed in the campaign have been sent in the last 60 days, with September showing a higher incidence of messages than August, according to Cofense.

Using Cloud Services to Boost Legitimacy

Threat actors make initial contact by sending an email to luxury hospitality chains and services using what they believe is a company email address. In one case, in a message that targeted a reservation email address, the threat actors purported to be a customer seeking a special medical request for their existing reservation.

These first messages don’t contain malicious content, but are simply used to verify that the target email account is live. If the recipient takes the bait, the follow-up message from attackers arrives on the same day; but this one is a phishing email with a similar lure to the reconnaissance email, giving the campaign legitimacy.

“The lures all warrant some sort of response from the targeted hospitality organization and are most likely very similar to what the employee is accustomed to seeing, such as a booking request or reservation change,” Duncan wrote.

The emails include an infection URL hosted on a trusted cloud domain — such as Google Drive, Dropbox, or DiscordApp — from which a victim downloads a password-protected archive that contains malicious files. Fifty-eight percent of the links observed by Cofense were Google Drive files, while 49% of the archives were .ZIP files.

And while the abuse of Google Drive and other hosted password-protected archive platforms is a common tactic of threat actors in the phishing game to bypass security, there are other methods that the actors use to throw security researchers off the trail. For instance, as mentioned, one trick is to use a large file size to deliver malicious executables, which are in the range of around 600MB to 1GB. This disrupts analysis because most sandboxes and other analysis tools are limited in the size of files that can be scanned, he said.

The Ultimate Goal Is Credential Theft

The ultimate goal of the campaign is to steal employees’ login information for various applications used on the corporate system, and, in some cases, deliver secondary payloads. Stealers deployed by the campaign are from five known malware families — RedLine Stealer, Vidar Stealer, Stealc, Lumma Stealer, and Spidey Bot.

In fact, the threat actors behind RedLine and Vidar recently were seen pivoting to ransomware using similar tactics for delivering their stealers, demonstrating how easily a phishing campaign can lead to a full-blown ransomware attack like the ones that recently took down MGM and Caesars. Cofense did not elaborate on any known successful attacks.

The phishing campaign also has a high chance of success, not just because of how many messages it lands, but also because the targets are likely not especially tech-savvy, Duncan says.

“The targets of these campaigns are not likely to be cybersecurity professionals, but rather just your every-day user that is specialized in areas fit for their job,” he says.

In this case, the most practical defense a likely campaign target can employ is to educate these employees on general phishing concepts, as well as inform them of the existence of malicious campaigns like the one discovered by Cofense, Duncan says.

On the technical front, organizations should block downloads from sites being abused by the campaign that their business does not typically support, “such as blocking downloads from Google Drive or DiscordApp if the company does not conduct legitimate business on those sites,” he adds.