The United States Secret Service is warning the hospitality industry to be on the lookout for malware that steals passwords amongst other sensitive credentials from guests using public PCs in business centers, according to a recent report.
The non-public advisory was issued last Thursday, reporter at KrebsOnSecurity, Brian Krebs, reported Monday. Krebs details that the notice warned that authorities recently arrested suspects who infecting public computers at a number of major hotel business centers around Dallas/Fort Worth areas.
“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software,” the advisory reads.
“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”
The report is an unpleasant reminder why it is nearly never a good idea to use public PCs for anything more than casual web browsing. No matter if the PCs are within eyesight of business center employees or other workers, or even locked with limited privileges, there are a multitude of techniques attackers could use to comprise machines with malware.
The truth is, if a skilled attacker has physical access to a system, it’s more or less game over for the security of that computer. But don’t take my word for it. This maxim is among the “10 Immutable Laws of Security” as laid out by none other than Microsoft‘s own TechNet blog, which lists law #3 as: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”
The next hotel business center you visit may be completely locked down and secure, or it could be wide open and totally overrun with malware. The trouble is that there is no easy way for the average guest to know for sure. That’s why I routinely advise people not to use public computers for anything more than browsing the Web. If you’re on the road and need to print something from your email account, create a free, throwaway email address at yopmail.com or 10minutemail.com and use your mobile device to forward the email or file to that throwaway address, and then access the throwaway address from the public computer.
Krebs follows up with active measures guests can take when using public PCs, but notes some systems may lock down certain features to the average user. One way would be booting from a live USB, but some systems may have locked down BIOS settings not allowing for such. Unfortunately not all systems support such protections and guests and employees may be inconvenienced by these tactics.