Darkhotel Cyberattack Hits Travelers Over Hotel Wi-Fi

Credit: Alex Kalmbach/Shutterstock

Connecting to hotel Wi-Fi has always come with a certain amount of risk. Sometimes hackers can't resist messing with a system; often, thieves take advantage of relatively open networks to prey on travelers. 

The information-stealing operation called Darkhotel (or sometimes Tapaoux) takes the latter scenario to the next level. Discovered by Moscow-based security company Kaspersky Lab, Darkhotel is a series of advanced attacks that started in 2009, targeting specific individuals as they visited hotels, mostly in East Asia. 

According to Kaspersky Lab, Darkhotel attacks begin when targets first connect to a hotel Wi-Fi network. The targets see benign-looking prompts urging them to update software such as Adobe Flash, Windows Messenger or Google Toolbar. But these updates come bundled with a type of malware called a Trojan dropper.

This Trojan installs itself as a back door on infected computers, through which attackers can install even more malware.

The bogus updates don't appear for just anyone who connects to the Wi-Fi network of an affected hotel. Kaspersky Lab found that Darkhotel targets specific individuals, usually executives and important persons connected to large-scale manufacturing companies, defense contractors, law-enforcement agencies, non-governmental organizations, military branches and investment and private equity firms. 

"The most interesting thing about this delivery method is that the hotels require guests to use their last name and room number to login, yet only a few guests received the Darkhotel package," Kaspersky Lab wrote in its report.

In many cases, the Darkhotel attackers seemed to know the names, room numbers and expected check-in and check-out dates of their targets.

"When visiting the same hotels, our honeypot research systems couldn't attract a Darkhotel attack. This data is inconclusive, but it points to misuse of check-in information," the report reads.

Since the Darkhotel campaign first became active in 2009, Japan has seen approximately two-thirds of the total number of Darkhotel attacks. The attacks have also occurred in Taiwan, China, Russia, Korea, Hong Kong, Indonesia, Germany, the United States and Ireland.

Who's behind the Darkhotel attacks? Kaspersky Lab isn't sure. The Darkhotel malware is signed with cryptographic certificates, but these use relatively weak encryption keys and appear to have been cracked and stolen.

The group has also been observed using an Adobe Flash zero-day, or previously unknown, flaw to conduct spear-phishing attacks. Zero-days can sell for thousands or millions of dollars; the fact that Darkhotel's creators have access to one suggests they may have financial or nation-state backing. 

Darkhotel is still an ongoing attack, so Kaspersky has not yet released the names of the affected hotels.

"While the exact reason why some hotels function as an attacker vector are unknown, certain suspicions exist, indicating possibly a much larger compromise," the company wrote in its report.

There is some good news. Because the attacks are so specifically targeted, few travelers will be in danger from Darkhotel attacks. If you believe you are indeed at risk, avoid connecting to hotel Wi-Fi networks or to any other public or untrusted networks. Instead, use a mobile hotspot to get Internet access.

"[Darkhotel] paints a dark, dangerous web in which unsuspecting travelers can easily fall," the report concludes.

Email or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.