Kaspersky identifies Darkhotel as a group of attackers that “seems to know in advance when these individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travelers arrive and connect to the Internet.” The Kaspersky report, issued on November 10, 2014, is entitled “THE DARKHOTEL APT A STORY OF UNUSUAL HOSPITALITY” and should be disturbing to everyone who travels, particularly in Japan, since “over 90% of it occurs in the top five countries: Japan, followed by Taiwan, China, Russia and Korea.”
eWeek reported that Darkhotel was a cyber-espionage group that “has compromised the computer systems of corporate executives by infecting the networks of the hotels where they typically stay and then serving up malware while they connected to the Internet.”
Here is how Darkhotel spreads:
The Darkhotel APT’s precise malware spread was observed in several hotels’ networks, where visitors connecting to the hotel’s Wi-Fi were prompted to install software updates to popular software packages.
Of course, these packages were really installers for Darkhotel APT’s backdoors, added to legitimate installers from Adobe and Google. Digitally signed Darkhotel backdoors were installed alongside the legitimate packages.
The most interesting thing about this delivery method is that the hotels require guests to use their last name and room number to login, yet only a few guests received the Darkhotel package. When visiting the same hotels, our honeypot research systems couldn’t attract a Darkhotel attack. This data is inconclusive, but it points to misuse of check-in information.
By the tone of this Kaspersky report, apparently many travelers are unaware of the privacy threats from the likes of Darkhotel.