Read Time: 4 Minutes
Cyber attackers, whether criminals, hacktivists or governmental actors, know that people who travel a lot on business are more likely to be high net worth individuals, often being C-level executives or other similarly important people that are worth targeting.
Of course, targeting those people individually is only one way to go. You could also attack the travel agencies directly. Which in fact, does make a lot of sense (as an attacker that is).
Travel agencies know a lot about you. Your emails addresses, phone numbers, credit card information, passport details, the destination, travel times, hotels you are sleeping in.. you name it. And having that data readily available makes those companies very interesting targets.
In 2015 only, there has been a number of attacks against travel agencies, some of the most notorious one’s being the hack of the China’s largest online travel company Ctrip and an American travel reservations platform provider Sabre. There has even been an attack against a major Australian travel insurance company called Aussie Travel Cover.
Now, admittedly both of the aforementioned agencies are rather large multinational travel agencies, and their hack did get a fair share of the media attention. But smaller organizations are not immune to cyber attacks however, they just don’t make the headlines.
CASE OF A SMALL UK-BASED TRAVEL AGENCY
In 2014, a small US-based business travel agency got their CRM and booking system hacked, causing the company almost 2 weeks of complete downtime.
While we do not know the exact financial impact, having your business down for a few weeks is not a thing to scoff at. Plus, cleaning and resetting such systems by experts will easily cost upwards of 25.000$, in addition to the legal fees and financial costs that are bound to incur. After all, somebody will need to reimburse the fraudulent charges.
Despite the rather harsh costs for a small business, the attack itself was not very sophisticated however.
While browsing industry blogs, a travel agent succumbed to an attack via a vulnerable java browser plugin. Once infected, more malware was downloaded, giving cyber attackers full access to the agent’s computer. From there, attackers were able to move laterally to other computers and ultimately to agency booking and CRM systems, where credit card numbers were stored for convenience.
And as with most of these kinds of attacks, those credit card numbers are put to criminal use. In this case, by cheer luck one of the agency’s customers contacted them after just a few days to check some suspicious charges, sparking an investigation.
SO WHAT CAN WE LEARN ABOUT THE ATTACK?
- Get the basics right: Browser-based attacks are one of the most common tools in the arsenal of cyber criminals. Keeping your web surfing secure with browsing protection, script & ad blocking and similar kinds of technologies is an important start.
- Keep that software up-to-date: Or alternatively, just get rid of the software not in use and turn off non-essential features. Vast majority of the attacks happen by leveraging existing vulnerabilities in software, and hence, by simply keeping all your software (specially that browser and its plugins!) up-to-date, you can prevent the majority of attacks. Or even better, get rid of vulnerable software like Flash, Java and Silverlight
- Secure that CRM system: Generally speaking, taking critical systems off the network, or ‘air gaping it’, is a good idea if you can do it. In the case of the travel agency however, we can easily imagine that the system has to be online as to make the reservations etc. Hence securing such a system is trickier, though there are some good basic steps you should take.
- Limit the amount of things that an employee can do within the systems. For example, agents might need to update individual credit cards, but never read whole batches of them.
- In the case of the travel agency, the agent had unlimited capability to browse online, increasing the risk of infection considerably. Hence it makes sense to limit the agents’ access to only necessary sites on computers that are connected to the critical systems.
- Don’t allow direct access to the backend systems, but rather, have an API in between that limits the actions that can be done from the endpoint, preferably to only those that are absolutely necessary for people to do their work.
CYBER ATTACKS IN ACTION:
This blog post is the second of a series of posts [Part 1], [Part 3], [Part 4],where we look at the real-life attacks against businesses. It is inspired by our upcoming eBook (also part of an ongoing series), called: CYBER SECURITY DEMYSTIFIED: Securing Business Operations. You can get the ebook from here: Read eBook