BAD USB – Hospitality


A hospitality company was awarded with a $50 Best-Buy gift card in a letter which also included a USB thumb drive. Once plugged in, the USB would present a list of items which could be bought with the gift card. The company did not give in to the phishing attempt and contacted security experts from a cybersecurity firm instead, who revealed that the company encountered a so-called BadUSB attack. This was not the first targeted attack on the hospitality industry, as previous threat actors such as DarkHotel and RevengeHotels are known to be active in this industry. What stands out in this attack is the fact that a physical rogue device was used, capable of impersonating as a legitimate keyboard, which goes “below Radar” of existing EPS/EDR solutions – Only diving “deeper” into the physical layer can provide the adequate protection.

Download Case Study