Social Engineering Attack at Marriott Yields 300-400 Customer Credit Card Numbers

Given Marriott's general cybersecurity history, current expectations for the chain are low. Thus, a recent data breach that "only" compromised one property and "only" resulted in the theft of 300 to 400 customer credit card numbers appears relatively benign in comparison to its previous incidents: the 2014 mega-breach that impacted approximately 340 million customers worldwide (and was not disclosed until 2018), and the 2020 breach that exposed personal profile details of 5.2 million guests.

Source: CPO | Published on July 12, 2022


The data breach occurred at the BWI Airport Marriott near Baltimore, and Marriott says it is directly contacting the 300 to 400 guests whose credit card information was exposed. A social engineering attack was carried out on a member of the hotel staff, who unwittingly granted the hacker access to the property's network.

Another data breach for Marriott, but this time it only affects one property.

According to Marriott, the attacker only had access to the BWI Airport Marriott systems for six hours. However, that was enough time to steal approximately 20GB of data. This appeared to be mostly "non-sensitive" hotel business information, but it also included the hotel's payment and reservation records, which contained customer credit card information.

Given the hotel's 310 rooms, it's possible that the attacker only accessed information for guests who were checked in at the time or had upcoming reservations; leaked information suggests that the data breach occurred in late May 2022.

Marriott confirmed that social engineering was used and that one hotel employee was duped into giving up access to their computer, presumably over the phone. Because the associate did not have access to Marriott's larger network, the data breach appears to be limited to that property. However, the attackers apparently attempted to extort Marriott corporate for information about the data breach before releasing some of the stolen documents to the public as proof.

The hotel, which is located near Baltimore's BWI Airport, is frequently used by flight crews who are on the road. The hackers exposed full names, flight numbers and arrival times, employment position and room number, as well as credit card details (including CVV and expiry date) used for booking, for several of these crew members (generally an airline corporate card). Moreover, despite Marriott's claim that the stolen hotel business information was "non-sensitive," reports indicate that the leaked files included wage data for employees as well as a personnel assessment for at least one person.

As automated defenses improve, social engineering is on the rise.

While ransomware and phishing attacks that deliver backdoor malware continue to reign supreme in terms of dollar amounts, recent statistics and surveys show that social engineering is becoming a more popular attack method. This could be a reaction to a general improvement in automated defenses and tools capable of reliably shutting down less skilled attackers; social engineering allows an attacker to bypass most of the technical process if they can find just one employee who is susceptible to being duped.

Neither Marriott nor the hackers responsible provided many details about how the social engineering attack was carried out, but given the circumstances, it was most likely carried out by pretending to be from Marriott technical support staff and convincing the victim to either visit a phishing page, directly tell them what their login credentials were, or open up a remote desktop connection, allowing the attackers to walk in without credentials.

For years, the latter of these social engineering possibilities has been a common scam, with the scammer frequently calling on the phone, pretending to be from Microsoft's technical support team, and convincing the victim to open a remote session due to detection of a "virus" or "intrusion" or something similar. Remote desktop scams, like many other types of cybercrime, increased in 2020 as companies transitioned to work-from-home models for many of their employees.

And, while cryptocurrency experienced a lull in 2022, the massive price surges that preceded it prompted a wave of new social engineering activity on social platforms such as Facebook and Instagram. The most common scams are "romance fraud" and "fake cryptocurrency investment opportunities." Though these attackers are typically looking for victims to send them money, there is no reason why the same approaches cannot be adapted to fish for credentials or entry points into a company network by approaching employees in their personal online lives.

According to Roger Grimes, data-driven defense evangelist at KnowBe4, social engineering awareness training should be included in routine company data breach efforts that focus on phishing and malware: "Organizations must ensure that all employees are regularly educated about this type of social engineering, with training at least once a month followed by simulated phishing tests to determine how well employees understood and implemented the training. Employees who are found to be vulnerable to this type of phishing attack should be required to undergo additional and longer training until they develop a natural instinct to put these types of attacks."

Egress' Jack Chapman, VP of Threat Intelligence, agrees, but adds that policy and technology must also be updated to combat the growing threat of a social engineering data breach: "Many organizations have implemented security awareness training programs in an attempt to prevent social engineering attacks such as phishing, but training alone is insufficient to mitigate the risks. To protect their people from this type of attack, organizations must deploy a combination of the right technology, policies, and training."

According to Steve Moore, Exabeam's chief security strategist, the "technology" portion of this should focus on mitigation measures to contain the attacker once they have tricked an employee into giving up access: "Even with social engineering, the adversary typically employs a short list of post-contact methods. As a result, defenders must concentrate on the facts of what is to come - credential theft and misuse, as well as deviant behavior."