Spyware found on US hotel check-in computers

Featured Article
Comment
A consumer-grade spyware app has been found running on the check-in systems of at least three Wyndham hotels across the United States, TechCrunch has learned.
The app, called pcTattletale, stealthily and continually captured screenshots of the hotel booking systems, which contained guest details and customer information. Thanks to a security flaw in the spyware, these screenshots are available to anyone on the internet, not just the spyware’s intended users. 
This is the most recent example of consumer-grade spyware exposing sensitive information because of a security flaw in the spyware itself. It’s also the second known time that pcTattletale has exposed screenshots of the devices on which the app is installed. Several other spyware apps in recent years had security bugs or misconfigurations that exposed the private and personal data of unwitting device owners, in some cases prompting action by government regulators.
pcTattletale allows whomever controls it to remotely view the target’s Android or Windows device and its data, from anywhere in the world. pcTattletale’s website says the app “runs invisibly in the background on their workstations and can not be detected.”
But the bug means that anyone on the internet who understands how the security flaw works can download the screenshots captured by the spyware directly from pcTattletale’s servers. 
Security researcher Eric Daigle told TechCrunch that he found the compromised hotel check-in systems as part of an investigation into consumer-grade spyware. These apps are often referred to as “stalkerware” for their ability to be used to track people — including spouses and domestic partners — without their knowledge or consent. 
Daigle said he attempted to warn pcTattletale of the issue, but the company has not responded, and the flaw remains unfixed at the time of publication. Daigle disclosed limited details of pcTattletale’s leaking screenshot bug in a short blog post, without providing specifics so as to not help bad actors take advantage of the flaw. 
Daigle said pcTattletale periodically takes new screenshots of the device that the app is running on, sometimes every few seconds.
The screenshots from two Wyndham hotels, seen by TechCrunch, show the names and reservation details of guests on a web portal provided by travel tech giant Sabre. The screenshots of the web portals also display guests’ partial payment card numbers.
Another screenshot showed access to a third Wyndham hotel’s check-in system, which at the time was logged into Booking.com’s administration portal used to manage a guest’s reservation.
It’s not known who planted the app or how the app was planted — for example, if hotel employees were tricked into installing it, or if the hotel owner intended the spyware to be used to monitor employee behavior. pcTattletale markets itself as a way to monitor employees, among other uses.
The manager of one affected hotel told TechCrunch by phone that they were unaware that the spyware was taking screenshots of their check-in computer. The managers of the other two hotels did not return TechCrunch’s calls or emails. TechCrunch is not naming the specific hotels given the risk of retaliation against hotel employees.
Wyndham spokesperson Rob Myers told TechCrunch in an email: “Wyndham is a franchise organization, meaning all of our hotels in the U.S. are independently owned and operated.” Wyndham would not say if it was aware that pcTattletale was used on the front-desk computers of its branded hotels or if the use of pcTattletale was approved by Wyndham’s own policies.
Booking.com told TechCrunch that its own systems were not compromised by the spyware, but that this case seemed like an example of how hotel systems are targeted by cybercriminals to get access to the hotel’s accounts.
“Some of our accommodation partners have unfortunately been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links or download attachments outside of our system that enable malware to load on their machines and in some cases, lead to unauthorized access to their Booking.com account,” said Angela Cavis, a spokesperson for Booking.com. “These bad actors then attempt to impersonate the partner (or even Booking.com) — sometimes very convincingly — to request payment from customers outside of the policy in their booking confirmation.”
BBC News reported last December that cybercriminals had obtained access to the administration portals of individual hotels that use Booking.com. With this access, the criminals then sent messages to customers from the company’s app to trick them into paying them instead of the hotel. 
It’s not known if pcTattletale or other spyware is linked to previous incidents, and Booking.com said it was investigating.
There is a long history of stalkerware apps that ostensibly market themselves for legitimate uses — tracking your own children is legal in the United States — but also promote, or outright say, that the apps can be used to target people without their knowledge, often spouses and domestic partners, which is unlawful.
pcTattletale is sold under the guise of child and employee monitoring software, but the company also promotes its app for use against “spouses who worry that their partner might be cheating.” 
pcTattletale develops spyware apps for Android and Windows and both apps require physical access to a target’s device to install. pcTattletale provides its Windows spyware app as a one-click download that can be installed in a few seconds, according to TechCrunch’s own tests and analysis of the spyware. 
pcTattletale also offers a service called “We Do It For You,” which the company says will help install the spyware on the target’s computer on the customer’s behalf. 
“We put pcTattletale on their Windows Computer for you. Just pick a time,” pcTattletale’s website tells customers inside its members’ portal. “You will get an email with instructions for us to access their computer. It takes us about 10 minutes. No traces left behind. All tracks covered.” The customer is then sent a link “for our techncian [sic] to access the computer.”
Bryan Fleming, who founded and maintains pcTattletale, did not respond to TechCrunch’s request for comment. 
To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.
Every weekday and Sunday, you can get the best of TechCrunch’s coverage.
Startups are the core of TechCrunch, so get our best coverage delivered weekly.
The latest Fintech news and analysis, delivered every Sunday.
TechCrunch Mobility is your destination for transportation news and insight.
By submitting your email, you agree to our Terms and Privacy Notice.
Silo, a Bay Area food supply chain startup, has hit a rough patch. TechCrunch has learned that the company on Tuesday laid off roughly 30% of its staff, or north…
President Joe Biden needs a meme manager.
Featured Article
Meanwhile, women and people of color are disproportionately impacted by irresponsible AI.
If you’ve ever wanted to apply to Y Combinator, here’s some inside scoop on how the iconic accelerator goes about choosing companies.
Indian ride-hailing startup BluSmart has started operating in Dubai, TechCrunch has exclusively learned and confirmed with its executive. The move to Dubai, which has been rumored for months, could help…
Under the envisioned framework, both candidate and issue ads would be required to include an on-air and filed disclosure that AI-generated content was used.
Want to make a founder’s day, week, month, and possibly career? Refer them to Startup Battlefield 200 at Disrupt 2024! Applications close June 10 at 11:59 p.m. PT. TechCrunch’s Startup…
Social networking startup and X competitor Bluesky is officially launching DMs (direct messages), the company announced on Wednesday. Later, Bluesky plans to “fully support end-to-end encrypted messaging down the line,”…
The perception in Silicon Valley is that every investor would love to be in business with Peter Thiel. But the venture capital fundraising environment has become so difficult that even…
Featured Article
Several hotel check-in computers are running a remote access app, which is leaking screenshots of guest information to the internet.
Gavet has had a rocky tenure at Techstars and her leadership was the subject of much controversy.
The struggle isn’t universal, however.
Featured Article
The tech layoff wave is still going strong in 2024. Following significant workforce reductions in 2022 and 2023, this year has already seen 60,000 job cuts across 254 companies, according to independent layoffs tracker Layoffs.fyi. Companies like Tesla, Amazon, Google, TikTok, Snap and Microsoft have conducted sizable layoffs in the first months of 2024. Smaller-sized…
HoundDog actually looks at the code a developer is writing, using both traditional pattern matching and large language models to find potential issues.
The changes are designed to enhance the consumer experience of using Google Pay and make it a more competitive option against other payment methods.
Few figures in the tech industry have earned the storied reputation of Vinod Khosla, founder and partner at Khosla Ventures. For over 40 years, he has been at the center…
AI has already started replacing voice agents’ jobs. Now, companies are exploring ways to replace the existing computer-generated voice models with synthetic versions of human voices. Truecaller, the widely known…
Meta is updating its Ray-Ban smart glasses with new hands-free functionality, the company announced on Wednesday. Most notably, users can now share an image from their smart glasses directly to…
Spotify launched its own font, the company announced on Wednesday. The music streaming service hopes that its new typeface, “Spotify Mix,” will help Spotify distinguish its own unique visual identity. …
In 2008, Marty Kagan, who’d previously worked at Cisco and Akamai, co-founded Cedexis, a (now-Cisco-owned) firm developing observability tech for content delivery networks. Fellow Cisco veteran Hasan Alayli joined Kagan…
A dodgy email containing a link that looks “legit” but is actually malicious remains one of the most dangerous, yet successful, tricks in a cybercriminal’s handbook. Now, an AI startup…
If you’ve been looking forward to seeing Boeing’s Starliner capsule carry two astronauts to the International Space Station for the first time, you’ll have to wait a bit longer. The…
TikTok is the latest tech company to incorporate generative AI into its ads business, as the company announced on Tuesday that it’s launching a new “TikTok Symphony” AI suite for…
Gone are the days when space and defense were considered fundamentally antithetical to venture investment. Now, the country’s largest venture capital firms are throwing larger portions of their money behind…
These days every company is trying to figure out if their large language models are compliant with whichever rules they deem important, and with legal or regulatory requirements. If you’re…
Link-in-bio startup Linktree has crossed 50 million users and is rolling out the beta of its social commerce program.
For a $5.99 per month, immigrants have a bank account and debit card with fee-free international money transfers and discounted international calling.
When developers have a particular job that AI can solve, it’s not typically as simple as just pointing an LLM at the data. There are other considerations such as cost,…
Response time is Aerodome’s immediate value prop for potential clients.
Granola takes a more collaborative approach to working with AI.
Powered by WordPress VIP

source
Sponsor:News technical sponsor
Sponsor:News AI sponsor
Sponsor: AI sponsor
Sponsor: AI sponsor

Leave a Comment

Vélemény, hozzászólás?

Az e-mail címet nem tesszük közzé. A kötelező mezőket * karakterrel jelöltük