Amid MGM, Caesars Incidents, Attackers Focus on Luxury Hotels

A fast-growing cyber campaign solely takes aim at luxury hotel and resort chains, using security-disruptive tactics to spread info-stealing malware.

Even as the effects of the
show-stopping cyberattacks
on MGM Grand and Caesars are still being felt, attackers continue to target the hospitality industry with an active phishing campaign aimed at spreading info-stealing malware. The offensive uses
social-engineering tactics
similar to the ones that
ultimately crippled
the resort-casinos this month.
The campaign, discovered by researchers at Cofense Intelligence, leverages reconnaissance emails and instant messages to bait employees at
luxury resorts and hotel chains
into a response, according to
a Cofense blog post
published Sept. 26. Once the threat actors receive a response to the initial email, they will then follow up with phishing messages that leverage several methods known to disrupt email security analysis and secure email gateways (SEGs), so that the messages reach intended targets. These tactics include the use of trusted cloud domains in the emails, password-protected archives, and executable files that are so large they can disrupt analysis, according to the report.
From the reconnaissance email all the way to the malicious payload, this campaign and its infection chain are both highly sophisticated and well-thought-out by the threat actors, Cofense cyber threat intelligence analyst Dylan Duncan wrote in the post.
This attention to detail is reflective in the success of these emails reaching intended targets, with a notable uptick in the campaign through August and into September at an alarming rate, he added. Indeed, 85% of the phishing emails observed in the campaign have been sent in the last 60 days, with September showing a higher incidence of messages than August, according to Cofense.
Threat actors make initial contact by sending an email to luxury hospitality chains and services using what they believe is a company email address. In one case, in a message that targeted a reservation email address, the threat actors purported to be a customer seeking a special medical request for their existing reservation.
These first messages dont contain malicious content, but are simply used to verify that the target email account is live. If the recipient takes the bait, the follow-up message from attackers arrives on the same day; but this one is a phishing email with a similar lure to the reconnaissance email, giving the campaign legitimacy.
The lures all warrant some sort of response from the targeted hospitality organization and are most likely very similar to what the employee is accustomed to seeing, such as a booking request or reservation change, Duncan wrote.
The emails include an infection URL hosted on a trusted cloud domain — such as Google Drive, Dropbox, or DiscordApp — from which a victim downloads a password-protected archive that contains malicious files. Fifty-eight percent of the links observed by Cofense were Google Drive files, while 49% of the archives were .ZIP files.
And while the
abuse of Google Drive
and other hosted password-protected archive platforms is a common tactic of threat actors in the phishing game to bypass security, there are other methods that the actors use to throw security researchers off the trail. For instance, as mentioned, one trick is to use a large file size to deliver malicious executables, which are in the range of around 600MB to 1GB. This disrupts analysis because most sandboxes and other analysis tools are limited in the size of files that can be scanned, he said.
The ultimate goal of the campaign is to steal employees login information for various applications used on the corporate system, and, in some cases, deliver secondary payloads. Stealers deployed by the campaign are from five known malware families —
RedLine Stealer
, Vidar Stealer, Stealc, Lumma Stealer, and Spidey Bot.
In fact, the threat actors behind RedLine and Vidar recently were seen
pivoting to ransomware
using similar tactics for delivering their stealers, demonstrating how easily a phishing campaign can lead to a full-blown ransomware attack like the ones that
recently took down MGM and Caesars.
Cofense did not elaborate on any known successful attacks.
The phishing campaign also has a high chance of success, not just because of how many messages it lands, but also because the targets are likely not especially tech-savvy, Duncan says.
The targets of these campaigns are not likely to be cybersecurity professionals, but rather just your every-day user that is specialized in areas fit for their job, he says.
In this case, the most practical defense a likely campaign target can employ is to
educate these employees
on general phishing concepts, as well as inform them of the existence of malicious campaigns like the one discovered by Cofense, Duncan says.
On the technical front, organizations should block downloads from sites being abused by the campaign that their business does not typically support, such as blocking downloads from Google Drive or DiscordApp if the company does not conduct legitimate business on those sites, he adds.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Amid MGM, Caesars Incidents, Attackers Focus on Luxury Hotels