close
close

Spyware found on computers checking into US hotels

Posted on by darion

TechCrunch has learned that a consumer-grade spy app has been detected in the check-in systems of at least three Wyndham hotels across the United States.

An app called pcTattletale secretly and continuously captured screenshots of hotel reservation systems that contained detailed information about guests and customers. Thanks to a spyware vulnerability, screenshots are available to anyone on the Internet, not just the targeted spyware users.

This is the latest example of consumer-grade spyware revealing sensitive information due to a security vulnerability in the spyware itself. This is also the second known case of pcTattletale disclosing screenshots of devices on which the application is installed. Several other spy apps in recent years have suffered from security bugs or misconfigurations that exposed private and personal data to unsuspecting device owners, in some cases prompting action by government regulators.

Guest and booking details intercepted and exposed

pcTattletale allows the person controlling it to remotely view the target Android or Windows device and its data from anywhere in the world. According to the pcTattletale website, the app “runs invisibly in the background on workstations and cannot be detected.”

However, the bug means that any Internet user who understands how the vulnerability works can download screenshots captured by the spyware directly from pcTattletale’s servers.

Security researcher Eric Daigle told TechCrunch he discovered compromised hotel check-in systems as part of an investigation into consumer spyware. These apps are often referred to as “stalkerware” because of their ability to track people – including spouses and domestic partners – without their knowledge or consent.

Daigle said he tried to alert pcTattletale about the issue, but the company did not respond and, at the time of publication, the bug had not been fixed. Daigle revealed limited details about the pcTattletale leaked screenshot bug in a short blog post, without providing specifics so as not to help bad actors exploit the vulnerability.

Daigle said pcTattletale periodically takes new screenshots of the device the app is running on, sometimes every few seconds.

Screenshots of two Wyndham hotels seen by TechCrunch show the names and booking details of guests on an online portal provided by travel tech giant Saber. Screenshots of online portals also show partial numbers of guests’ payment cards.

Another screenshot showed access to the check-in system at a third Wyndham hotel, which was then logged into the Booking.com administration portal used to manage guest reservations.

It’s unclear who installed the app and how – for example, whether hotel employees were tricked into installing it or whether the hotel owner intended the spyware to be used to monitor employee behavior. pcTattletale advertises itself as, among other things, a way to monitor employees.

The manager of one of the affected hotels told TechCrunch over the phone that he was unaware that the spyware was taking screenshots of their check-in computers. Managers of the other two hotels did not respond to TechCrunch’s calls and emails. TechCrunch is not naming specific hotels given the risk of retaliation against hotel workers.

Wyndham spokesman Rob Myers told TechCrunch in an email: “Wyndham is a franchised organization, which means all of our U.S. hotels are independently owned and operated.” Wyndham would not say whether it knew that pcTattletale was used on computers at the front desk of its branded hotels, or whether the use of pcTattletale was approved by Wyndham’s own policies.

Booking.com told TechCrunch that the spyware did not compromise its own systems, but this case appears to be an example of how cybercriminals target hotel systems to gain access to hotel accounts.

“Some of our accommodation partners have unfortunately been targeted by very convincing and sophisticated phishing tactics, encouraging them to click on links or download attachments outside our system, which allows malware to be loaded onto their computers and, in some cases, leads to unauthorized access to their account Booking.com,” said Angela Cavis, spokeswoman for Booking.com. “These bad actors then try to impersonate the partner (or even Booking.com) – sometimes in a very convincing way – and demand payment from customers in violation of the rules contained in the booking confirmation.”

BBC News reported in December last year that cybercriminals gained access to the administrative portals of individual hotels using Booking.com. With this access, the criminals would then send messages to customers using the company’s app to trick them into paying them instead of the hotel.

It is not known whether pcTattletale or other spyware is linked to the earlier incidents, and Booking.com said it was investigating.

“All Songs Covered”

There is a long history of stalkerware apps that purport to advertise themselves for legitimate purposes – tracking your own children is legal in the United States – but also promote or explicitly say that these apps can be used to attack people without their knowledge, often spouses and partners national, which is illegal.

pcTattletale is marketed as child and employee monitoring software, but the company also promotes its app for use against “spouses who worry their partner may be cheating.”

screenshot of the pcTattletale membership portal where the question appears "Do you want your users to know that they are being monitored," and if the user says "NO," shows the download window with the text: "Users will not know that pcTattletale is installed and running. Remote installation service screenshot of the pcTattletale membership portal where the question appears "Do you want your users to know that they are being monitored," and if the user says "NO," shows the download window with the text: "Users will not know that pcTattletale is installed and running. Remote installation service

A screenshot of the pcTattletale Member Portal, which allows users to download a monitoring app that “users will not be aware that pcTattletale is installed and running.” Image credits: TechCrunch (screenshot)

pcTattletale develops spy apps for Android and Windows, and both apps require physical access to the target device to install. According to TechCrunch’s own spyware testing and analysis, pcTattletale provides a one-click Windows spyware application that can be installed in seconds.

pcTattletale also offers a service called “We’ll do it for you,” which the company says will help install spyware on the target computer on behalf of the customer.

“We placed pcTattletale on their Windows computer for you. You just need to choose the right moment,” the pcTattletale website informs customers on its members’ portal. “You will receive an email with instructions allowing us to access their computer. It will take us about 10 minutes. They won’t leave any traces. All traces covered.” A link is then sent to the customer allowing our technician (sic) to access the computer.”

Bryan Fleming, founder and administrator of pcTattletale, did not respond to TechCrunch’s request for comment.

To contact this reporter, contact Signal and WhatsApp at +1 646-755-8849 or email. You can also send files and documents via SecureDrop.