This particular gang used stolen credit cards to register as guests at the hotels in question, and then freely used the computers in the hotel business center. They would log into their Gmail account, download from it and execute key logging software.
"The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts. The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers," the advisory states.
"The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software. The malicious actors were able to utilize a low-cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guests' information."
The NCCIC is advising hospitality companies to, among other things, limit guest accounts to non-administrator accounts, so that attackers can't download and install malware, but Brian Krebs pointed out that this is not a solution for foiling today’s keyloggers and malware.
There is no foolproof way to protect systems from skilled attackers that have physical access to them, he says, so the onus is on the users to keep their data secure. For one, they should always assume that a computer that doesn't belong to them isn't secure, and should abstain from performing any action that could compromise their private and financial information, as well as account credentials.