AI Cyberattacks Hit Mexican Hotels, RevengeHotels Resurfaces

By MBN Staff - Tue, 09/30/2025 - 12:00

A new wave of cyberattacks using AI is compromising the security of the hotel industry in Mexico. The attacks have been linked to the cybercriminal group RevengeHotels and focus on stealing guest financial information through advanced phishing techniques that breach hotel systems, according to research from Kaspersky.

“The hotel sector in Mexico is one of the most attacked in the private sphere,” says David Merino, Vice President of Cybersecurity Risk Prevention and Compliance Officer, Concanaco Servytur. “Hotels handle large volumes of data, not only internal but especially financial and banking information from guests. This high concentration of sensitive data makes each establishment a high-value target for malicious actors.”

The recent attack campaign, identified by Kaspersky’s Global Research and Analysis Team (GReAT), represents a significant evolution in cybercrime tactics. Traditionally, attacks relied on deploying ransomware to hijack systems for a ransom payment. The integration of AI into the operations of groups like RevengeHotels, however, has elevated the level of sophistication and risk. The objective is no longer solely extortion but stealthy infiltration to exfiltrate critical data, mainly bank card information and system access credentials.

The attack methodology relies on social engineering through phishing emails. These emails, crafted with AI assistance to be highly persuasive, simulate reservation requests or job applications sent to hotel staff. When employees interact with the attached documents, they unknowingly download VenomRAT, a Remote Access Trojan (RAT). This malware gives attackers complete control over the infected computer, allowing them to monitor activity, escalate privileges within the network and ultimately extract data from point-of-sale and reservation management systems.

The RevengeHotels campaign is not confined to Mexico. Its reach has extended to multiple countries in Latin America, including Argentina, Bolivia, Brazil, Chile and Costa Rica, in addition to Spain. The accessibility of the malware contributes to the proliferation of these attacks. According to Kaspersky, VenomRAT is sold on dark web forums for about US$650, lowering the entry barrier for smaller criminal groups.

This trend also reveals a deliberate strategy to focus on SMEs. Merino says that "attacking several small companies each week is less risky and more profitable than confronting large groups that do have firewalls, virtual servers, and software with AI to monitor their systems." SMEs, which comprise a majority of the hotel sector, often lack the budgets and specialized personnel to implement robust defenses, making them easier and more numerous targets.

The attack on MGM in Las Vegas two years ago, where malware paralyzed critical services such as reservations, payment systems, and electronic locks, showcases the operational and financial consequences such a cyberattack can cause. The incident reportedly forced the company to pay a ransom to restore its operations. This trend of targeted and technologically advanced attacks is expected to continue, demanding greater investment in cybersecurity and staff training across the industry.
