The UK’s intelligence agency, GCHQ, is strongly warning UK holidaymakers to take care of their digital privacy while holidaying this year. The dire warning comes amid revelations that many people may be falling victim to cybercriminals and hackers while using public WiFi on vacation.
The warning comes via GCHQ’s National Cyber Security Centre (NCSC): a joint government and industry resource designed to protect the British public and infrastructure from cyberattacks. The experts at GCHQ are warning people to avoid insecure public WiFi hotspots in cafes, hotels, airports, and restaurants because they have been infiltrated with malware and pose a considerable risk.
According to GCHQ, the attacks are being carried out by the (supposedly Russian) hackers known as APT28 (AKA Fancy Bears). Those are the same hackers who recently made the news for leaking information about worldwide soccer doping.
The hackers, who are often also linked to the hack of the Democratic National Convention during last year’s US presidential elections, are famous for their #OpOlympics campaign in which they leaked the positive drug test results of a number of professional athletes.
Holidaymakers are being advised to strengthen their email passwords, set up two-factor authentication, and make sure all their apps are up to date before departing on their summer holidays. According to the threat report, Fancy Bear hackers have set up fake WiFi hotspots in up to seven holiday resorts around Europe.
GCHQ says that accessing email accounts is one of the main aims of the campaign. It is warning British holidaymakers that they could be targeted because of the “sensitive information” that their accounts contain.
In its message to the general public, the UK’s NCSC warns:
"Fancy Bears have allegedly been seeking access to hotel Wi-Fi networks to install malware on guest devices connecting to targeted networks. According to researchers, the attackers may have been able to gain access to victims’ data, including emails, and to harvest online credentials.
"The hacking campaign, which has been noted predominantly in mid-upmarket hotels in European capitals and the Middle East, could be targeting foreign government and business travellers. Travellers should be aware of their digital security when travelling overseas. Where possible, travellers are advised not to connect to insecure or untrusted Wi-Fi networks."
The revelations about the WiFi hacking campaign come courtesy of the renowned cybersecurity firm FireEye. According to the FireEye researchers, the APT28/FancyBears hackers have been using an exploit stolen from the NSA’s elite hackers, known as “Equation Group.” That exploit is called Eternal Blue and was responsible for a number of big cyberattacks this year, including the WannaCry and Petya.A attacks.
That exploit leverages a version of Windows' Server Message Block (SMB) networking protocol to quickly spread through networks. It was stolen from the NSA over a year ago by another shady group of hackers known as the Shadow Brokers.
FireEye says that the attack on holiday resorts begins with a spear-phishing campaign. Emails are sent to hotels and other businesses. The messages are ‘socially engineered’ to appear authentic and important. Once a member of staff has been duped into opening an attachment within the email, the hackers deliver a payload of malware onto the victim’s network.
FireEye’s report identifies the malware as “Game Fish,” which it says is well known as APT28/FancyBears’ “signature” payload. According to the researchers, once the payload has been deployed it uses the NSA’s Eternal Blue to find its way deeper into hotel systems in search of the machines that run the WiFi.
Once there, more malware is deployed: a tool known as “Responder.” It allows the hackers to access any credentials, logins, passwords, and even credit card details entered by holidaymakers during their stay.
For the time being, it remains unclear whether Fancy Bears are actually responsible for this attack. FireEye has openly admitted that it is only "moderately confident" that Fancy Bears are in fact carrying out this attack.
This campaign, which it is claimed is targeting the general public, certainly seems to stand at odds with the hacking efforts the Fancy Bears group has mounted thus far. Those past efforts can best be described as a form of cyber-vigilantism. As such, even if Fancy Bears is responsible, it seems more likely that specific businessmen and political figures (as opposed to general holidaymakers) are the targets.
No Room to Relax
In reality, this string of cyberattacks (on seven European resorts and one Middle Eastern resort) could be the work of just about anyone. Exploits spread, and are sometimes sold for a profit. For this reason, it is possible that the signature “Game Fish” malware, which appears to incriminate Fancy Bears, has fallen into someone else's hands.
In addition, it is worth noting that this is nothing new. Fake hotspots controlled by hackers, and public WiFi that has been infiltrated by cybercriminals, are a constant danger all over the world. Once unsuspecting people connect to any of those hotspots, it is easy for hackers to see all of the traffic coming and going from their smartphones, laptops, and tablets.
For hackers, this is an easy way to steal credentials and passwords in order to access email accounts and PayPal accounts, or to steal credit card credentials that are entered while making purchases.
A VPN Is the Best Form of Protection
If you're worried about joining infected networks or fake WiFi hotspots while traveling, the best solution is to use a trusted and reliable Virtual Private Network (VPN). A VPN is an online subscription service that securely encrypts all the data coming and going from your device(s). That military grade, end-to-end encryption makes it impossible for hackers to access your data.
A VPN is so effective that using one means anybody would be fine connecting to a hacker's fake WiFi hotspot to do some shopping with a credit card. Unlike other victims who join the cybercriminal's fake WiFi hotspot (who would easily be frisked of their details as they entered them), a VPN user’s data is completely scrambled by the VPN’s encryption.
For this reason, a VPN is an excellent traveling companion. It allows you to use public WiFi in a relaxed manner, safe in the knowledge that your data is secure. In addition, of course, holidaymakers should do as GCHQ suggests and use two-factor authentication, strong passwords, and fully updated apps. Finally, it is well worth looking at our travel security guide.
Opinions are the writer's own.