ShellTea PoS Malware Threatens the Hospitality Industry

When you stay at a hotel, the last thing you want to worry about is whether or not your credit card data is safe. Well, if ShellTea has silently invaded the network of the hotel you are staying at, this data is not safe. Of course, there is nothing you can do about it because it is the hotel’s responsibility to take care of this. This malware was created by FIN8, and Morphisec Labs observed it attacking operating systems in the spring. Unfortunately, it is impossible to say whether or not there will be other attacks from this group targeting hotels. In fact, before that, the last time this malware was seen was back in 2017, and so we really cannot know when this malware will strike next.

We cannot say for certain why the attackers behind ShellTea have decided to target hotels, but it might be because many businesses in the hospitality industry use outdated antivirus tools, receive credit card transactions every day, and continue to run the Windows 7 operating system. According to recent statistics, 32% of businesses use this operating system. What’s wrong with it? Well, first of all, Microsoft will stop releasing updates for this OS on January 14, 2020. That does not leave a lot of time for businesses to convert to Windows 10. Of course, with appropriate security tools, Windows users might be able to successfully run outdated versions, but businesses should not take this gamble. Unfortunately, even now, Windows 7 is flawed, and if security updates are not installed in time, the resulting security holes might allow cybercriminals to attack.

Most likely, the attackers are using phishing attacks to trick unsuspecting targets into executing the devious ShellTea. Undoubtedly, hotels receive plenty of emails every day, and so they might have experience dealing with spam too. Unfortunately, cybercriminals can set up extremely convincing messages, and less experienced employees could be tricked by them. The emails might contain links or attachments that, if clicked, can lead to the execution of ShellTea. Of course, the threat is executed silently, and if reliable security defenses are not set up to stop and delete the infection before it slithers in, the attackers can step in.

According to malware experts who discovered the infection, it can record information about the hotel, the network of computers, the infected machine, the operating system, and, of course, the customers. To gather even more information, ShellTea could start grabbing screenshots. PoS (point of sale) malware is usually used to gather credit card data, which might include personal data about the customers too, but ShellTea is likely to be more intrusive than that. While this malware might not be actively deployed at this time, the attackers behind it could be creating a stronger version or a version targeted at a different industry. Whatever the case might be, this is an infection that needs to be paid attention to.

Undoubtedly, hotels and other businesses within the hospitality industry need to take all security measures to ensure that ShellTea cannot take over their systems and silently gather information about the businesses and their clients. Unfortunately, the consequences of a successful data breach can be dire, and successful attacks might result in expensive lawsuits, fines, invasive inspections, and, of course, distrust from future clients. Hopefully, there’s time to take appropriate security measures. If you are a regular client, and you discover unfamiliar credit card charges after visiting a hotel or any other business that accepts credit cards, make sure you contact your bank immediately. They might be able to ensure your safety in the future, and they might even be able to get you your money back.


Gorelik, M. June 10, 2019. FIN8 is Back in Business, Targeting the Hospitality Industry. Morphisec Labs.
Spiceworks. June, 2019. The Future of Network and Endpoint Security. Spiceworks.
