Brian Krebs reports that the US Secret Service is warning those in the hospitality industry to beware of keylogging devices being attached to publically accessible computers, quoting a circular stating that the “malicious actors were able to utilize a low cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guest’s information.”
Public machines are a great choice for such operations as they are often used by people who are ‘caught out’ whilst vacationing and suddenly have need to transfer some cash to cover an unexpected expense or have a quick look at their work email. The diverse mix of people you would get in such an establishment would provide ample opportunity and expose the perpetrators to little risk, especially with the newer generation keylogging devices which are self powered (via 5V from the USB bus) and allow for remote dumping of their buffer (which can be extremely large, i.e. megabytes) via bluetooth from some distance away. Having to only touch the computer once (to plant the keylogger) is a definite advantage. A member of the cleaning crew could potentially swap a computer keyboard for one of the same design which has had the keylogging component secreted inside the keyboard’s enclosure, making detection via simple visual inspection highly unlikely.
Mike the Crypto Goat 