The latest threat landscape report from ReliaQuest has unearthed some concerning findings regarding the critical threats faced by the hospitality and recreation sector. These include identifying a 43% increase in ransomware attacks, the discovery that 44% of phishing emails contained credential harvesters, and a staggering 433% increase in external remote services abuse.
The reporting period occurred between September 1, 2024, and February 28, 2025.
Convergence of Hospitality and Recreation
Although different in many ways, hospitality and recreation often intersect. This is primarily because many hospitality organizations offer recreational activities to enhance their customers’ experiences. Both also share a focus on technology-driven innovations, a prioritization of data-driven analytics, and a hyper-personalized approach.
Both sectors are growing rapidly. The global hospitality market is predicted to reach $5,816.66 billion by 2027, with the recreation market on course to hit $2,221.82 billion in 2029. It’s a big draw for cybercriminals looking to cash in and collect a share of this revenue.
Ransomware Attacks on the Rise
During the reporting period, 109 hospitality and recreation sector organizations had their stolen information listed for sale on data-leak sites. This figure represented a 43% increase in attacks on the sector when contrasted with the 76 organizations listed in the six months prior.
The hospitality and recreation sector’s visibility, reliance on IoT devices, and use of remote-access technologies make it an attractive target for ransomware gangs. Interestingly, although the number of gangs committing ransomware attacks in the sector fell, the leading figures look to be doubling down and focusing in on the sector.
Dubious Credentials
The ReliaQuest report found that 44% of phishing emails contained credential harvesters. Credential harvesting is a technique where cybercriminals gather a large number of a single user’s credentials at once. It’s a type of cyberattack usually deployed in conjunction with another attack, such as phishing attacks where users are taken to a fake login page.
Along with fake domains, fake social media accounts are another tactic cybercriminals use to promote fraudulent offers and entice users to click malicious links. These profiles can use time-sensitive offers to pressure an individual to make an urgent decision to avoid missing out. This is particularly applicable to gambling sites, which are attractive targets due to the large financial transactions they perform.
433% Surge in External Remote Services Attacks
The report identified how external remote services saw a 433% surge in attacks during the reporting period of September 1, 2024, to February 28, 2025, compared to the previous six months. A significant factor in this increase was a large-scale brute-force campaign detected in January 2025. This campaign used nearly 2.8 million compromised IP addresses, including residential proxies, to target edge devices like Palo Alto GlobalProtect and SonicWall NetExtender.
ReliaQuest reported a 45-fold rise in GreyMatter brute-force alerts from January 25 to January 28, highlighting the campaign’s scale in exploiting VPN vulnerabilities and using password spraying to infiltrate networks.
The report recommends implementing conditional access policies for external remote services like multifactor authentication (MFA) to secure remote services and public-facing web applications. It is also important to ensure web applications use secure coding techniques, such as prepared statements for SQL logic. Remember to enable verbose logging for external remote services such as virtual private networks (VPN).
Action Plan
ReliaQuest recommends following three steps to greatly strengthen your security posture and reduce the risk of being targeted. Namely, these are to:
- Secure remote services by enforcing MFA, implementing conditional access policies, and patching vulnerabilities in VPNs and RDPs.
- Combat impersonation through the use of DMARC, SPF, and DKIM and deploy DRP tools to detect fake social media profiles.
- Fight back against ransomware by segmenting IoT networks, blocking suspicious domains, and containing threats with automated responses.
- Tackle emerging risks by securing transactions.
- Mitigate the risk of insider threats (a threat they envisage as growing in the near future) through robust monitoring and employee engagement.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.