Travelex currency exchange service taken down by malware attack

The New Year's Eve malware attack left Travelex customers unable to order currency online

Travelex was attacked by unknown malware on New Year's Eve; all online services were suspended and the company was forced to fall back on manual operations

London-based currency exchange company Travelex experienced a major malware attack on December 31st, which forced an immediate shutdown of its UK website and of online services such as currency ordering. Visitors to the website are met with a runtime error message, while the company's own notice attributes the downtime to "planned maintenance" as well as to the "software virus" attack.

It is not yet known what type of malware hit Travelex, as the official Twitter statement[1] did not name anything in particular:

Statement on IT issues affecting Travelex services

Travelex confirms that a software virus was discovered on New Year's Eve which has compromised some of its services. As a precautionary measure, in order to protect data and prevent spread of the virus, we immediately took all our systems offline.

Travelex, founded in 1976, is the largest international foreign currency exchange company; it currently operates more than 1,000 stores and 1,000 cash machines in 26 countries, primarily at airports, train stations and similar locations.[2] Depending on the nature of the malicious software, the implications of the Travelex malware attack might be disastrous.

While the investigation is still at an early stage and there are no details on what malware is affecting the company's services or how it got in, Travelex claimed that no customer information was affected by the incident.

Barclays, Virgin Money, Tesco Bank and multiple other banks had to suspend currency exchange services due to the Travelex malware issues

Even though the company says its branches remain fully operational, staff are unable to process any online transactions through the website or the app, as per the Twitter post. The company was forced into manual operations, serving customers in person at its branches in airports and other locations across the UK and abroad.

The malware incident affected not only the core business of the company but also major UK banks such as Barclays, Tesco Bank, HSBC and many others.[3] The banks notified customers that they are unable to accept online orders for travel money and that customers will have to visit branches instead, citing the issues at their partner Travelex.

While the statement indicated that the service should be back online as soon as possible, no particular date or time was provided. Travelex said that it has deployed IT specialists, as well as third-party forensic experts, to investigate the attack.

Ransomware suspected

Many users were clearly dissatisfied with the situation, and in particular with the lack of information about the incident beyond the general statement. Some customers claimed to be stranded overseas due to the incident, unable to access their funds. Many were also unsure about the safety of the personal information the company holds, as multiple data breaches affecting industry giants like Equifax[4] or Marriott[5] have served as a warning to customers.

UK security researcher Kevin Beaumont found that Travelex's Windows servers on AWS did not use Network Level Authentication (NLA) and exposed Remote Desktop Protocol (RDP) services directly to the internet.[6] Exposed RDP has been one of the major ransomware entry vectors: it lets attackers log in interactively with compromised credentials, disable anti-malware tooling and deploy the payload by hand. Without NLA the server also processes the full RDP session setup before any credentials are checked, which is what the pre-authentication BlueKeep flaw (CVE-2019-0708) abuses; NLA forces authentication first, and the patch removes the bug itself. Unfortunately, even after so many ransomware incidents in 2019, Beaumont says that the absence of NLA, and even of BlueKeep patches, is still a common occurrence:

It's really common still; if you look at it, over 250k boxes have both NLA disabled and haven't been patched for BlueKeep (so at least on or before May 2019).
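The NLA state of an exposed RDP endpoint can be read off the wire without logging in, which is how the researcher-style checks above are done at scale. The client's X.224 Connection Request carries an RDP_NEG_REQ listing the security protocols it supports; if the client offers only standard RDP security (PROTOCOL_RDP) and the server answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER, NLA (CredSSP) is enforced, whereas an RDP_NEG_RSP accepting PROTOCOL_RDP means an unauthenticated client gets the full pre-auth session setup. The following is an added example written for this article, not code from Travelex, AWS or Kevin Beaumont; the function names are my own, and the sample replies are constructed byte strings laid out per the public MS-RDPBCGR structures, not captured traffic.

```python
import socket
import struct
import sys

# Protocol flags carried in RDP_NEG_REQ / RDP_NEG_RSP (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1).
PROTOCOL_RDP = 0x00000000     # standard RDP security only: no TLS, no CredSSP
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP over TLS, i.e. Network Level Authentication

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    Offering only standard RDP security forces the server to state whether it
    accepts that or insists on TLS / CredSSP (NLA).
    """
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: LI counts every byte after itself; 0xE0 = CR code, DST-REF, SRC-REF, class 0
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT header: version 3, reserved, total length (big-endian)
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def classify_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm to a PROTOCOL_RDP-only request."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0)")
    if li == 6:
        # No RDP_NEG_RSP at all: legacy server that only speaks standard RDP security
        return "NLA_OFF_LEGACY_RDP_SECURITY"
    if tpkt_len < 19 or len(data) < 19:
        raise ValueError("truncated negotiation response")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_RSP:
        if value == PROTOCOL_RDP:
            return "NLA_OFF_STANDARD_RDP_SECURITY_ACCEPTED"
        return "UNEXPECTED_PROTOCOL_%d" % value
    if neg_type == TYPE_RDP_NEG_FAILURE:
        reason = FAILURE_CODES.get(value, "UNKNOWN_%d" % value)
        if value in (0x05, 0x06):
            return "NLA_ON_" + reason            # server demands CredSSP before anything else
        if value == 0x01:
            return "NLA_OFF_TLS_ONLY_" + reason  # TLS required, but no pre-session authentication
        return "NEGOTIATION_FAILED_" + reason
    raise ValueError("unknown negotiation structure type %d" % neg_type)


def probe(host, port=3389, timeout=5.0):
    """Send the probe over TCP and classify the reply (only against hosts you own)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return classify_connection_confirm(s.recv(64))


# Constructed sample replies (not captured traffic) for the three outcomes that matter.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_STD_RDP_ALLOWED = bytes.fromhex("030000130ed00000123400" "0200080000000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for name, reply in (("nla_required", SAMPLE_NLA_REQUIRED),
                            ("std_rdp_allowed", SAMPLE_STD_RDP_ALLOWED),
                            ("legacy", SAMPLE_LEGACY)):
            print(name, classify_connection_confirm(reply))
```

Run it with a hostname to probe a server of your own, or with no arguments to see the three constructed replies classified. An "NLA_OFF" result on an internet-facing host is the condition described above: anyone can drive the session setup without credentials. On the server itself the same setting is the `UserAuthentication` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp` (1 = NLA required); enabling it is a mitigation, not a substitute for the BlueKeep patch.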

According to some sources,[7] a company insider said that the culprit is indeed ransomware and that it compromised multiple sensitive files located on internal servers.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. She holds a bachelor's degree in English Philology.
