The risk of malware and ransomware infections can be reduced by training staff to avoid opening file attachments received from unfamiliar email accounts. Despite this being common practice, a well-known cybercriminal group has recently been increasing the number of infections by telephoning hotels and restaurants to ask staff to open emails with infected attachments.
Trustwave has advised hotel and restaurant chains to be on the lookout for the deception. The group responsible for the campaign is telephoning customer service reps and pretending to be clients who are experiencing problems while attempting to make online reservations via the target company’s website.
The attackers tell the company representative that they have emailed the information required for the booking as a Microsoft Word document attachment. The rogue caller remains on the line until the representative opens the attachment, which then infects the computer: the Word document is malicious and downloads malware when opened. The malware can record credit card numbers from point-of-sale machines. It is an information stealer that records email addresses and passwords, and it can also take screenshots and scan the network to identify other targets.
Although cons such as these have been carried out previously, in this case the operation appears to be particularly professional. The callers speak English perfectly, and the companies and individuals targeted appear to have been researched in detail beforehand on social media sites like LinkedIn. Trustwave warns that the scammers typically attempt to develop trust with the rep by dropping the names of notable employees of the company, e.g. department heads, that they have simply found online.
It is thought that the attackers are members of the Carbanak gang. This gang was responsible for extensive attacks in 2015 which accounted for the theft of over $1 billion from numerous banks across the globe.
The particular form of malware being used by the attackers in this campaign is said to be sophisticated and hard to detect. Antivirus software appears to be unable to detect the malware, which allows it to stay active on infected machines for a significant period of time. After it has been installed, the malware has the ability to steal massive quantities of data, such as the credit card details used in POS system payments. Trustwave’s worldwide director of incident response, Brian Hussey, has warned that for a large restaurant chain, such an attack may affect up to a million of their customers.