This malware attack starts with a fake customer-service call

The hackers call hotels, then send email attachments that look like customer information

Hotel and restaurant chains, beware. A notorious cybercriminal gang is tricking businesses into installing malware by calling their customer services representatives and convincing them to open malicious email attachments.

The culprits in these hacks, which are designed to steal customers’ credit card numbers, appear to be the Carbanak gang, a group that was blamed last year for stealing as much as $1 billion from various banks.

On Monday, security firm Trustwave said that three of its clients in the past month had encountered malware built with coding found in previous Carbanak attacks.

This particular campaign has been preying on the hospitality industry, said Brian Hussey, Trustwave’s global director of incident response. The hackers start by calling a business’s customer service line and pretending to be clients who can’t access the online reservation system.

To spread the malware, the hackers also send an email to the customer service agent with an attached word document purportedly containing their reservation information. In reality, this document is designed to download malware to the computer.

The hackers are very persistent, Hussey said. “They’ll stay on the line with the customer service rep until they open up the attachment,” he said. “They have excellent English.”

The hackers can also be very convincing. They appear to be researching their targets on business networking site LinkedIn and finding out the names of company department heads.  “During the call, they’ll do some name-dropping to establish credibility,” Hussey said.

Once the malware is installed, it can download other malicious tools to tamper with the rest of a business’s network. The goal of the attack is to record credit card numbers from point-of-sale machines or e-commerce payment processes, according to Hussey.

In recent years, retailers, restaurants and hotels all have been hit by similar attacks intended to steal payment card data. The malware in this case is more broad-reaching than most. It includes the ability to snap screenshots from the desktop, steal passwords and email addresses and scan a network for valuable targets.

Most, if not all, antivirus engines have failed to detect the malware used in these hacks, according to Trustwave. 

"We've talked to our law enforcement contacts, and they are seeing the same thing," Hussey said. 

In a blog post, TrustWave outlined the technical details of the malware and other indicators that businesses can use to determine if they’ve been compromised.

“Once this malware finds what it wants, it can steal every single credit card that passes through your servers,” Hussey said. “For a large restaurant chain, that can be a million customers over a period of time.”

Join the Computerworld New Zealand newsletter!

Error: Please check your email address.

More about Trustwave

Show Comments
[]