The Carbanak gang – a cybercrime group infamous for allegedly exfiltrating $1 billion from financial institutions around the world – has recently been spotted targeting businesses in the hospitality sector, including hotels and restaurants.
Cybersecurity firm Trustwave says it investigated three separate incidents in the last month in which customers had been infected with a variant of the Carbanak malware.
Researchers found the crime group appears to have adopted a new attack methodology involving highly targeted social engineering.
“An attacker called the customer contact line saying that they were unable to use the online reservation system and requested to send their information to the agent via email,” explained Brian Hussey, Trustwave’s director of global incident readiness and response.
“The attacker stayed on the line until the agent opened the attachment contained in the email and hung up when his attack was confirmed successful,” Hussey added.
Researchers noted the email attachment was a malicious Word document with an encoded .VBS script, capable of stealing system information and desktop screenshots, as well as downloading additional malware.
Ultimately, the malware is designed to scrape memory on Point-of-Sale (PoS) systems to extract credit card data. However, Hussey noted the “persistence, professionalism, and pervasiveness” of this particular campaign is at a level rarely seen.
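A front-desk or helpdesk mailbox that accepts customer attachments is the entry point described above, so the defensive check that matters here is whether a received Word file carries a macro project at all before anyone opens it. The following is an added example, not code from the article or from Trustwave: it inspects an attachment in memory, distinguishes OOXML (.docx/.docm) from legacy OLE2 containers, and flags an embedded VBA project; the sample documents are constructed inline for testing and are not files from the incident.

```python
import io
import zipfile

# OOXML stores VBA macros in a vbaProject.bin part and declares it in
# [Content_Types].xml. Legacy binary .doc files use the OLE2 compound-file
# format (magic below) and need a dedicated parser, so they are only flagged.
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_attachment(data: bytes) -> dict:
    """Classify an attachment's container and flag embedded VBA.

    Returns {'container': 'ooxml'|'ole'|'other', 'has_vba': bool|None,
             'findings': [str, ...]}.
    """
    findings = []
    if data.startswith(OLE_MAGIC):
        # Macros are possible in OLE2 files; hand off to a proper OLE parser.
        return {"container": "ole", "has_vba": None,
                "findings": ["legacy OLE2 container; inspect with a dedicated parser"]}
    if not data.startswith(b"PK"):
        return {"container": "other", "has_vba": False, "findings": findings}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if name.lower().endswith(VBA_PART_SUFFIX):
                    findings.append(f"VBA project part present: {name}")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ctypes:
                    findings.append("content types declare a vbaProject part")
    except zipfile.BadZipFile:
        return {"container": "other", "has_vba": False,
                "findings": ["PK header but not a valid zip archive"]}
    return {"container": "ooxml", "has_vba": bool(findings), "findings": findings}


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML document in memory (test fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-bytes")
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

A macro-bearing result is a reason to route the file to sandbox detonation rather than to the agent's desktop; the check says nothing about what the macro does, only that one is present.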
“The malware used is very multifaceted and still not caught by most (if any) antivirus engines,” wrote Hussey in a detailed blog post published earlier this week.
Furthermore, Hussey called the network reconnaissance and lateral movement “rapid and effective,” and described the data exfiltration methodology as “stealthy and efficient.”
“Carbanak is one of the most sophisticated threat actors in the cybercrime realm today and this report details a very active campaign currently being leveraged against hospitality and restaurant industries (and probably others),” he concluded.
For more information, read Trustwave’s full report here.