The infamous Carbanak (Anunak) group is employing a new social engineering trick to fool customer support representatives into installing malware on their systems, and hence provide the crooks with a backdoor into targeted companies.
Over the past month, security firm Trustwave says that three of its customers were targeted in the same way by the Carbanak gang, which is mostly known for stealing over $1 billion from Russian banks.
This time around, the crooks targeted two companies in the hospitality field and a restaurant chain.
Trustwave says that the group has devised a clever trick to attack its targets. Crooks call customer support representatives and claim they can't access one of the company's apps, such as the reservations system.
Instead, the crooks, masquerading as a potential customer, offer to send a Word document with the reservation details to the customer support representative.
To make sure their target opens the document, the crooks stay on the phone with the victim until the malware takes root and they can see it calling back to their servers.
Trustwave says that the infected Word document contains malicious Visual Basic scripts that download malware on the victim's computer.
This malware was undetectable at the time of Trustwave's analysis, and during Trustwave's investigation the crooks released new versions in order to stay ahead of security researchers.
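The macro downloader described above has to launch something from inside Word to fetch its payload, and an Office application spawning a scripting or download utility is the behaviour a defender can hunt for. The following Python is an added example, not code from the article or from Trustwave: it parses constructed Sysmon-style process-creation records (the field names, paths and sample lines are assumptions) and flags Office parents that spawn such children.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (Event ID 1); not real telemetry.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="WINWORD.EXE /n reservation.docm" '
    'User=CORP\\frontdesk02',
    'EventID=1 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'CommandLine="powershell -w hidden -c <stager placeholder>" User=CORP\\frontdesk02',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="cmd /c dir" User=CORP\\frontdesk02',
    'EventID=1 Image="C:\\Windows\\System32\\rundll32.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'CommandLine="rundll32 C:\\Users\\Public\\stage.dll,Run" User=CORP\\frontdesk02',
]

# Office hosts that should not normally spawn interpreters or download utilities.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly used to pull and run a second stage.
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                    "bitsadmin.exe"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one space-separated key=value record into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_office_spawn(event):
    """True if an Office application created a scripting/download child process."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return event.get("EventID") == "1" and parent in OFFICE_APPS and child in SUSPECT_CHILDREN


def find_office_spawns(lines):
    """Return (parent, child, user, command line) for every matching record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_office_spawn(ev):
            hits.append((ntpath.basename(ev["ParentImage"]), ntpath.basename(ev["Image"]),
                         ev.get("User"), ev.get("CommandLine")))
    return hits


if __name__ == "__main__":
    for parent, child, user, cmd in find_office_spawns(SAMPLE_EVENTS):
        print(f"ALERT {user}: {parent} -> {child}: {cmd}")
```

A matching event on a customer-service workstation shortly after a document arrived from an unknown caller is the moment to pull the host off the network, before the second-stage tools the article goes on to describe are fetched.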
This is not surprising. The Carbanak gang is known as the most advanced cybercrime syndicate to date. Besides robbing Russian banks en masse in 2014 and 2015, the Carbanak gang is also the main suspect behind the security breach at Oracle MICROS, a point-of-sale (POS) payments processing service.
Once the Carbanak gang has a foothold inside an enterprise, through the computer of its customer support rep, the group uses the initial malware to download more potent threats.
These second-stage tools are used to take control of the victim's PC, scan the company's network, and spread to new computers, stealing the information they were after.
In these most recent infections, the group was most likely after credit card information, which they could get their hands on by infecting their targets' POS systems.
Trustwave suspects that besides its three clients, many other companies are targeted through the same social engineering tactics.