Sophisticated social engineering attacks target hotel chains
In the run-up to one of the hospitality industry's busiest periods, cyber criminals are targeting hotel chains with a series of targeted attacks.
Cyber security company Trustwave has investigated the attacks, which combine social engineering with sophisticated malware, against a number of its clients in the past month.
Believed to originate from the prolific Carbanak crime group, the attacks start with a phone call to customer services staff claiming to be having trouble making an online booking and asking permission to email a document containing travel details.
The attackers are careful to research their targets beforehand so that they can drop the names of people working in the hotel to give the call added authenticity. The Word document that is then sent as a result of the call is, of course, infected with a VBS script. When run, it connects to a remote server and downloads a second tool disguised as an Adobe file. It then installs a persistence mechanism, performs reconnaissance to map the network and may download further tools.
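The chain described above (a Word document that launches a script, which then calls out to a remote server and drops a second executable posing as an Adobe file) is visible in ordinary endpoint telemetry. The following detection sketch is an added example written for this article, not code from Trustwave or from the investigation it describes. The event shape, process IDs, file names and the `203.0.113.10` address are all constructed for illustration; they are not indicators from the real attacks.

```python
"""Flag a script host spawned by an Office application and enrich the
alert with any outbound connections and file drops made by that process.
All sample telemetry here is constructed for this example."""
from collections import defaultdict

# Simplified Sysmon-like events: (event_type, pid, parent_pid, image, detail)
#   event_type 1 = process create (detail = command-line argument)
#   event_type 3 = network connection (detail = remote address)
#   event_type 11 = file create (detail = path written)
SAMPLE_EVENTS = [
    (1, 100, 1,    r"C:\Program Files\Microsoft Office\WINWORD.EXE", "travel_details.doc"),
    (1, 101, 100,  r"C:\Windows\System32\wscript.exe", "travel_details.vbs"),
    (3, 101, None, r"C:\Windows\System32\wscript.exe", "203.0.113.10:443"),  # constructed address
    (11, 101, None, r"C:\Windows\System32\wscript.exe",
     r"C:\Users\frontdesk\AppData\Local\Temp\AdobeUpdate.exe"),
    # Benign activity for contrast: Word opening a PDF viewer.
    (1, 200, 1,    r"C:\Program Files\Microsoft Office\WINWORD.EXE", "quarterly_rates.docx"),
    (1, 201, 200,  r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "rates.pdf"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _looks_like_vendor_masquerade(path):
    """A dropped binary with a vendor name (here 'adobe') written outside the
    usual install locations is the 'disguised as an Adobe file' step."""
    low = path.lower()
    return "adobe" in _basename(low) and not low.startswith(TRUSTED_ROOTS)


def detect_office_script_chain(events):
    """Return one alert per script host whose parent is an Office app.
    Severity rises as the process also connects out and drops files."""
    procs = {}                      # pid -> (image, parent_pid, cmdline)
    connections = defaultdict(list)
    drops = defaultdict(list)
    for etype, pid, ppid, image, detail in events:
        if etype == 1:
            procs[pid] = (image, ppid, detail)
        elif etype == 3:
            connections[pid].append(detail)
        elif etype == 11:
            drops[pid].append(detail)

    alerts = []
    for pid, (image, ppid, cmdline) in procs.items():
        if _basename(image) not in SCRIPT_HOSTS:
            continue
        parent = procs.get(ppid)
        if parent is None or _basename(parent[0]) not in OFFICE_APPS:
            continue
        severity = "medium"                 # Office -> script host alone
        if connections[pid]:
            severity = "high"               # ... that also called out
        if drops[pid]:
            severity = "critical"           # ... and wrote a second payload
        alerts.append({
            "pid": pid,
            "parent": _basename(parent[0]),
            "child": _basename(image),
            "cmdline": cmdline,
            "connections": connections[pid],
            "drops": drops[pid],
            "masqueraded_drops": [p for p in drops[pid] if _looks_like_vendor_masquerade(p)],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_script_chain(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["connections"], alert["drops"])
```

The benign Word-to-Acrobat pair in the sample produces no alert, while the Word-to-wscript chain is raised to "critical" because the script both connected out and wrote an executable named after a vendor into a temp directory. In a real deployment the event source would be Sysmon or an EDR feed rather than a hard-coded list, and the severity ladder is a starting point, not a tuned rule.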
"We've seen five active cases with a very similar attack methodology," says Brian Hussey, global director of incident response and computer forensics at Trustwave. "They've all started with a call to the reservations line. This is very sophisticated malware and antivirus programs are still not finding it. The malware isn't just scraping credit card numbers, it can turn off antivirus tools, escalate its privileges, and it's also very stealthy in its traffic as stolen data is encrypted before being sent to command servers."
Carbanak is famous for stealing close to $1 billion from banks in Eastern Europe and Asia. This attack is focusing on point-of-sale and eCommerce servers and is spreading rapidly in the Far East and Europe. Hussey adds, "We know they're targeting credit card data but it's also likely that they're setting back doors in networks to allow them to get back in easily and steal any information, such as email addresses, that they can sell on."
You can find more technical details of the attack on the Trustwave blog.
Photo credit: Franck Boston/Shutterstock