Hospitality workers are being advised to remain vigilant with a crafty new form of cyber attack affecting businesses worldwide.
Unlike common malware and phishing attacks, this particular attack involves what cyber security experts call “social engineering”. This is where criminals use publicly available details of individuals and businesses to impose a sense of legitimacy in their attacks.
Security firm Trustwave, which was alerted to the scam by two separate hospitality businesses and one restaurant, uncovered the attack.
Read more: What you need to know about Australia’s three most common cyber threats
Cyber criminals posing as customers have been calling customer contact lines stating that they have been unable to use online reservation booking systems. They then asked to send the booking details to the business via email.
In cases so far, the attackers stayed on the line while the workers opened up the email, which had a malicious Word document file attached. Once the worker opened the file and the hack was confirmed, the criminal hung up the line.
The attack is rumoured to be undertaken by suspected Russian and Ukraine cyber criminal gang Carbanak, who allegedly stole $1 billion from banks between 2013-2015.
The Word document contained an encoded Visual Basic script that was ran through the programs “macro” capability, which allows automation of Word functionalities.
Once it had been run, the script grabbed system information, desktop screenshots, and had the capability to download additional malware. It is believed that the intention of the hack was to steal customer’s credit card details and other credentials.
Global director of incident response at Trustwave Brian Hussey told IDG that the criminals were using details found from LinkedIn to increase the perceived legitimacy of the call.
“During the call, they’ll do some name-dropping to establish credibility. They’ll stay on the line with the customer service rep until they open up the attachment,” Hussey told IDG.
“They have excellent English.”
Hussey also reports that the majority of antivirus software is failing to detect the malware contained in the attacks.
The dangers of email attachments
Cyber security expert at Sense of Security Michael McKinnon tells SmartCompany that using LinkedIn was a “classic” social engineering tool allowing criminals to find out the amount of employees and the names of main executives.
McKinnon warns that these attacks come back to the dangers of email attachments, and calls for more common sense when it comes to requests like these.
“In this instance, why did there need to be an attachment in the first place? Booking details could be sent via text message or over plaintext in an email,” McKinnon says.
“There has to be some common sense that prevails somewhere along the line.”
“It all comes back to the dangers of email attachments which we should all be aware of, regardless of the circumstances.
However, these criminals are subverting common advice about opening unexpected attachments by creating an expectation that an attachment will be sent, says McKinnon.
In these situations, McKinnon believes that the common adage of “the customer is always right” must go out the window.
“Often in a retail and hospitality setting, believing that the customer is always being right creates some conditions where businesses can become vulnerable,” he says.
“Businesses often have a bias towards customers, but they need to eliminate that bias when security is at risk.”
When dealing with malicious Word documents, McKinnon says there is an easy way to avoid malware and viruses.
“To be infected through a Word document, it needs to have macros enabled, which means the worker will have to click on an alert that confirms the enabling of macros in this document,” he says.
“If you don’t enable them, no scripts can run.”
Trustwave has revealed the details of the malicious files on its website, but also notes that Carbanak is rapidly updating the malware.
“Just during the time that it took to write this blog, Carbanak returned to their victims with significantly upgraded malware. This demonstrates the speed and versatility of this threat group,” the post reads.