To understand why Carbanak is one of the Internet’s most skilled and successful criminal groups, consider the recent spear-phishing campaign it used to infect computers in the hospitality and restaurant industries with malware that steals banking credentials.
One variation started with an e-mail threatening a lawsuit because a visitor got sick after eating at one of the company’s restaurants. To increase the chances that the attached Microsoft Word document is opened, the attackers personally follow up with a phone call encouraging the recipient to open the booby-trapped file and click inside. The attacker calls back a half-hour later to check whether the recipient has opened the document, and immediately hangs up if the answer is yes.
Behind the scenes, macros embedded inside the Word document infect the employee’s computer with a trojan that surreptitiously takes screenshots and retrieves credit card data and other sensitive banking credentials. The trojan then tries to infect other computers on the same network to steal additional loot. And all because the attacker, who is halfway around the globe, made a compelling case that it was in the employee’s best interests to open the document and allow the embedded macro to run.