Trustwave Global Director of Incident Response & Readiness Brian Hussey said the professionalism of the attack vector and the versatility of the malware are unusual among POS attacks.
Trustwave Global Director of Incident Response & Readiness Brian Hussey said the professionalism of the attack vector and the versatility of the malware are unusual among POS attacks.

Trustwave researchers spotted the Carbanak cybergang using a new socially engineered trick to spread point-of-sale (POS) malware to businesses in the hospitality industry.

At least three firms have been targeted in a scam in which an attacker calls the firm's customer service contact line claiming that they were unable to confirm a reservation while requesting to send their information, which is actually a malicious document, via email, Trustwave Global Director of Incident Response & Readiness Brian Hussey wrote in a Nov. 14 blog post.

He told SC Media that the professionalism of the attack vector and the versatility of the malware are unusual among POS attacks.

“The attackers called reservation lines directly, they had excellent English and well-developed back stories,” Hussey said. “They would spend significant time coercing the call center personnel into opening the attached malicious word document, which lead to the subsequent network infection.”

He went on to say that the POS malware is generally pretty simple and although it may use evasion techniques or basic encryption it usually targets card data and that's it.

The malware is unique because it is able to hide itself via process injection into svchost, kills  antivirus, escalates privileges, interrogates email, enables remote desktop, opens VNC or AMMYY sessions, targets IFOBS banking systems, provides full service backdoor functionality, and finally, steals credit card data from memory, Hussey said.

The malware is sent in a in a Microsoft Word document that contains an encoded .VBS script. It is capable of stealing system information, desktop screenshots, and of download additional malware and will use macros to search for instances of Microsoft Word running on the system.

Hussey said the malware is also capable of downloading of downloading additional tools for reconnaissance and to map out the victims' networks.

Despite the malware's abilities, he said that humans are often the weakest link when it comes to security.

“The attackers are still reliant on social engineering to get their initial foothold, humans so often are the weakest link in the security chain, so user education is key,” he said. “Disabling macros for the Word Doc attack vector would also be a big benefit.”

It's unclear how many victims have been targeted however, Hussey said the campaign is extremely widespread and highly successful.