To understand why Carbanak is one of the Internet’s most skilled and successful criminal groups, consider the recent spear-phishing campaign it used to infect computers in the hospitality and restaurant industries with malware that steals banking credentials.
One variation starts with an e-mail threatening a lawsuit because a visitor supposedly got sick after eating at one of the company's restaurants. To increase the chances that the attached Microsoft Word document is opened, the attackers follow up personally with a phone call encouraging the recipient to open the booby-trapped file and click inside it. The attacker calls back a half-hour later to check whether the recipient has opened the document, and hangs up immediately if the answer is yes.
Behind the scenes, once the recipient allows them to run, macros embedded inside the Word document infect the employee's computer with a trojan that surreptitiously takes screenshots and retrieves credit card data and other sensitive banking credentials. The trojan then attempts to infect other computers on the same network to steal additional loot. All of this happens because an attacker halfway around the globe made a compelling case that it was in the employee's best interests to open the document and allow the embedded macro to run.
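The weak point in the chain above is that the document has to carry a VBA project at all, and that is something a mail gateway can check before the recipient ever sees the attachment. The script below is an added example, not code from the article or from Trustwave: it inspects an Office file for the parts and stream names that hold VBA macros, covering both the zip-based OOXML formats (.docm) and the legacy OLE format (.doc). The sample files and their names are constructed in memory for the demonstration and contain no real macros; the legacy-format check is a string heuristic rather than a full OLE directory parse.

```python
"""Triage check for Office attachments that carry a VBA macro project.

Added example, not code from the article or from Trustwave. It does what a
mail gateway or triage script would do before a Word attachment reaches a
user: decide whether the file carries a VBA project at all. The sample
documents below are constructed in memory and contain no real macros.
"""
import io
import zipfile

# OOXML documents (.docx/.docm/.xlsm/.pptm) are zip packages; a VBA project
# is stored as one of these parts.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# The package manifest declares the VBA part and a macro-enabled main part.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MAIN = b"macroEnabled.main+xml"
# Legacy binary Office files (.doc/.xls) are OLE compound files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Directory-entry names found in OLE files that embed VBA (stored as UTF-16LE).
OLE_VBA_MARKERS = ("_VBA_PROJECT", "Macros")


def find_macro_indicators(data: bytes) -> list[str]:
    """Return indicators that the document carries VBA macros.

    An empty list means no VBA project was found. It does not mean the file
    is safe: an exploit for a parser bug (such as the Word zero-day the
    article mentions) needs no macros at all.
    """
    indicators: list[str] = []
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                for part in OOXML_VBA_PARTS:
                    if part in names:
                        indicators.append(f"zip part {part}")
                if "[Content_Types].xml" in names:
                    manifest = zf.read("[Content_Types].xml")
                    if VBA_CONTENT_TYPE in manifest:
                        indicators.append("vbaProject content type declared")
                    if MACRO_ENABLED_MAIN in manifest:
                        indicators.append("macro-enabled main part declared")
        except zipfile.BadZipFile:
            # A zip signature on an unreadable archive is itself worth flagging.
            indicators.append("zip signature but archive unreadable")
    elif data.startswith(OLE_MAGIC):
        # Heuristic: scan for VBA directory-entry names. A production gateway
        # should walk the OLE directory properly (oletools' olevba does); the
        # string scan catches the common case without a dependency.
        for marker in OLE_VBA_MARKERS:
            if marker.encode("utf-16-le") in data:
                indicators.append(f"OLE stream name {marker}")
    return indicators


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML Word package in memory (constructed sample)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macros:
        manifest += ('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    manifest += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes stand in for a compiled VBA project; the check
            # only looks for the part's presence, not its contents.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" placeholder")
    return buf.getvalue()


def build_sample_doc(with_macros: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: OLE magic plus directory names."""
    body = b"\x00" * 64 + "WordDocument".encode("utf-16-le") + b"\x00" * 32
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 32
        body += "_VBA_PROJECT".encode("utf-16-le")
    return OLE_MAGIC + body


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each attachment name to the macro indicators found in it."""
    return {name: find_macro_indicators(data) for name, data in attachments.items()}


# Constructed inbox: hypothetical file names, synthetic contents.
SAMPLES = {
    "lawsuit_notice.docm": build_sample_docx(with_macros=True),
    "menu.docx": build_sample_docx(with_macros=False),
    "complaint.doc": build_sample_doc(with_macros=True),
    "invoice.doc": build_sample_doc(with_macros=False),
}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        verdict = "QUARANTINE" if hits else "pass"
        print(f"{name:22} {verdict:10} {'; '.join(hits)}")
```

In the constructed inbox only the two macro-bearing files are flagged. The check is deliberately narrow: it answers "does this file carry VBA?", which is the question that matters for the campaign described here, and says nothing about documents that attack the parser itself.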
Over the past few years, booby-trapped Word documents have become one of the most common ways of spreading malware. They were used not just once, but twice to infect Ukraine's power grid with malware that caused power outages. Malicious Word macros spread espionage malware that siphoned 600 gigabytes of data from 70 targets.
A variation on that theme involved a Word zero-day used last month. It pushed both the Dridex banking malware and highly targeted espionage campaigns. Unlike a macro, an exploit of that kind needs no macro to be enabled, so turning off macros alone does not stop it.
Many readers of these reports are quick to criticize the people who open these malicious files. What the critics often don’t understand is how convincing many of the messages are. As demonstrated by the recent Carbanak campaigns—which were documented in a blog post published last week by security firm Trustwave—the social engineering that goes into the best attacks isn’t something that will be detected by intuition or street smarts alone.
At a minimum, individuals and organizations should turn off Word macro support by default and enable it only for documents with a verified business need; on managed Windows fleets this is a Group Policy setting, and recent Office versions can additionally block macros in files that came from the Internet. An even better practice is never to open Word documents from outside the organization directly on a computer. Instead, open them in Google Docs or a similar cloud service, which renders the document without running its macros. For organizations that can afford it, formal security-awareness training is also worthwhile. Trustwave has additional tips in the blog post linked above.