Cybercriminals Calling Customer Service Reps to Convince them to Open Infected Email Attachments

Training employees not to open file attachments sent from unknown email accounts can help to prevent malware and ransomware infections. However, a well-known cybercriminal gang is increasing the number of infections by calling hotel and restaurant employees and asking them to open emails with infected attachments.

Trustwave has recently issued a warning to hotel and restaurant chains advising them to be wary of the scam. The gang behind the campaign is calling customer service representatives and pretending to be clients who are having difficulty making reservations using the online booking function on the company’s website.

The attackers tell the representative that they have sent the details needed for the reservation in a Word document attached to an email. The scammer remains on the line until the target opens the email attachment and infects their machine. The email contains a malicious Word document that, if opened, will download malware that can record credit card numbers from point-of-sale machines. The malware downloaded to the machines is an information stealer that can record email addresses and passwords and is also capable of taking screenshots and scanning the network to identify other targets.

While scams such as these have been conducted in the past, in this case the operation appears to be slick. The callers use perfect English and the company and the individual being targeted have been extensively researched on social media sites such as LinkedIn. According to Trustwave, the scammers build trust by dropping a few names – such as department heads – that have been found online.

The attackers are believed to be part of the Carbanak gang. The gang was responsible for large-scale attacks last year, which resulted in the theft of more than $1 billion from various banks around the world.

The malware used in this campaign is sophisticated and difficult to detect. Antivirus software does not appear to detect the malware, allowing it to remain active on the infected machines for a considerable amount of time. Once installed, the malware is capable of stealing huge volumes of data, including all credit card details used to pay for goods and services via POS systems. According to Trustwave’s global director of incident response Brian Hussey, “For a large restaurant chain, that can be a million customers over a period of time.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news