The Carbanak gang is now targeting the healthcare industry

2016-11-16 22:15

The notorious Carbanak cybercrime gang is changing strategy and is now targeting the hospitality and restaurant industries.

It’s no mystery: the healthcare industry is a privileged target for cyber criminals, and medical records are a precious commodity in the criminal underground.

The healthcare industry was the number one target for cyber criminals in 2015, according to research conducted by IBM; the banking industry previously held the top position.

In 2015, more than 100 million healthcare records were compromised, according to IBM’s “2016 Cyber Security Intelligence Index.” It is based on data collected between January 1, 2015 and December 13, 2015 and from more than 8,000 client devices in over 100 countries.

The Independent reports that “five of the eight largest healthcare security breaches since the beginning of 2010, with more than one million records compromised, took place during the first six months of 2015.”

Healthcare records are a veritable jackpot for cybercriminals, providing them access to credit card data, Social Security numbers, employment information and medical history records. These can be used in the commission of fraud and identity theft.

A recent discovery confirms the high interest of the largest criminal organizations in the healthcare industry.

The notorious Carbanak cybercrime gang, which allegedly stole $1 billion from financial institutions worldwide, is now changing both strategy and targets: it is going after the hospitality and restaurant industries.

“In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers. The modus operandi for all three investigations were very similar and appear to be a new Carbanak gang attack methodology, focused on the hospitality industry.” reported Trustwave.

According to security experts at Trustwave, the Carbanak gang started adopting new techniques and malware in the last week. The hackers launched a spear-phishing campaign against people in the industry in an attempt to trick victims into opening emails carrying malicious macro-laced documents.

In the attacks observed by the security firm, the attacker called the customer contact line, claimed to be having problems using the company's online services, and asked to send their information to the agent via email. The attacker stayed on the line until the agent opened the attachment contained in the email, then hung up once the victim had opened the malicious message.

“The email attachment was a malicious Word Document that contained an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware.” reads the analysis of the Carbanak attack. “The malicious VB Script will use macros to search for instances of Microsoft Word running on the system, if found, it will clear the existing text and replace it with the following text.”


In the first stage of the attack, the hackers download malware that serves as a reconnaissance tool. It is able to download popular hacking tools, including Nmap, FreeRDP, NCat and NPing.

Later it also downloads additional payloads that allow the attackers to carry out the next stage of the attack.
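From a defender's side, the chain described above (Word document, script, then reconnaissance tools on the same machine) can be hunted in process-creation logs. The following is an added example, not code from Trustwave or the original post; the event fields, host names, the assumption that the script runs under wscript.exe or cscript.exe, and the tool file names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the Trustwave report).
# Fields: time, host, parent image, image.
EVENTS = [
    ("2016-11-01T10:02:11", "FRONTDESK-03", "explorer.exe", "WINWORD.EXE"),
    ("2016-11-01T10:02:40", "FRONTDESK-03", "WINWORD.EXE", "wscript.exe"),
    ("2016-11-01T10:19:05", "FRONTDESK-03", "wscript.exe", "nmap.exe"),
    ("2016-11-01T10:25:30", "FRONTDESK-03", "cmd.exe", "wfreerdp.exe"),
    ("2016-11-01T11:00:00", "ITADMIN-01", "cmd.exe", "nmap.exe"),
    ("2016-11-01T12:30:00", "KITCHEN-02", "WINWORD.EXE", "splwow64.exe"),
]

OFFICE = {"winword.exe"}
# Assumption: the embedded VBS is run by a Windows script host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed on-disk names for the tools the article lists; renamed copies evade this.
RECON_TOOLS = {"nmap.exe", "ncat.exe", "nping.exe", "wfreerdp.exe"}
WINDOW = timedelta(hours=24)


def find_macro_to_recon(events, window=WINDOW):
    """Return {host: [recon tools]} for hosts where Word spawned a script host
    and a recon tool then ran on the same host within `window`."""
    macro_seen = {}  # host -> time Word first launched a script host
    findings = {}
    for ts, host, parent, image in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        parent, image = parent.lower(), image.lower()
        if parent in OFFICE and image in SCRIPT_HOSTS:
            macro_seen.setdefault(host, when)
        elif image in RECON_TOOLS and host in macro_seen:
            if when - macro_seen[host] <= window:
                findings.setdefault(host, []).append(image)
    return findings


if __name__ == "__main__":
    for host, tools in find_macro_to_recon(EVENTS).items():
        print(f"{host}: Word launched a script host, then ran {', '.join(tools)}")
```

The admin workstation running Nmap on its own is not flagged; only the front-desk host, where the tools follow a Word-spawned script, is reported.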

The final goal is to steal sensitive information and credit card data scraped from the memory of infected machines, including point-of-sale systems, using a recompiled version of the Carbanak malware that is hard to detect.

“This malware may steal credit card data, as well as screen captures, keylogger information, email addresses from the PST file, enable RDP or VNC sessions, or to obtain additional system information.”

This malware establishes a backdoor on the victim’s machine in order to gain full control over it. It communicates via an encrypted tunnel on port 443 with the following IP addresses:


All exfiltrated information is protected with base64 encoding plus RC2 encryption and sent via HTTP POST messages.

The new campaign started about six weeks ago. Trustwave also published a list of fresh IoCs (indicators of compromise) that could help administrators and security experts detect the threat.

“the persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave. The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.” reads the conclusion of the Trustwave report.

The fact that a criminal gang like Carbanak is changing tactics and targeting the healthcare industry is a clear indicator of how profitable the industry is for crooks.

According to an article on fastcompany.com, complete medical records are selling for US$60 apiece on the dark web, compared with stolen credit cards selling for about US$3 apiece at the high end.

According to the Brookings Institute, since 2009 the medical information of more than 155 million people has been potentially exposed through nearly 1,500 breach incidents.

Edited by Pierluigi Paganini

(Security Affairs – Healthcare Industry, cybersecurity)

The post The Carbanak gang is now targeting the healthcare industry appeared first on Security Affairs.

Source: securityaffairs.co/wordpress/53486/breaking-news/carbanak.html
