The malware deliberately targets ‘happy to help' customer services people who may be more susceptible to its phishing emails. Carbon Grabber was first spotted by Symantec earlier this month.
In a recent blog post, the company's threat intelligence officer Lionel Payet said 7 percent of the victims have been from the UK, 38 percent from Germany, 31 percent from Holland and around a quarter are from Italy.
Nearly half these victims are automobile companies, with 13 percent in public services, while others come from the charity, finance, energy, research, telecoms and tourism sectors. The Carbon Grabber criminals send a phishing email to the customer service departments of these companies, claiming to be from a fake German company called Technik Automobile GMBH, offering to buy any used cars, and attaching a list of urgently required vehicles which when opened drops the Carbon Grabber malware (also known as Infostealer.Retgate) .
Payet noted: “Customer service departments are often granted a great deal of access within a company as they are required to perform a multitude of administrative and financial tasks on a daily basis.”
Analysing the threat, Mark Osborn, senior consultant at UK-based MWR InfoSecurity, also said that targeting customer services people is a clever move.
“Carbon Grabber performs a classic man-in-the-browser (MitB) attack,” he told SCMagazineUK.com by email. “It seems that the criminals are having particular success with this malware as a result of their social engineering approach, which wins on two fronts: firstly they are targeting companies with extensive supply chains and large numbers of suppliers. And second, they target an extremely vulnerable population - the customer service department – a team of ‘happy to help' people who are quite likely to open an attachment if it appears to be relevant to their organisation.”
Payet said the Carbon Grabber crimeware kit first appeared on underground forums in May and is actively being used in the wild by more than one group.
It injects code into Microsoft Outlook, Internet Explorer, Google Chrome and Mozilla Firefox processes on the infected computer, then steals the user's Outlook name and password, and information relating to online processes such as online banking or internal web applications.
Asked about the British victims, Payet told us: “In general the affected UK customers are related to the automotive sector, including online service providers for the second-hand market, utility vehicles sellers amongst others.”
He added: “Carbon Grabber has a number of features which facilitate the theft of user name and password from online forms, which is known as ‘form grabbing'. This is where the ‘grabber' part of the name comes from.”
Analysing its methods, Lancope CTO TK Keanini highlighted the fact that Carbon Grabber is aimed at supply chain companies: “It does appear that more complicated supply chains are being compromised more these days,” he told SC via email. “It could be that the complexity of securing that supply chain makes it easier for the attackers to find an access vector and from there grow their operations. Once in, they no longer set off security alarms and they can go about their business.”
In his blog, Payet said: “It is yet to be confirmed if the criminals behind the Technik Automobile spam campaign are purely financially motivated. One thing we know for sure is that if the attack is successful, the cyber criminals will have a foothold in the victim's business.
“They would have the capability to send emails from the compromised Outlook account and to monitor for credentials entered into browsers.”
He said Symantec is continuing to monitor the crimeware as further activity may follow.
MWR's Osborn confirmed: “Standard defensive advice applies here: maintain up-to-date software, restrict user privileges wherever possible and educate users about the risks of attachments to unsolicited emails.”