Three Ukrainian nationals have been arrested in connection with a lengthy hacking campaign that targeted more than 100 American businesses, including the theft of credit card information from Chili’s, Arby’s, and Chipotle. According to the indictment, the group stole more than 15 million credit card records from more than 6,500 point-of-sale terminals over the course of the campaign.
Known to security researchers as the Carbanak group, the attackers used social engineering and phishing attacks to infiltrate businesses and steal financial data. The initial infection typically came from malware included as an email attachment, sometimes presented as a lost hotel reservation or an SEC complaint.
In one incident, the group masqueraded as the FDA’s Center for Food Safety and Applied Nutrition, informing the business of a food poisoning incident. (Chipotle has struggled with food safety issues, although it’s unclear if they were the target of the spoofed FDA email.) “You can find attached the list of inspections and checks scheduled to take place at your restaurant,” the email read. In fact, the attachment contained malware.