Security researchers have spotted a new social engineering campaign targeting the online gambling industry, and aimed at inserting backdoors into support systems.
Ice Breaker (the name was chosen because of an upcoming industry expo, ICE London) appears to be a non-English-speaking group, and it turns that to its advantage, even though doing so partly gives away its own identity.
According to Israeli security company Security Joes, the operators have been taking advantage of the personal nature of support calls to deploy their payloads. Ice Breaker actors contact the online support chat of a company, claiming to have an issue registering with its services, such as an online casino.
Typical interactions involve the actors asking to speak with a non-English speaker, even though they themselves chat in broken English.
“Based on the evidence collected by our team, it seems that all of the individuals carrying out the attacks are not English speakers, who intentionally choose to speak with non-native English customer service representatives, probably to reduce their chances of being detected as scams,” Security Joes researchers reported in a blog post.
Once asked what the problem is, the attackers offer to share an image of the issues they are having, but instead of pasting an image directly into the support chat, they share a link. This leads to either a fake screenshot hosting site or to Dropbox.
When the support operator clicks on the link, the next phase of the attack begins. The first payload runs and contacts a distribution site, which in turn deploys the next, more malicious backdoor. Once that is up and running, the Ice Breaker operators have a backdoor between their command-and-control infrastructure and the company’s support machines.
Victims are infected with one of two final payloads, depending on whether they follow the apparent screenshot hosting site or the Dropbox link: either the well-known VBS-based Houdini remote access Trojan, delivered via an LNK loader, or a previously unseen MSI package that Security Joes is calling the Ice Breaker backdoor.
“The threat actor is distributing two different types of payloads to the victim during the conversation. According to the data we have, the LNK file is the primary payload, and it is the first one presented to the customer service agent,” Security Joes researchers said.
“The VBS file, on the other hand, is only shared as a backup option in case the agent is unable to open the first file.”
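A defender-side correlation rule for the delivery chain described above (an external link pasted into a support chat, followed shortly by an LNK, VBS or MSI file appearing or running on the agent's workstation), as an added Python example that is not from the article or from Security Joes; the log format, hostnames, domains and the 30-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): a support-chat audit log
# merged with endpoint events from the agents' workstations, in time order.
# Layout: timestamp source host key=value
SAMPLE_EVENTS = r"""
2023-02-01T10:02:11Z chat SUP-PC-07 link=https://www.dropbox.com/s/placeholder/issue.zip
2023-02-01T10:04:50Z file SUP-PC-07 created=C:\Users\agent\Downloads\issue.lnk
2023-02-01T10:05:02Z proc SUP-PC-07 cmd=wscript.exe C:\Users\agent\AppData\Local\Temp\update.vbs
2023-02-01T11:30:00Z chat SUP-PC-03 link=https://support.example-casino.test/kb/reset-password
2023-02-01T11:31:10Z file SUP-PC-03 created=C:\Users\agent\Downloads\kb.pdf
2023-02-01T14:00:00Z file SUP-PC-09 created=C:\Users\agent\Downloads\invoice.msi
""".strip().splitlines()

SUSPECT_EXT = (".lnk", ".vbs", ".msi")          # payload types named in the report
ALLOWED_DOMAINS = {"support.example-casino.test"}  # assumption: the company's own hosts
WINDOW = timedelta(minutes=30)                    # assumption: how soon the drop follows the link

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\S+)\s+(\w+)=(.+)$")

def parse(line):
    """Split one log line into (timestamp, source, host, key, value); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, key, val = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, key, val

def external_link(url):
    """True when the link's host is not one of the company's own allowed domains."""
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return host not in ALLOWED_DOMAINS

def correlate(lines, window=WINDOW):
    """Return (host, link, artifact) triples: an external link in a support chat
    followed within `window` by an LNK/VBS/MSI created or launched on that host."""
    events = [e for e in map(parse, lines) if e]
    links = [(ts, host, val) for ts, src, host, _, val in events
             if src == "chat" and external_link(val)]
    alerts = []
    for ts, src, host, _, val in events:
        if src not in ("file", "proc") or not val.lower().endswith(SUSPECT_EXT):
            continue
        for lts, lhost, url in links:
            if lhost == host and timedelta(0) <= ts - lts <= window:
                alerts.append((host, url, val))
                break
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

The lone `invoice.msi` on SUP-PC-09 is not flagged because no chat link preceded it on that host; a real deployment would pair this rule with the endpoint's own file-type and download-source checks.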
Once fully infected, the backdoors allow data to be exfiltrated, processes to be monitored, scripts to be run remotely, passwords to be retrieved, and much more.
“Social engineering, prior to sending malicious links to hide executables, is a clever tactic, as this threat actor was well aware of the fact that the customer service is human operated,” Security Joes said.
The fact that many companies in the gambling industry utilise third-party support services makes this attack method even more effective and highlights the need for any company’s support teams to be properly trained and experienced in handling such attacks.
The real identity and location of Ice Breaker remain unknown, but Security Joes’ investigations are ongoing.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.