This is a fascinating look at a pretty complex and coordinated hacking group, Fin7. They used a lot of the same tools that companies use for project management and remote collaboration, and they specifically targeted the types of employees who would be likely to expect emails from strangers, like this one:
“On or around March 27 of last year, an employee at a Red Robin Gourmet Burgers and Brews received an email from firstname.lastname@example.org. The note complained about a recent experience; it urged the recipient to open the attachment for further details. They did. Within days, Fin7 had mapped Red Robin’s internal network. Within a week, it had obtained a username and password for the restaurant’s point-of-sale software management tool. And inside of two weeks, a Fin7 member allegedly uploaded a file containing hundreds of usernames and passwords for 798 Red Robin locations, along with “network information, telephone communications, and locations of alarm panels within restaurants,” according to the DoJ.”
This is a tough situation. There are more stories in the article below about them attacking restaurants, hotels, caterers, etc. All appearing to be either complaints, or orders. Yes, we can tell people to never open attachments or trust emails from people they don’t know, but people who work with taking orders and fielding complaints in these types of businesses are constantly being contacted by people they don’t know. I suspect many of them have been told by their IT Security people not to open unexpected attachments, but I also suspect many of them would be in a lot more trouble for ignoring a customer complaint or missing out on an order because they ignored an email.
This puts them in a very tenuous situation. One that points out how limited end-user education is as a security plan. You need better tools in place than just that.