Cyber attackers have found an inventive new way to rip off retailers and others, a digital security firm says.

An investigation by researchers at security vendor CyberInt Technologies Ltd. say they have connected a single group of hackers—known as TA505—to a range of attacks against retailers and financial institutions around the world. The hackers conduct their attacks by using legitimate remote-access software and innocent-looking files attached to “spear-phishing” emails.

Unlike ordinary phishing—which refers to any attempt to trick victims into sharing sensitive information with online attackers—spear-phishing attackers modify their emails to address specific targets. To do that, the attackers can gather as much information as possible about their victims to make the emails appear to come from familiar, reputable sources. A malicious email attachment might, for example, look like a legitimate invoice from a company with which the target is already familiar.

Hacking tactics of TA505

In its recent attacks, the group has used the same tactics, techniques and procedures, including the nefarious use of an off-the-shelf commercial remote administration tool called Remote Manipulator System (RMS), to gain access to targeted computers. Because it is legitimate software, RMS—developed by Russian-based company TektonIT—it is virtually undetectable by traditional threat-protection systems, according to the report.

“The bad guys are evolving to keep on top of their game,” says Jason Hill, lead cybersecurity researcher at CyberInt, which released a report about the attacks. While the attackers use the “tried-and-true” method of spreading malware via email attachments, the attacks are harder to detect than ever before, he says.

Because CyberInt’s researchers do not penetrate the networks of the attacked companies, it is hard to determine if any of the attacks were successful, Hill says. The firm was able to only to identify the targets and in which countries the attacks occurred. “Our observations included targeted victims in Chile, India, Italy, Malawi, Pakistan and South Korea and potential victims in China, Great Britain, France and the United States,” Hill says. Other groups, in addition to TA505, could be using the same techniques, he says.

Inside the United States, the attackers have focused on the retail and hospitality sectors, with an emphasis on large targets, such as popular retail chains, Hill says. In other counties, the hackers have targeted the financial industry.

“Based on our observations, large retail chains were being targeted including a popular U.S.-based department store chain as well as U.S.-based restaurants and grocery store chains,” Hill says. The hacking group targets chains rather than smaller retailers, which indicates they are seeking substantial financial gains, he says. CyberInt declined to name any affected retailers.

The members of TA505 are thought to be native Russian speakers, based on CyberInt’s analysis of their code.

Here is how the scheme works: The hacking group targets employees with emails that appear to originate from third-parties that would be familiar to the employee. To get the employee’s attention, TA505 makes its emails seem essential and time-sensitive.

“These lures include text that stresses a level of urgency and encourages the recipient to open the Microsoft Excel or Word attachment that subsequently deploys the malicious payload to install the remote-access trojan,” Hill says. Once that is done, it gains access to the victim’s computer, which can then be used for nefarious purposes remotely to interact with applications, perform reconnaissance or steal data.

“Details of the actual impact would only be known to those targeted although, as of yet, no details have been disclosed by the victims identified,” Hill says.

TA505 has been active since 2014 when it began high-volume malicious email campaigns, including the distribution of trojans—a type of malware hackers often disguise as legitimate software—aimed at the banking sector and other kinds of malware. TA505 also has used “exploit kits”—which use compromised websites to divert web traffic, scan for vulnerable browser-based applications and run malware—and ransomware. Ransomware is designed to deny access to a computer system or set of data until the victim pays a ransom.

How to guard against security threats

Avoiding the threats from groups like TA505 requires a combination of security software and communication inside a company, Hill says.

“In addition to maintaining adequate email security controls to reduce malicious content from being delivered to mailboxes, retailers should ensure that their employees receive regular security-awareness training, and consideration should be given to attack simulations to test their preparedness,” Hill says.

Also, employees should always heed the warnings given by their applications and should never allow attackers to lure them into disabling security controls or enabling unsafe features (such as “macros”), Hill says.

Companies should empower employees to question the authenticity of emails before acting on them. For example, workers should feel free to call a business associate to confirm an email’s content before making a payment or opening a suspicious attachment. This kind of empowerment is important, Hill says, because nefarious emails are not always easy to spot.

“While many email threats may have the tell-tale signs of poor grammar or are sent from random email addresses, today’s organized cybercriminals are crafting lures that appear to originate from your business partners or colleagues that will appear convincing to all but the well-trained eye,” Hill says.

Some retailers might already have malware on their systems without knowing about it, Hill says. CyberInt’s report includes “indicators of compromise” that describes ways to identify malicious software—things like configuration settings or hash codes, which are used to identify and classify data.