A New Social Engineering Cyber Attack is On the Rise: The Backdoor Merchant

Backdoor Merchant uses personal phishing tactics to deploy ransomware at the company level

In the past few weeks, we’ve seen several organizations fall victim to a new, sophisticated type of cyber attack that begins as a personal phishing attempt and grows into a full-fledged ransomware infection for a corporation. We’re calling this new type of attack, the Backdoor Merchant. 

We wanted to make you aware of the details of this attack so that you and your organization can be on the lookout for this kind of suspicious activity. Since it starts on personal accounts, it is imperative that your guard be up at all times and that cyber education is made a priority in your organization.

The following is the breakdown of steps the hackers take in the Backdoor Merchant attack to gain access to a system and in the end, encrypt the data:

    1. Using a standard Merchant ID, hackers will post a transaction charge to a personal credit card that has been stolen. The charge will sit as “pending” for the bank.
    2. Either the credit card owner notices the charge, or the bank notifies them of fraud. However, since the charge is pending, the bank may tell the cardholder that will have to contact the vendor directly to resolve the charge.
    3. The cardholder contacts the vendor and the vendor apologizes and sends an email with a link to a form to submit a claim to remove the charge. 
    4. The email link downloads a Trojan file to the cardholder’s computer. The file contains malware that establishes a command and control (C2) connection to the attacker’s server. 
    5. Once the connection is established, the attacker, posing as the vendor, confirms the mistaken charge and informs the cardholder that no further action is required.
    6. The hacker uses the C2 connection to send another payload to the victim’s computer to scrape passwords from memory and perform a network scan to see what other networked devices the computer can get access to.
      1. They will search for any valuable data and begin exfiltrating what data they can.
    7. At a later date, a third payload is then sent that starts to encrypt the data. This ransomware (a CONTI variant of ransomware) spreads to everything it can see on the network using compromised domain credentials.
      1. A ransom note file is dropped onto the infected computer.
    8. The attackers reach out soon after via phone call to one or more of the end-users of an infected machine, threatening to release large amounts of data if the ransom is not paid.


If you see unfamiliar or suspicious charges to your credit card, contact your bank directly immediately. Do not navigate to your bank through links in emails, or call phone numbers listed in emails. Navigate directly to your bank’s website and call them.

If a fraudulent charge is posted and processed on your credit card, your bank will be able to cancel it and help you take the necessary steps. If there is a pending charge that hasn’t been fully processed, the bank won’t be able to do anything. If this is the case, you do not need to take any action either! Wait until the charge is fully processed and then the bank will be able to fight on your behalf and make the necessary cancelations. Typically, if a charge sits on your card without posting for more than 5 days, it will be automatically removed.

DO NOT attempt to contact the vendor – especially if it is an unfamiliar merchant.

As with any cyber situation, it is recommended that you update your passwords (using different passwords for each account), and enable multi-factor authentication on all of your accounts.

It’s also important to examine your overall digital security for your personal accounts and for your business. We encourage all businesses to make cybersecurity a priority. Executech can help you build your security capabilities to defend your networks, systems, and people with a layered security approach in case something like this slips through the cracks.

Contact us today if you have questions, concerns, or need help with your cybersecurity.


The attack is ongoing. Updates and details will be posted as we discover more information.

To learn more about protecting you and your business from cybersecurity threats, check out our Ultimate Guide To Cybersecurity!

The Ultimate Guide To Cybersecurity

Related Insights