Spear Phishing: War Stories From the Front
Monday July 30, 2018
Electronically speaking, we live in dangerous times. It is a quickly changing arena where cyber-security systems are adopting new protective techniques just as fast as criminals are coming up with new ways around them. Not surprisingly, the human element is often the weakest link in a firm’s defenses. The entire field of phishing, and more pointedly spear phishing, counts on this.
To recap, phishing is a broad class of emails in which a cybercriminal tries to trick you into clicking on a link – a link that usually downloads malware onto your computer or attempts to capture your username/password. They are usually sent en masse, without much information about who they are being sent to. Spear phishing, on the other hand, is targeted at a specific person and crafted to appear to come from someone the recipient knows, often with personal details about both the recipient and the person the phisher is impersonating. Right alongside ransomware, phishing is a big money-making business for organized crime.
There are also many varieties of spear phishing. The simplest form may be one where someone impersonating your boss sends you a message that says something like:
Please see the attachment concerning what we recently discussed.
That’s it. Simple and to the point. The scary thing is that in tests, up to 50% of recipients would click on the link. Of course, the attachment will download malware or try to capture your password. It does require some specific knowledge about you (who you are and who your boss is), but that is often relatively easy to find.
When the potential payoff is bigger, criminals will put a lot more effort into tricking you. Below are two of the more extreme examples we have seen, but they are by no means unique. Some of the specific facts have been changed to mask any association, but the substance is the same.
War Story #1:
This company dealt in high-value transactions under extremely tight time pressure. This type of business is a key target for spear phishing because people under stress and time pressure are often operating on a more emotional plane, and brief lapses in judgement can have large consequences.
In this case, the phisher had hacked the email account of one of the intermediate agents and was able to watch the email exchanges going back and forth, so they knew the people involved and the specific dates and times things were going to happen. Sensing a score, the phisher did a number of unusual things. They registered a domain name almost indistinguishable from the company’s, with the digit 1 substituting for the letter l. They also set up email service on Microsoft 365 for this domain so it looked legitimate. Most unusual of all, they also set up a phone number in the same area code as the person they were trying to impersonate.
When transaction time came, they started sending frantic emails saying that they had just made emergency changes to their banking and that the money should be sent to their new bank account. As the hour drew close, the emails increased in frequency, asking for confirmation that the email had been received and reassurance that the money would be sent to the new account, or whether it had already been sent. The transaction agent, working under an impending deadline, called the number in the signature block of the email to confirm the instructions. The phisher answered the call and “verified” that the email instructions were correct. Thinking he had done all the checks, with time closing in and in the heat of the moment, the agent sent the money as instructed.
However, almost as soon as it was sent, the agent started questioning the transaction. Ironically, one of the odd things was the low amount requested – normally the values were much higher – and if the phisher had added a 0 to the end, it might not have aroused as much suspicion. The agent then thought back and realized he had not followed the protocol of calling the phone number in the original paperwork, and so initiated an incident response.
Luckily, the bank was able to catch the transaction mid-stream the next morning, before the phisher was able to move it offshore. Nevertheless, several people lost a lot of sleep that night.
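The lookalike domain in this story (a digit 1 standing in for the letter l) is exactly the kind of thing a tired reader misses and a machine catches. The following is an added example, not code from the original post or the company involved: it folds commonly confused glyphs, then checks whether a sender’s domain is a trusted counterparty, a near-copy of one, or simply unknown. The trusted-domain list, the confusable table and the sample messages are all constructed for the example.

```python
"""Flag sender domains that imitate a trusted counterparty domain.

Added example (not from the original post). The trusted domains, the
confusable table and the sample messages below are constructed.
"""
from typing import Iterable, List, Optional, Tuple

# Glyph swaps that read the same at a glance (not exhaustive). Multi-character
# entries are listed first so they are folded before the single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("1", "l"), ("|", "l"), ("0", "o"), ("5", "s"), ("3", "e")]


def normalize(domain: str) -> str:
    """Lower-case the domain and fold confusable glyphs to their look-alike."""
    d = domain.strip().lower().rstrip(".")
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment variant): one
    dropped, added, replaced or transposed character costs 1."""
    prev2: Optional[List[int]] = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain after the last '@'; the display name is deliberately ignored."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return ("trusted", domain), ("lookalike", imitated_domain) or ("unknown", None)."""
    domain = sender_domain(address)
    trusted_list = [t.lower() for t in trusted]
    if domain in trusted_list:
        return ("trusted", domain)
    folded = normalize(domain)
    for t in trusted_list:
        # Identical once glyphs are folded, or one edit away: both are the
        # shapes a rushed reader fails to notice.
        if folded == normalize(t) or edit_distance(folded, normalize(t)) <= 1:
            return ("lookalike", t)
    return ("unknown", None)


def flag_messages(messages, trusted) -> List[Tuple[str, str]]:
    """Return (sender, imitated_domain) pairs that should be held for review."""
    flagged = []
    for msg in messages:
        verdict, match = classify_sender(msg["from"], trusted)
        if verdict == "lookalike":
            flagged.append((msg["from"], match))
    return flagged


# Constructed sample data: two real counterparties, one message from a domain
# with a 1 in place of an l, and one with a truncated top-level domain.
TRUSTED_DOMAINS = ["examplecorp.com", "example-escrow.com"]
SAMPLE_MESSAGES = [
    {"from": "agent@examplecorp.com", "subject": "Closing docs"},
    {"from": "agent@examp1ecorp.com", "subject": "URGENT: new wiring instructions"},
    {"from": "escrow@example-escrow.co", "subject": "Confirmation"},
    {"from": "news@unrelated.example", "subject": "Newsletter"},
]

if __name__ == "__main__":
    for sender, imitated in flag_messages(SAMPLE_MESSAGES, TRUSTED_DOMAINS):
        print(f"HOLD FOR REVIEW: {sender} looks like {imitated}")
```

A check like this belongs in the mail gateway or as a banner rule, not in the recipient’s head; the unknown verdict is left alone so that ordinary outside mail is not blocked, while near-copies of the firms you actually wire money to get held.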
War Story #2:
This company had a CEO who was frequently globetrotting to make deals. She received an email stating that to view a document she needed to open the attachment. Expecting a document from an outside party, she went ahead and clicked on the link, which then prompted her to enter her email password “to get full access to the document”. She did so and was then presented with a document. Although it was not the document she was expecting, the flow seemed right to her, so she did not report it as an incident.
However, in reality, she had just given her email password to a cybercriminal.
Rather than making immediate use of the account, the cybercriminal started monitoring the email flows to understand the people and roles the CEO emailed. After a while, the cybercriminal set up rules in the CEO’s mailbox so that email between her and the CFO went to a temporary folder. The cybercriminal could then forward on whatever communications he wanted them to see and delete what he didn’t.
Waiting for an opportunity, the cybercriminal saw one when the CEO was leaving a financing meeting in London. As the CEO departed for another destination, the cybercriminal – using the CEO’s email account – sent a very casual email to the CFO asking what was needed to send a wire to London. Over the next couple of days, some seemingly innocent emails went back and forth between them. Of course, since the cybercriminal was intercepting the emails, the CEO never saw any of the CFO’s responses and was unaware of the entire chain. The cybercriminal then went into phishing mode and, just as casually as before, sent a request to wire funds to a London bank account, with all the wire instructions.
Luckily, the CFO followed his protocol of always calling to confirm any email instruction to transfer material funds. Of course, the CEO knew nothing about the request, so the money was never transferred. The discovery also initiated a security incident, so the intrusion was found and terminated. But the cybercriminal had put time and effort into “befriending” the CFO and building up a rapport on the subject, and had there not been a protocol to verify email requests, this could have been a significant loss for the company.
We all need to be vigilant in looking for, and being on the alert for, phishing attacks that play on our emotions or familiarities. Take heightened caution never to enter a password from an email link or document unless you specifically know that it is legitimate; or better yet, ask your IT administrator to implement multi-factor authentication on critical accounts. Also, never act on any email direction to transfer significant funds or make large payments without verifying the request independently of the email itself. If we are all disciplined in doing so, we might make a lot of cybercriminals look for a different line of work.
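The mailbox rule in this story (mail from one internal colleague silently moved to a folder the owner never looks at) is something an administrator can hunt for across every mailbox. The following is an added example, not code from the original post or from any vendor: it walks a list of inbox-rule records and reports the traits that make a rule suspicious. The rule records are constructed and only loosely modelled on the fields a mailbox rule export contains; no Microsoft 365 API is called, and the field names are assumptions for the example.

```python
"""Audit mailbox inbox rules for the quiet-diversion pattern.

Added example (not from the original post). Rule records are constructed
dictionaries; the field names are an assumption, not a vendor schema.
"""
from typing import Dict, List, Tuple

# Folders a user actually reads. A move anywhere else deserves a look.
EXPECTED_FOLDERS = {"inbox", "archive"}


def is_external(address: str, org_domain: str) -> bool:
    """True when the address does not belong to the organization's own domain."""
    return not address.lower().endswith("@" + org_domain.lower())


def audit_rule(rule: Dict, org_domain: str) -> List[str]:
    """Return human-readable findings for one rule; an empty list means nothing odd."""
    findings: List[str] = []
    senders = rule.get("from_contains", [])
    internal_senders = [s for s in senders if not is_external(s, org_domain)]
    name = rule.get("name", "").strip()
    folder = rule.get("move_to_folder")
    deletes = bool(rule.get("delete"))

    if len(name) <= 1:
        # Empty or one-character names are easy to overlook in a long rule list.
        findings.append("rule has an empty or one-character name")
    if deletes:
        findings.append(f"deletes mail matching {senders or 'all messages'}")
    if folder and folder.lower() not in EXPECTED_FOLDERS:
        findings.append(f"moves mail matching {senders or 'all messages'} to '{folder}'")
    for target in rule.get("forward_to", []):
        if is_external(target, org_domain):
            findings.append(f"forwards to external address {target}")
    if internal_senders and (deletes or folder):
        # The story's pattern: mail from a specific colleague rerouted away from the inbox.
        findings.append(f"targets mail from internal sender(s) {internal_senders}")
    if rule.get("mark_as_read") and (folder or deletes):
        findings.append("marks diverted mail as read so it never shows as unread")
    return findings


def audit_mailbox(rules: List[Dict], org_domain: str) -> List[Tuple[str, List[str]]]:
    """(rule name, findings) for every rule that produced at least one finding."""
    report = []
    for rule in rules:
        findings = audit_rule(rule, org_domain)
        if findings:
            report.append((rule.get("name", "<unnamed>"), findings))
    return report


# Constructed sample rules: one benign newsletter filter, one that quietly
# parks the CFO's mail in a temporary folder, one benign receipts filter.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@vendor.example"],
     "move_to_folder": "Archive"},
    {"name": ".", "from_contains": ["cfo@examplecorp.com"],
     "move_to_folder": "Temp", "mark_as_read": True},
    {"name": "Receipts", "subject_contains": ["receipt"],
     "move_to_folder": "Archive"},
]

if __name__ == "__main__":
    for rule_name, findings in audit_mailbox(SAMPLE_RULES, "examplecorp.com"):
        print(f"Rule {rule_name!r}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run on a real tenant, the same logic would be fed from whatever rule export the mail platform provides; the value is in running it regularly, because a rule like the second one above is created long before the wire request is ever sent.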