Business email compromise (BEC), spear phishing, and social engineering aren’t just buzzwords that have gained popularity in the security industry. These tactics have recently been employed by cybercriminals to get around the plethora of security controls deployed to protect organizations. Account takeover has evolved from using malware to compromise credentials and remotely control the victim’s computer, to using social engineering schemes over email to fool legitimate users into performing wire transfers, such as the recent BEC attack on Ubiquiti that nearly cost the organization $46.7 million.
How often is spear phishing used? Ninety-one percent of targeted attacks use spear phishing, and one in five recipients clicks the link, which can lead to a malware download, system compromise, a data breach, or compromise of email. Once penetration has occurred, the average time to discover a breach is 205 days.
Spear phishing attempts are often the first indicator that an organization is being targeted in the kinds of attacks that lead to incidents that have ruined companies and made front-page headlines. Quick detection of a potential compromise is critical to mitigating the damage associated with targeted attacks.
Spear phishing tradecraft
Where phishing targets the assets of an individual, such as email accounts, online service subscriptions or funds in an online banking account, spear phishing is used in attacks that target the assets of an organization by compromising individuals based on their role in the organization and the assets to which they have access.
Unlike typical phishing attacks that impersonate a brand and use the strong brand identification among consumers to gain the confidence of a potential victim, spear phishing emails often impersonate the identity of an individual – a colleague, supervisor, co-worker or personal acquaintance. In cases where organizations or brands are impersonated, these are also based on the findings from the attacker's research and reconnaissance into business relationships, impersonating a professional organization, an industry conference, a regulatory body, or a vendor or supplier. Both the impersonated identity and the intended recipient are chosen carefully based on their organizational roles and operational relationships.
Spear phishing lures are carefully crafted according to the attacker's understanding of the target environment, even leveraging samples of leaked emails, common forms, and previous business correspondence. They often attempt to establish a "pretext" to convince the target that the lure is part of an existing conversation by, as an example, using "RE:" or "FWD:" in the subject line and quoted text in the email body. When impersonating an organization, the lures may reference a bogus event using wording like "In response to your feedback" or "As a former attendee." The goal is to establish some confidence in a contrived relationship and incite the recipient to take some sort of action required to compromise the individual, or a chain of individuals, until the attacker has gained access to the assets that comprise the goal of the attacker's mission.
These spear phishing lures are sent one at a time from a specific account to a specific individual, typically a manual process with actual email applications. Unlike common phishing lures that are spammed out in bulk using mass mailer scripts or networks of spambots, these customized spear phishing lures don't exhibit tell-tale signs or volumes that assist in identification and blocking of most fraudulent emails. These email messages may come from outside networks using look-alike domain names impersonating the domain names used by the targeted organization or a vendor/supplier. However, they are also frequently sent from within the actual targeted organization, using a compromised account or email server, and never cross the network perimeter where email content filtering controls are positioned to inspect and quarantine potentially fraudulent messages and malicious attachments.
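Two of the traits described above are cheap to check on the receiving side: a subject line that claims to be a reply or forward with no threading headers behind it, and a sender domain that closely resembles one of the organization's own or its suppliers' domains. The following is an added example, not code from the original post; the trusted domain list and the sample message are constructed, and the similarity threshold is an assumption to be tuned per environment.

```python
import email
import email.utils
from email import policy
from difflib import SequenceMatcher

# Assumed allowlist of the organization's and its suppliers' domains (constructed).
TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}

# Constructed sample lure: "RE:" pretext with no threading headers, sent from a
# look-alike domain that swaps the letter "l" for the digit "1".
SAMPLE = """\
From: "Jane CFO" <jane@examp1e.com>
To: bob@example.com
Subject: RE: Updated wire instructions for Q3 invoice
Message-ID: <20150901.1@examp1e.com>

Bob, per our call, please see the attached PDF for the new beneficiary account.
"""

def sender_domain(msg):
    """Return the lower-cased domain part of the From address, or '' if absent."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain this one resembles but does not equal, else None.
    An exact trusted domain is not a look-alike; the threshold (assumed) is tunable."""
    if not domain or domain in trusted:
        return None
    best, best_ratio = None, 0.0
    for t in sorted(trusted):  # sorted for deterministic tie-breaking
        ratio = SequenceMatcher(None, domain, t).ratio()
        if ratio > best_ratio:
            best, best_ratio = t, ratio
    return best if best_ratio >= threshold else None

def fake_thread_indicators(msg):
    """True when the subject claims a reply/forward but no In-Reply-To or
    References header ties it to an actual prior message."""
    subject = msg.get("Subject", "").strip().lower()
    claims_thread = subject.startswith(("re:", "fw:", "fwd:"))
    has_thread_headers = bool(msg.get("In-Reply-To") or msg.get("References"))
    return claims_thread and not has_thread_headers

def score_message(raw):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    t = lookalike_of(dom)
    if t:
        findings.append(f"sender domain {dom!r} resembles trusted domain {t!r}")
    if fake_thread_indicators(msg):
        findings.append("subject claims reply/forward but no In-Reply-To/References")
    return findings

if __name__ == "__main__":
    for finding in score_message(SAMPLE):
        print("FLAG:", finding)
```

Neither check is conclusive on its own (legitimate mail clients sometimes drop threading headers), so treat the findings as triage signals to route a message for review rather than as a verdict.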
Although some phishing attacks will include a simple HTML phishing form as an attachment, the vast majority of phishing lures contain links to phishing pages (or redirects to phishing pages) designed to harvest the victim's credentials and other information.
Spear phishing lures rarely include links, but when they do, they may only lead to legitimate websites and are used to reinforce some relationship to some legitimate organization in order to gain confidence. Instead, some 94% of spear phishing lures include email attachments.
Specially crafted PDF documents or Office documents – often Microsoft "OLE" (Object Linking and Embedding) format files like Word documents, PowerPoint presentations, and Excel spreadsheets – are the most common form of spear phishing attachment. These include files with exploit code that executes silently and automatically, and files with macros that the user is socially engineered into enabling.
Payloads like these email attachments are often chosen and configured for specific target environments, again, based on extensive reconnaissance performed by the attacker. For example, they may employ tricks to bypass detection by a specific anti-virus vendor's technology used in the target environment; or exploit code may be customized to work with specific versions of applications or on specific platforms (like a specific version of Windows) used by the target organization.
Previously unknown and unpatched vulnerabilities, called "0-days," are immensely valuable to the sophisticated hacking crews behind the attacks which rely on spear phishing. They are only used where necessary, against hardened targets that have implemented good patching and maintenance processes. In fact, only 12% of spear phishing attacks by APT (advanced persistent threat) hacking crews have used 0-day exploits in their payloads.
A tactic more common in spear phishing exploits than anywhere else is the use of "distractors." Here the exploit code contains instructions to create a non-malicious copy of the attachment, often with appropriate subject matter, and replace itself with it, so that the file, if analyzed as part of an incident response, shows no signs of foul play. This is an attempt to evade analysis and throw investigators off the trail.
In the case of business email compromise (BEC) attacks, however, there is no technological exploit. The attached PDF files contain wire transfer instructions designed to exploit people and processes, but are otherwise completely standard documents containing no malicious code at all.
What happens next?
In the case of wire transfer scams, large sums of money often make their way out the door via an authorized employee, through legitimate channels. If the organization is lucky and catches the scheme soon enough, some of the funds may be recovered, but not without significant effort. In other spear phishing cases, the cybercriminal will often lurk in the system and gather intelligence or steal data over time. Organizations falsely assume that once in the system, the cybercriminal will make enough "noise" to be identified.
In a future post, we will share some specific examples of spear phishing and business email compromise attempts as well as discuss best practices for protecting employees and your organization. We also have a recorded webinar discussing a new approach to protecting against targeted attacks. Download the video here.