As we discussed in a previous blog post, cybercriminals have recently spent more time zeroing in on a specific target and deploying spear phishing attacks which have resulted in a surge of high-profile security breaches and/or major fraud schemes leaving organizations with millions in financial losses. For attacks that aren’t financially-motivated, such as those often carried out by nation-state actors or hacktivists, target selection is based on operational and strategic objectives. Targeting in financially-motivated attacks is much more dynamic with multiple variables that can factor into the decision. In this post we’ll explore some of those factors and how the attacks are delivered.
Identification of targets
Spear phishing attacks require much more up-front time and effort identifying targets compared to mass phishing attacks. Cybercriminals are going after "the big fish" rather than casting the net wide for several small fish. They base their targeting on a variety of criteria which can include but are not limited to:
- Size of organization - target mid-size to large organizations (over 1,000 employees).
- Size of supply chain network - organizations with high volumes of third-party vendors.
- Security practices of the organization - cybercriminals look for organizations where it's likely that "exceptions" will be made to deviate from standard security practices/procedures.
- Seniority level of target - generally executives or senior-level staff with authority.
- Target's accessibility to the network or funds - examples include system admins, accounting staff and executives.
- Volume of foreign financial transactions - generally look for high volumes so that funds going to a foreign account would not be suspicious.
Figure 1. Cybercriminals gather intelligence on spear phishing targets through a variety of sources.
Targeted attack payload prevalence
Ninety-four percent of targeted attacks use email to deliver either an unsafe URL, an attachment, or some variation of the two. After the targets are determined, miscreants craft an email specific to each target and include the malicious payload. Attachments are meticulously crafted to slip past email content filtering tools. Once downloaded, the attachment performs the actions the attacker desires and then overwrites itself with a benign file. These non-malicious documents are distractors designed to throw off anyone investigating suspicious activity.
Some spear phishing attacks are designed solely for reconnaissance or social engineering; in those cases the email is not the initial attack vector but simply an intelligence-gathering tool.
Business email compromise (BEC) attacks are a different form of spear phishing that involve no malicious payload. Instead they exploit the target, his or her position or access rights, and circumstantial situations (e.g. an executive's travel schedule) that may require a break from normal security procedures.
Spear phishing example
PhishLabs recently analyzed a suspicious email received by an executive at a client organization. The spear phishing email contained a URL that (if clicked) would download a ZIP file. The ZIP file contained a Windows executable that has strong ties to the NetWiredRC Remote Access Trojan (RAT) malware family. The Trojan would allow the miscreant to perform keylogging, file downloads, and complete remote control on the infected machine.
Figure 2. Spear phishing email example.
Figure 3. Fake invoice associated with spear phishing email.
Business Email Compromise example
We previously blogged about a specific BEC attack. Examples of targeting, illustrations of lures used, and other threat indicators typical of recent BEC attacks can be found here: http://blog.phishlabs.com/targeted-wire-transfer-scam-aims-at-corporate-execs. Federal law enforcement officials and the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently released an alert to heighten awareness around the continued rise of BEC attacks.
Figure 4. Business email compromise example.
What can be done to protect employees and organizations?
Most of the available controls that will prevent BEC are simple finance department policies, for example:
- Two-party authorization should be required for wire-transfers over certain amounts.
- Two-party authorization should also be required to add new wire destinations.
- Email must never be permitted as a means to communicate changes to wire destinations or to initiate financial transactions.
When spear phishing comes from outside networks, as in many BEC attacks, many email content filtering solutions can identify and flag spoofed domains. Email content filtering controls can also be configured to treat such messages more suspiciously using technologies like SPF and DMARC, which would have drastically reduced losses in a large number of these cases. Before filtering controls can leverage them, however, safeguards like DMARC have to be implemented correctly, and that is not an insignificant undertaking.
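As an added illustration (not from the original post), here is what "implemented correctly" looks like in DNS for a hypothetical organization using the reserved domain example.com. The records show the weak, monitoring-only stage of a DMARC rollout beside the enforcing stage, and a softfail SPF record beside the hardfail one. The mail provider's include name and the report mailbox are placeholders.

```dns
; --- DMARC, first stage: monitor only. Receivers deliver spoofed mail as usual
;     but send aggregate reports, which is how you discover every legitimate
;     sender (marketing platform, ticketing system, ...) before enforcing.
_dmarc.example.com.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; --- DMARC, enforcing stage: mail whose From: domain is example.com and which
;     fails both aligned SPF and aligned DKIM is rejected by the receiver.
;     adkim=s / aspf=s require exact (strict) domain alignment rather than
;     accepting any subdomain.
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

; --- SPF, weak form: "~all" is a softfail, which most receivers treat as
;     "accept and maybe mark", so a spoofed sender still reaches the inbox.
example.com.  IN TXT "v=spf1 mx include:_spf.mailprovider.example ~all"

; --- SPF, corrected form: "-all" is a hard fail for any host not listed.
;     Only the MX hosts and the (placeholder) mail provider may send as example.com.
example.com.  IN TXT "v=spf1 mx include:_spf.mailprovider.example -all"
```

A DKIM selector record (the public key your outbound mail is signed with) is also required for DMARC to have two chances at alignment; it is omitted here because it depends on the key you generate. Moving from p=none to p=reject without first reading the aggregate reports is the usual way organizations break their own legitimate mail, which is the "not insignificant undertaking" the text refers to.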
Another approach is collecting a set of behavioral patterns and static indicators to create threat-specific filters. With visibility into these specific threats, PhishLabs has been working with vendors of email filtering solutions to make sure the information required to confidently flag these messages is available. We also recommend quarantining emails that contain wire transfer instructions for additional review. There are certain artifacts common in these scams that can be used for filtering in the future.
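The two paragraphs above describe a filtering layer: treat mail that fails DMARC for your own domain as spoofed, flag lookalike sender domains and executive-name impersonation, and hold anything carrying wire transfer instructions for human review. The following is an added example of such triage rules, written for this post and not PhishLabs' or any vendor's code. It assumes the defended organization owns example.com, that the mail gateway has already stamped an Authentication-Results header, and that the three sample messages (constructed here) are representative of a clean internal mail, a BEC lure, and an exact-domain spoof.

```python
"""Triage rules for spear-phishing / BEC indicators (added example, not the post's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "example.com"          # assumption: the defended organization's domain
EXECUTIVE_NAMES = {"jane doe"}            # assumption: display names attackers like to borrow
WIRE_TERMS = re.compile(
    r"\b(wire transfer|wiring instructions|routing number|swift code|iban|beneficiary account)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is enough to turn example.com into examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is within one edit of it, or our name under another TLD."""
    if domain == PROTECTED_DOMAIN:
        return False
    our_label = PROTECTED_DOMAIN.split(".")[0]
    return edit_distance(domain, PROTECTED_DOMAIN) <= 1 or domain.split(".")[0] == our_label


def parse_auth_results(header: str) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", header)
        verdicts[method] = match.group(1).lower() if match else "none"
    return verdicts


def triage(raw_message: str) -> dict:
    """Return a verdict ('deliver', 'flag' or 'quarantine') plus the reasons behind it."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if msg.is_multipart():
        body = "\n".join(part.get_payload(decode=True).decode("utf-8", "replace")
                         for part in msg.walk() if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()

    findings = []  # (severity, reason): 2 = quarantine, 1 = flag for the recipient
    if from_domain == PROTECTED_DOMAIN and auth["dmarc"] != "pass":
        findings.append((2, "From: claims our own domain but DMARC did not pass (likely spoof)"))
    if is_lookalike(from_domain):
        findings.append((2, f"lookalike sender domain {from_domain}"))
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != PROTECTED_DOMAIN:
        findings.append((1, f"executive display name '{display_name}' from an external domain"))
    if reply_domain and reply_domain != from_domain:
        findings.append((1, f"Reply-To domain {reply_domain} differs from From domain"))
    if WIRE_TERMS.search(body):
        findings.append((2, "wire transfer instructions present; hold for manual review"))

    severity = max((s for s, _ in findings), default=0)
    return {"verdict": {0: "deliver", 1: "flag", 2: "quarantine"}[severity],
            "reasons": [reason for _, reason in findings]}


# Constructed sample messages; none of these are real captures.
SAMPLE_MESSAGES = {
    "legit": """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: Board deck

Attached is the draft deck for Thursday.
""",
    "bec": """From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Reply-To: jane.doe@reply.example.net
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=none
Subject: Urgent wire transfer

I am travelling and cannot call. Please process the wire transfer today using the routing number below.
""",
    "spoof": """From: IT Helpdesk <helpdesk@example.com>
To: jane.doe@example.com
Authentication-Results: mx.example.com; spf=fail; dkim=fail; dmarc=fail
Subject: Password reset

Your password expires today.
""",
}


def triage_all() -> dict:
    """Run every sample through the rules; used by the __main__ block below."""
    return {name: triage(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name}: {result['verdict']} {result['reasons']}")
```

Note that the "bec" message passes SPF for its own lookalike domain, which is exactly why SPF alone is not enough: the attacker controls examp1e.com and can publish a valid record for it. The lookalike check, the display-name check and the wire-instruction hold are what catch it, while the DMARC failure is what catches the exact-domain spoof in the third sample.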
With targeted attacks proving high returns for cybercriminals, we can expect that this type of attack will only continue to rise. A new approach is needed to protect employees from being exploited. To hear more about protecting employees and your organization against spear phishing attacks and data breaches, view this on-demand webinar on Spear Phishing Protection from PhishLabs.