The Electronic Frontier Foundation (EFF) has reported that activists at Free Press and Fight for the Future were hit over the summer with a targeted spear phishing campaign that involved nearly 70 phishing attempts. If you haven't read their report, you should. Very few organizations would come out of the same situation unscathed.
Kudos to the EFF team for (A) thwarting the attack and (B) sharing it so the world can see how persistent and sophisticated these attacks can be.
The campaign used fake Google, Dropbox, and LinkedIn login pages to steal credentials. This is a common first step. Those services can reveal additional targets and be used in a myriad of ways to progress towards the threat actor's objectives. Given the prevalence of password re-use, it's also likely that credentials stolen from these services could be used to access other systems of value to the actor.
To drive targets to those phishing pages, the threat actors got creative with personalized email lures. One target was a musician, so the phishing lure sent her way asked for a link to buy her music. She replied with a link. They replied claiming it didn't work and, in place of her link, included a link to a Gmail phishing page, hoping that she would enter her credentials.
Another lure posed as a YouTube comment for a real video that the target had uploaded. One lure even spoofed the spouse of a target. These were in addition to many more clickbait lures tailored to the political leanings of the organization.
The analysis done by the EFF team is a good example of how organizations should respond to phishing attacks. It's not enough to just delete phishing emails. They need to be treated like any other security event. They should be analyzed and investigated quickly to assess the threat so that the appropriate steps can be taken to mitigate risk. Indicators of Compromise need to be identified and used to protect the organization. Threat intelligence such as TTPs, campaigns, and actors needs to be established so that future attacks can be identified and countered more quickly.
The EFF was subjected to a month-long campaign. But by closely monitoring and investigating the phishing attempts, they were able to weather the storm.
I'm sure this is not the first time the EFF has been targeted, nor the last time. They have clearly invested in the technology, people, and processes needed to be more resilient against phishing attempts.
But if your organization were targeted by a similar advanced persistent phishing campaign, how would it fare?
If the answer to that question makes you uncomfortable, you aren't alone. Many organizations are not prepared to prevent, detect, and respond to targeted phishing campaigns.
PhishLabs helps organizations overcome this with 24/7 managed security services that stop phishing attacks. Here's how it works:
- We condition employees to recognize and report phishing attacks that email and network security tools miss.
- We monitor those reported phishing attacks around-the-clock and respond immediately to threats.
- Our experts analyze phishing threats and identify IOCs that can be fed via API directly into security technologies for near real-time protection.
- We deliver IOCs from attacks we analyze globally to proactively block attacks that use known phishing infrastructure.
Need help? Talk to one of our experts to learn more about how your organization can use PhishLabs to protect against phishing.