Phishing and spearphishing: Delivery vehicles for ransomware, theft and more

Everyone has received those crude emails claiming to be from your bank's "Secuirty Team," telling you that you need to click a link to "reset you account password." It's pretty easy to spot those emails, with all the misspellings, the terrible formatting, and the bizarre "reply to" addresses at domains halfway around the world. Other emails of that sort ask you to review an unclothed photo of an A-list celebrity, or to open an attached document that tells you what you've won.

We can laugh, but many people fall for those phishing scams — and willingly surrender their bank account numbers and passwords, or install malware, such as ransomware.

Less obvious, and more effective, are attacks carefully crafted to appeal to a high-value individual, such as a corporate executive or a systems administrator. Such targets are usually technologically sophisticated, but anyone can be fooled if the spearphishing email is good enough; spearphishing is the term for a phishing email designed specifically to entrap a particular person or role.

What's the danger? Plenty. A spearphishing email that pretends to be from the CEO can convince a corporate accounting manager to wire money to an overseas account. Known as the "Wire Transfer Scam," this has been around for several years and still works; according to the FBI it has cost victims hundreds of millions of dollars.

These scams hurt individuals as well, by exposing their private financial information. In February 2017, about 7,700 employees of the Manatee School District in Florida had their tax records stolen when a payroll employee responded to what she thought was a legitimate request from a district officer: "Forward all schools employees 2016 W2 forms to me attached and sent in PDF, I will like to have them as soon as possible for board review. Thanks."

It was a scam, and the scammers now hold each employee's W-2, the U.S. wage and tax statement that carries the employee's name, address, Social Security number and earnings, which is everything needed to file a fraudulent tax refund in that person's name. The cost of the damage is unknown at this point, but it is bad for the school district and worse for the employees. Sadly, this is not a new threat: the U.S. Internal Revenue Service had warned about this exact phishing scam in March 2016.
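Both incidents above share one shape: a trusted name on an untrusted address, asking for money or payroll data. As an added example that is not part of the original article or any vendor's product, the Python below runs the checks a mail gateway or an analyst's triage script would apply to an inbound message: an executive's display name on an address that is not that executive's, a sender domain that mimics the organisation's own, a Reply-To pointing at a different domain than the From address, and a request for W-2 or wire-transfer data. The organisation domain, the executive list and the two sample messages are constructed for the example and are not real traffic.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation details (constructed for this example).
INTERNAL_DOMAIN = "example-schools.org"
# Executives whose display names are worth impersonating, keyed by normalised name.
EXECUTIVES = {
    "jane smith": "jane.smith@example-schools.org",
}
# Phrases that typically accompany payroll-data and payment requests.
SENSITIVE_TERMS = ("w2", "w-2", "wire transfer", "gift card")

# Constructed sample messages (not real traffic): a spoof and a genuine internal note.
SPOOFED = """\
From: "Jane Smith, Superintendent" <jane.smith@example-schools-hr.com>
Reply-To: jsmith.board@mail-example.net
To: payroll@example-schools.org
Subject: W2 forms for board review
Date: Mon, 13 Feb 2017 08:12:44 -0500

Forward all schools employees 2016 W2 forms to me attached and sent in PDF.
"""

LEGIT = """\
From: "Jane Smith" <jane.smith@example-schools.org>
To: payroll@example-schools.org
Subject: Board meeting agenda
Date: Mon, 13 Feb 2017 09:00:00 -0500

Agenda for Thursday attached.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _label(domain):
    """Leading label used for crude lookalike matching: 'example-schools.org' -> 'example-schools'."""
    return domain.split(".")[0]


def _normalise_name(display_name):
    """'Jane Smith, Superintendent' -> 'jane smith' (drop a title after the comma, squeeze spaces)."""
    return " ".join(display_name.split(",")[0].lower().split())


def _body_text(msg):
    """Text of the message body, preferring a plain-text part in multipart mail."""
    part = msg.get_body(preferencelist=("plain", "html")) if msg.is_multipart() else msg
    return part.get_content() if part is not None else ""


def analyze(raw_message):
    """Return the list of findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    findings = []

    # 1. An executive's display name on an address that is not that executive's.
    expected = EXECUTIVES.get(_normalise_name(display_name))
    if expected and from_addr.lower() != expected:
        findings.append("display-name-impersonation")

    # 2. An external domain that mimics ours (same leading label, different domain).
    if from_domain and from_domain != INTERNAL_DOMAIN and _label(INTERNAL_DOMAIN) in _label(from_domain):
        findings.append("lookalike-domain")

    # 3. A Reply-To that steers replies to a different domain than the From address.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. A request for payroll or payment data in the subject or body.
    text = (str(msg.get("Subject", "")) + " " + _body_text(msg)).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("sensitive-data-request")

    return findings


def verdict(findings):
    """Quarantine when impersonation or a lookalike domain is combined with a sensitive request."""
    spoof = {"display-name-impersonation", "lookalike-domain"} & set(findings)
    if spoof and "sensitive-data-request" in findings:
        return "quarantine"
    return "flag" if findings else "deliver"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        found = analyze(raw)
        print(f"{label}: {verdict(found)} {found}")
```

The display-name check is the one that matters most: an accounting or payroll employee reads the name in the client, not the address behind it, so the gateway has to compare the two on their behalf. The lookalike test here is deliberately crude (a shared leading label); a production filter would add edit-distance and homoglyph checks, and would also consult the message's authentication results (SPF, DKIM, DMARC), which are out of scope for this example.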

The cybercriminals behind spearphishing continue to innovate. Fortunately, the industry is fighting back. Menlo Security, a security company, recently uncovered a sophisticated spearphishing attack at a well-known enterprise. While it is understandable that the victim declined to be identified, Menlo Security was able to provide some details on the scheme, which incorporated multiple scripts to customize the attack and trick the victim into disclosing key credentials.

  • The attackers checked the password the victim entered and the victim's IP address to decide whether this was a genuine compromise or a researcher or defender who had figured out the attack. This is worth remembering when a reported phishing URL, revisited from an analyst workstation, returns nothing suspicious: the kit may simply have recognized the second visitor.
  • The attackers supported multiple email providers. This was evident because they served custom pages based on the victim's email domain: a victim whose address was john.doe@gmail.com, for example, was shown a page that looked like the Gmail login page.
  • The attackers exfiltrated the victim's personally identifiable information (PII) to an attacker-controlled account.
  • The attack relied heavily on several key scripts to run the campaign and to obtain the victim's IP address along with the victim's country and city.

Phishing and spearphishing have come a long way from those crude emails, which still work. You cannot count on bad spelling and laughable return-address domains to identify a fraudulent message. The only durable solution will be a technological one.