Some Information about Spear Phishing (Targeted Phishing Attacks)

Most malware and phishing attacks/traps are not specifically targeted.  Scammers cast their net as wide as possible to catch the most fish.  They portray themselves as the most common players in the industry (Microsoft, Apple, Symantec, DocuSign, etc.) or as some of the most common service providers (FedEx, UPS, Netflix, etc.).  They play the numbers to give themselves the best odds of catching a victim.  However, in that scenario, they don’t know who or what they are going to catch.  Generally they are going to get the smallest fish that are most vulnerable to attack.  Larger fish are going to be more savvy and have better tools and policies at their disposal to look out for such scams.  Catching a big fish requires a larger investment in time and more focus on detail.

Targeted phishing attacks are generally referred to as “spear phishing.”  The scammers pick their target specifically and pinpoint their attack to try for the bigger fish.  They generally use similar methods of brand impersonation (possibly pretending to be suppliers or customers), but sometimes they impersonate other staff members or executives within the organization.  They use urgency, intimidation and potential embarrassment to get the victims to act quickly without thinking more deeply about their actions or the consequences.  They might pretend to be the victim’s boss and make a request via email with a subject like “…I need you to transfer money to a new supplier ASAP!!…” with a message that might read “…I need you to transfer money to a new supplier to get the pieces coming for a big project.  Keep this quiet as the project is still under the radar.  I trust you to take care of this as soon as possible…” and maybe even with a signature line like “Sent from my iPhone” that explains why the message is short, why the voice reads differently than their normal correspondence and why their typical corporate signature is not included on the message.  A sudden request to transfer money might be too deep, so they may opt for something seemingly more benign. “…Use the corporate account to buy fifteen $100 Amazon gift cards for me to give out as bonuses.”  “Reply to this message with the gift card numbers as soon as you can so that I can start getting them processed.”  “Between you and me, one of these is for you.”  This time they are able to use the standard email signature you expect, as they were able to glean it from other corporate correspondence they found while researching your company as a target.  Maybe they use the logo they just copied from your website.

Another tactic is blackmail.  This could come in the form of “I have access to your account, your password is ‘passw0rd’.” (On a side note, if that is your password for anything, go change it now! =).  When there is a large data breach, the data is bought, sold and shared all over the dark web.  If your email address and password for a large retailer were compromised, they’re probably out there.  Scammers will collect this information and use it to email you a password that was breached (and hopefully changed) many years ago.  However, if you use the same password for multiple systems (again, if this applies to you, go change your passwords and make sure you don’t use the same password for multiple logins), or if you aren’t thinking and recall using the password they provided, you might be fooled into thinking they really do have your login credentials.  One tactic we commonly see is to spoof the sender address to make it appear that the message has been sent from the victim’s own account.  Then, by conveying a sense of urgency and maybe the potential for embarrassment, they convince you to follow their demands. “I have your password.  I logged into your account and got control of your computer’s camera.”  How someone would think that a password for their Target account would give someone access to the webcam in their computer is mind boggling, but again, it’s the lack of applying good logic here that is the trick. “I have compromising pictures and videos of you from your computer’s webcam.” “If you don’t send me two Bitcoins within 24 hours I am going to post the videos to the Internet and send links to everyone in your address book.”  Too embarrassed to tell anyone else what has happened (or has supposedly happened) and with the clock ticking, the victim pays the scammer.

How did this get past all the edge defenses the company put in to protect the company from outside threats?  First, the email messages described above contained no malicious payload.  There was no attached virus or malware for the filters to flag.  The messages come from a zero-day web link or email address (a web link or email address that was created very recently and had not previously been flagged as malicious).  The email came from a trusted domain (like Gmail or Hotmail).  The link points to a high reputation domain (like a major web host that sells hosting services) or maybe a new domain that hasn’t been previously flagged. The message isn’t sent to 500,000 addresses at once (as typical large scale phishing scams would be). Without these flags that the filters are on the lookout for, the message is allowed to make it to the victim’s mailbox.

What do they want?  While access to corporate accounts is uncommon (unless you are targeting the head of the accounts payable department), there may be other valuables or valuable information that can be gained.  Gift cards are an increasingly common request.  As soon as the scammer has the card information it can be nearly as liquid as cash.  Bitcoin (BTC) is a common request.  Although it’s tougher to acquire, it provides for an untraceable conduit to transfer money.  The value may be in the form of information.  Maybe it’s a targeted attack at the human resources department requesting W2s or Social Security Numbers or other useful information.  Maybe it’s a request to change the direct deposit account for an employee’s paychecks to an account controlled by the scammers.

Are targeted phishing scams more common at certain times of the year?  Along with the focus on individuals, scammers have opportune times of the year to strike as well.  April 15 is well known as “Tax Day.”  An email on April 16 claiming to be from the IRS and saying they didn’t receive your tax filing could cause enough stress and urgency to get an otherwise savvy user to click on a link in a panic.  Everyone is expecting packages around the holiday shopping season.  A well-timed email claiming to be from a major retailer or shipping company, saying there is a delay with or cancellation of your order, may again cause panic to set in and unwise clicks to be made.

How do you avoid falling victim to this type of targeted fraud?  There are some things to look for that can prevent falling victim to a scam like this.  The two most important things are to be aware that such scams exist and to take the time to look in more detail.

Be leery of messages that convey urgency.  They are designed to get you to act without thinking.
“…What?!? the package is delayed?!? That’s probably the necklace I ordered for my wife for our anniversary tomorrow!!…”

Look for unusual email addresses (even to the point of a misspelling of the domain).
“…Wait, this isn’t from, it’s from…”

Look out for messages that give only vague information and ask you to follow a link to get more details.
“…Wait, there isn’t an order number or a tracking number… and didn’t that ship from another carrier?”

Look for links that claim to point to one location but really point to another.
“…Wait, when I hover my mouse cursor over the “FedEx Track Now” link it points to some crazy page on a site I’ve never heard of…”

Look for other oddities in the message that don’t add up.
“…Wait, the message subject says “RE:” as though it’s a response to a message I sent, but I didn’t send a message to this sender with that subject…”

Find other channels of communication to verify unusual requests.
“…Wait, why would Steve in Production want to change direct deposit information for another employee?  Maybe I should call him to confirm what he wants…”
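
Three of the checks above (a misspelled sender domain, a link whose text and destination disagree, and an unexpected “RE:” subject) can be partly automated as a mail-triage aid.  The Python below is an added example, not part of the original article; the helper name `red_flags`, the trusted-domain list and the sample message (including `shipco.example` and `tracking.invalid`) are assumptions constructed for illustration, and it assumes a single-part HTML message.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; shipco.example and tracking.invalid are made-up names.
SAMPLE = """\
From: ShipCo Delivery <tracking@shlpco.example>
Subject: RE: Your package is delayed

<p>Act now: <a href="http://tracking.invalid/t">ShipCo Track Now</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(raw, trusted):
    """Return warnings for one raw single-part HTML message (hypothetical helper)."""
    msg, flags = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Misspelled sender domain: close to a trusted domain without matching it.
    near = difflib.get_close_matches(domain, trusted, n=1, cutoff=0.8)
    if domain not in trusted and near:
        flags.append(f"sender domain {domain} resembles {near[0]}")
    # "RE:" subject on a message that references no earlier message.
    is_reply = msg.get("In-Reply-To") or msg.get("References")
    if msg.get("Subject", "").strip().lower().startswith("re:") and not is_reply:
        flags.append("subject says RE: but reply headers are missing")
    # Link text that names a trusted brand while the href leads elsewhere.
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        on_trusted = any(host == t or host.endswith("." + t) for t in trusted)
        if not on_trusted and any(t.split(".")[0] in text.lower() for t in trusted):
            flags.append(f"link text '{text}' points to {host}")
    return flags
```

Calling `red_flags(SAMPLE, ["shipco.example"])` returns one warning for each of the three checks; a message that trips none of them returns an empty list, which does not by itself mean the message is safe.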

This is a topic that has so many facets that it can’t really be covered in a single article.  Most of the information here references phishing email.  Scams of this nature can occur over the phone, via FAX or via virtually any method of communication.  It is advisable to consider awareness training within your organization and maybe even discuss or consider phishing simulations and how to close loopholes in communication, both intra-office and inter-office.  Discuss how different kinds of information or requests will be made and how they can be independently corroborated.  Encourage staff to report suspicious or unusual requests.  Be aware, these types of targeted scams are occurring more and more every day. -Jayson