Gone are the days of easily recognisable phishing emails, filled with bad grammar and spelling mistakes; welcome to a world of properly targeted, personalised campaigns that are much more believable and, to the victims, much more devastating.
What used to be a fairly easy threat to counteract through simple education, the latest phishing campaigns are becoming increasingly targeted at industry sectors or specific companies, where the motive is financial gain.
This targeting of phishing campaigns makes them spear phishing, and the technique is being increasingly seen right across the world, rapidly displacing its mostly ineffective parent.
Spear phishing emails introduce a commercial spyware kit on victim computer systems, which starts trawling for business data that could be valuable if resold on the black market. The main difference between phishing and spear phishing is the targeting of campaigns to particular victim demographics.
Criminals know that it’s easy to scrape social media platforms such as LinkedIn to acquire employee details, which are then used to automate their spam campaigns. This allows them to target individual companies or industry sectors, using emails automatically customised with the victim’s name, corporate address, contact details, etc.
The email will appear to come from a person or company that would typically communicate with the target, such as a bank, supplier or customer, used to dupe the users into opening the malware-laden attachments.
Operation Ghoul, discovered by Kaspersky Lab researchers, is an example of a recent spear phishing campaign that is targeting industrial and engineering companies in 30 different countries.
The criminal gang behind Operation Ghoul has been under surveillance since March 2015, Kaspersky reported. Yet this latest campaign, which started in June, differs from its status quo because email messages are sent to top and mid-level managers. They include a supposed payment notice accompanied by a SWIFT document from a bank in the UAE.
Once the victim opens the email attachment, they are infected by the HawkEye spyware, which is programmed to collect key strokes, clipboard data, credentials and account data from browsers, messaging clients and email clients.
Data is then exfiltrated to the command and control server from where it can be packaged and sold on the black market for profit. This particular campaign has targeted senior managers and executives, since the attackers know these are the staffers that have access to the most valuable information, such as intellectual property, contracts and financial accounts.
Operation Ghoul is only one among several other campaigns that are supposedly controlled by the same group, Kaspersky said.
It would seem that the criminal fraternity has now evolved its techniques from a few years ago, when carpet bombing as many emails addresses as possible with spam was the primary modus operandi. Now they use fully personalised and targeted campaigns, which take a little more investment in time up front, but offer much more profitable results.
And this is just one of many attacks targeting our businesses. Furthermore, none of the security companies have a solution to this kind of attack.
If the malware has been modified and newly compiled so that no signatures exist, it will evade traditional security technology and will compromise the target if run. AV vendors will always be playing catch-up on new malware variants, hence why Kaspersky Lab’s primary recommendation here is for “users to be extra cautious while checking and opening emails and attachments".
Which is why security awareness is the best line of defence. If your staff have a natural and intrinsic level of mistrust of everything that drops into their inbox, especially if it comes from an external source, they’ll be better equipped to spot these attacks.
Without security awareness education and testing of end user understanding, the criminals will continue to evolve and improve their campaigns, and it won’t be long before your company is the next to fall foul of their efforts.