Evolution, by definition, is “a process of continuous change from a lower, simpler, or worse to a higher, more complex, or better state”. When we look at social engineering tactics, specifically as they relate to email phishing, this concept could not be truer. Advances in detection software have made it possible to protect organizations from certain types of phishing attacks. One method of deterring phishing emails is to reroute emails through a proxy that scans for malicious embedded links. Another tactic has been to check incoming emails for spoofed email addresses. If the incoming email address does not resolve to a valid domain, the email is flagged and subsequently prevented from reaching its intended target.
While these tactics are well and good, and work for the most part, the latest trend in spear phishing has taken the financial industry by storm and has been the topic of choice at several IT security conferences and seminars. By now, most of us have heard or read about the CEO and CFO spear phishing attacks, otherwise known as “CFO fraud” or the “business email compromise”. In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams. In February, con artists made off with a whopping $17.2 million from one of Omaha, Nebraska’s oldest companies: The Scoular Co., an employee-owned commodities trader.
There are a couple of different pieces that, when put together, form a very effective and convincing attack vector for spear phishing. The amount of information that exists online makes it easy for a scammer or phisher to find detailed information on a company’s organizational chart. Social media outlets such as LinkedIn provide a vast network of information at no cost for any individual performing reconnaissance on an intended target. The task of identifying an individual in a corporate-level role within an organization is made simple by performing a few searches. Once an executive has been identified, scammers can move on to the second piece of the puzzle.
To bypass the software-based deterrents used to protect against phishing attacks, scammers are no longer using spoofed email addresses. Rather, phony domains are being established and email addresses for that domain are being used. A phisher no longer needs to mask the email address being used with a completely different source address. By transposing a letter or two in a domain, or simply omitting a letter, an attacker can now establish a seemingly identical domain and email address that might not be noticeable to an unsuspecting recipient.
Taking a closer look, let’s say someone wanted to perform a phishing campaign against my employer, Accume Partners. A potential attacker could create a domain called accumepartner.com and with that, create an email address of email@example.com that could very well deceive a potential target.
Tools such as theHarvester are specifically designed to help penetration testers gain information on targets by analyzing the online footprint of the intended target. By leveraging search engines and various online sources, these tools collect email addresses, names, subdomains, etc., making it simple for an attacker to build a target list. Other websites, such as Data.com, provide detailed content on organizations for marketing purposes and clearly identify contact information that can be leveraged to establish potential targets.
As all the pieces of the phishing puzzle start falling into place, we see a valid domain and source email address that are able to circumvent the email security solutions that are implemented. The attacker also has a list of C-level individuals, which means that in the example cited earlier regarding the “fake” email address, an attacker could mirror the email address of a CEO or CFO with convincing effect. The harvested email addresses and the information gathered via social media websites provide the potential targets needed to execute the attack.
This method of social engineering has had astounding success. The tactics used by scammers and phishers to engage in these types of attacks have continued to evolve in order to stay ahead of the security implementations and technology designed to protect the cyber-community from these attacks. These latest advances in spear phishing tactics reinforce the belief that in order to stay ahead of the bad guys, there has to be more effort and concentration in security awareness education so that the user base knows what to expect and how to identify even the most convincing attacks.