While hackers often employ mass, undifferentiated phishing schemes to trick email recipients into divulging personal information or clicking on links that download malware, some have gotten increasingly sophisticated.
They have taken their phishing attempts to the next, more threatening level by utilizing spear phishing, or business email compromise attacks. Spear phishing differs from regular phishing in that the attacks are highly customized, targeting specific recipients and referencing people and projects those recipients know. Hackers can glean this information quite easily from social media profiles, including LinkedIn and Facebook.
In a spear-phishing attack, a recipient gets an email that looks like it is from their colleague Joe. The company has a bring-your-own-device policy, so employees are able to use personal mobile devices, and often inadvertently send emails from their personal accounts. In this case, the hacker knows from LinkedIn that Joe’s personal email address is joesmith1@gmail.com and creates a Gmail account for joesmith.1@gmail.com. The recipient doesn’t notice the difference, and the stage is set for the attack.
The email mentions a project they’re working on together and requests that the recipient review a document, which is attached. When the recipient opens the document, his computer is exposed to malware, but he doesn’t know it, because the malicious actor has no incentive to shut the device down. Rather, the malware sits in the background, and the longer the recipient does his work, the longer it logs his keystrokes and the more information “Joe” receives about his company.
Spear phishing was the delivery mechanism for the powerful
According to
In this way, the initial attack from “Joe” might enable the hacker to figure out who is in charge of the funds transfer desk. Then, after spear-phishing that individual, the hacker can learn not only the bank’s SWIFT passwords, but also the unique workflows that the bank uses to process transfers. They grab screenshots of SWIFT terms and learn exactly how a specific bank moves money around — who has approvals and so forth.
In order to avoid detection, the amount stolen at any given time in the Carbanak hacks was often quite low. For example, a gang might add $8,000 to someone’s account and then quickly arrange for it to be cashed out at ATMs they controlled. By the time anyone noticed, it was too late.
Of course, small losses can add up, but it’s often not just about the money. Cash losses could be the least of a major financial institution’s problems, because a breach of this kind becoming public could also result in reputation damage, loss of customers, civil liabilities, SEC investigations and penalties under the Gramm-Leach-Bliley Act.
This is a frightening prospect, but there are ways to prevent spear phishing from happening to other financial institutions or payment services organizations. Unfortunately, it will take more than reputation- or fingerprint-based email security. These tools won’t catch a spear-phishing email because they’re not known, mass attacks sent from bad IPs. They are one-off, highly personalized messages that are very well crafted, and don’t contain any malicious attachments or phishing links. The trick is to leverage predictive email defense capabilities that establish normal behavior patterns with respect to the people your employees communicate with, so that you can then detect and alert users to even the subtlest of anomalies.
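The "normal behavior pattern" idea above, and the lookalike-address trick from the Joe Smith scenario, can both be illustrated with a small sender-baseline check. The following is an added example written for this page; it is not code from the article or from any email-security product. It assumes a constructed baseline of addresses each contact has previously been seen sending from (in practice this would be built from historical mail), a simple `Name <address>` From-header format, and a hypothetical similarity threshold of 0.85. One caveat worth knowing: Gmail ignores dots and anything after `+` in the local part, so the example canonicalizes those before comparing rather than treating a dotted variant as a different mailbox.

```python
import re
from difflib import SequenceMatcher

# Constructed baseline (not real data): addresses each known contact has sent from.
KNOWN_SENDERS = {
    "joe smith": {"joe.smith@example-bank.com", "joesmith1@gmail.com"},
    "ann lee": {"ann.lee@example-bank.com"},
}

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_address(addr):
    """Lower-case an address and apply provider canonicalization.

    Gmail ignores dots in the local part and any '+tag' suffix, so
    joesmith.1@gmail.com and joesmith1@gmail.com are the same mailbox.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def parse_from_header(value):
    """Split 'Joe Smith <joesmith1@gmail.com>' into (display name, address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', value)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip()
    return "", value.strip()  # bare address, no display name


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def assess_sender(from_header, known=KNOWN_SENDERS, threshold=0.85):
    """Classify a From header against the baseline.

    Returns (verdict, detail):
      ("known", contact)                 address already seen for this contact
      ("display_name_mismatch", contact) name matches a contact, address is new
      ("lookalike", known_address)       address is close to a known address
      ("new_sender", None)               nothing in the baseline resembles it
    """
    name, addr = parse_from_header(from_header)
    canon = normalize_address(addr)
    # Map every canonical known address back to its contact.
    all_known = {normalize_address(a): n for n, addrs in known.items() for a in addrs}

    if canon in all_known:
        return ("known", all_known[canon])
    # Display-name impersonation: a trusted name on an unfamiliar address.
    if name in known:
        return ("display_name_mismatch", name)
    # Lookalike address: a near-miss on a known address or domain (e.g. .co vs .com).
    best = max(all_known, key=lambda k: similarity(canon, k))
    if similarity(canon, best) >= threshold:
        return ("lookalike", best)
    return ("new_sender", None)


if __name__ == "__main__":
    # Constructed sample headers, one per case.
    for hdr in [
        "Joe Smith <joesmith.1@gmail.com>",
        "Joe Smith <joesmithl@gmail.com>",
        "Finance Desk <ann.lee@example-bank.co>",
        "Bob Vendor <vendor@supplies-example.org>",
    ]:
        print(f"{hdr!r:45} -> {assess_sender(hdr)}")
```

The ordering of checks matters: a trusted display name on an unfamiliar address is the classic business-email-compromise pattern and is reported before the fuzzier lookalike test, and only messages in the last two categories would be surfaced to the user as anomalies.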