I was inspired to write this article by a colleague who recently raised the subject of ransomware, i.e. an attack delivered via phishing emails. Everyone must have heard about emails containing fake invoices for telecommunications services or courier deliveries. This time, I will not address the topic of mass-mailing campaigns, instead focusing on highly targeted attacks, directed against a specific organization, department or individual, often holder of a high-ranking position (board member, director of finance, chief accountant).
SUMMARY:
- There are two main types of phishing attacks: mass mailing (e.g. the above-mentioned fake invoices) and targeted attacks, also referred to as spear phishing, or sometimes whaling.
- The latter type of attack is usually much more carefully planned, prepared and more difficult to detect by a user who does not specialize in IT or security.
A spear-phishing attack – the case of company X
These events took place some time ago in Poland. The board of company X believed that the technical and organizational security measures they implemented were sufficient, despite the concerns raised by the security manager.
A cybercriminal browsed through employees of company X. Most likely using publicly available information, such as the company website, National Court Register KRS, social media like Facebook and LinkedIn. For their victim, they chose a high-ranking employee with powers to authorize bank transfers, hereinafter referred to as the Director.
The cybercriminal, through a series of carefully prepared spear-phishing messages sent to the Director’s business email address, obtained passwords to the web portals he used (including in private life). One of them was identical to the password of his business email account (which was very careless), and company X did not use multi-factor authentication, which the hacker quickly took advantage of.
Impersonating the Director, even imitating his writing style, including the use of emoticons, they instructed the accountants to transfer funds to a specific account.
Without any suspicion, the accountants effected the transfer. And probably no-one would be any wiser until the next audit if the criminal had not got greedy. Encouraged by the first success, they repeated the operation, increasing the amount severalfold. The amount was so high that the transfer had to be authorized by a second person, which the criminal was not aware of.
This triggered a quick verification. It turned out that the Director did not order a transfer, and knew nothing about it. Once the message was sent to accounting, it was deleted from his mailbox. Subsequently, internal audit discovered that this was not the first case, and a certain amount had already been irretrievably lost. Only then did company X decide to engage advisors and increase the security of its processes.
Spear-phishing attacks – can you protect yourself against them?
To make a long story short – no. Was it possible, in our story, to improve security (not only technically) and reduce the risk of such an incident? Yes.
How? Here are some tips:
- Exercise caution, even with regard to superiors and close associates. Each non-standard behaviour may represent a fraudulent attempt.
- Confirm instructions if you are in any doubt, by phone or in person. If someone gains control of your mailbox, every email may be intercepted and every reply may be manipulated.
- Use diverse and strong passwords in every service you use (whether in business or personal life). Use passphrases.
- If you cannot remember all the different passwords, use a password manager, there are several noteworthy free solutions.
- Systematically raise employee awareness of threats through training, social engineering tests and other awareness-raising measures.
- Develop procedures to prevent cybersecurity gaps, particularly in processes generating high risks for the business (not only related to bank transfers).
- Train your staff on new procedures and monitor compliance.
- Use anti-spam solutions in your business mail.
- Enable multi-factor authentication.
- Systematically verify security levels, reliability of procedures and technical solutions and make improvements.
- Systematically verify online information about your employees who represent high risk for the organization because of their scope of authority, for instance through open-source intelligence (OSINT).
You might also want to consider insurance against cyberattacks. While it does not protect you against an attack, it will limit its consequences. Some policies cover not only the costs of handling the incident and resuming operations, but also other expenses, such as ransom in the case of ransomware attacks.
More and more criminal groups specialize in these meticulously planned attacks to maximize the chances of catching their whale.
All we can do is proactively raise security awareness and build successive walls around our homes and businesses, and then audit their effectiveness.
AUTHOR: Marcin Mańko, Senior Consultant, Digital consulting
