Phishing attempts keep growing more sophisticated and personalized. Currently, carefully crafted spear phishing emails posing as airlines and financial departments are being spread. The attempts go as far as imitating internal corporate travel and expense systems. The end goal is always the same: delivering malware and stealing personal information from targets.
Spear Phishing Becomes Highly Personalized and Very Successful
The described airline phishing attack has been disclosed by Barracuda researchers. The attackers have included various techniques in their arsenal with the purpose of stealing sensitive details from victims and infecting them with an advanced persistent threat.
Here’s an example of a subject line used by the phishers:
Fwd: United Airlines: Confirmation – Flight to Tokyo – $3,543.30
The attack combines the following techniques:
- Impersonation. The attackers first research the targeted organization’s structure and communication patterns. This is how the emails become highly personalized, leading to a very high click rate of over 90 percent, one of the highest phishing click rates ever.
- Malware delivery. In this campaign, an APT (Advanced Persistent Threat) payload is dropped onto the network once the attachment is opened.
- Classical phishing. The attackers depend on the apparent legitimacy of their emails to gather login credentials via a fake login page. Once these credentials are in the hands of the criminals, they gain further access to internal and sensitive company data.
The attacks that included links to a phishing website were designed to imitate an airline website or, in other cases, the expense or travel system used by the targeted company. This way the victim is lured into entering login credentials, thus expanding the attack surface. As a result, databases, email and file servers could be compromised.
What Could Organizations Do to Prevent Spear Phishing/APT Attacks?
Organizations should employ a multi-layered security plan to prevent such attacks. The first layer of protection is sandboxing, followed by APT prevention. There are also advanced phishing engines that offer link protection, which checks for websites with malicious code. Employee awareness and training shouldn’t be underestimated, either.
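As an added illustration (not code from Barracuda or from any product mentioned in this article), the sketch below shows how a mail-gateway rule could apply two of those layers to a message like the one quoted above: it queues attachments for sandboxing and flags links whose host is not the brand named in the subject. The allowlist, the `corp.example` and `example.net` hosts, and the sample message are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: brands the organization cares about -> domains accepted for each.
# expenses.example.com is a placeholder for an internal travel/expense system.
BRAND_DOMAINS = {
    "united airlines": {"united.com"},
    "expense report": {"expenses.example.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, allowed):
    """True only if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(raw):
    """Return attachments to detonate in a sandbox and off-brand link hosts."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    result = {"sandbox": [], "off_brand_links": []}
    body = ""
    for part in msg.walk():
        if part.get_filename():
            result["sandbox"].append(part.get_filename())
        elif part.get_content_maintype() == "text":
            body += part.get_content()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in subject:
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                if not under(host, allowed):
                    result["off_brand_links"].append(host)
    return result

def sample():
    """Constructed message using the subject line quoted in the article."""
    m = EmailMessage()
    m["From"] = "colleague@corp.example"
    m["To"] = "traveller@corp.example"
    m["Subject"] = "Fwd: United Airlines: Confirmation \u2013 Flight to Tokyo \u2013 $3,543.30"
    m.set_content("Itinerary: https://www.united.com/trips\n"
                  "Confirm: http://united.com.booking.example.net/login\n")
    m.add_attachment(b"%PDF-constructed", maintype="application",
                     subtype="pdf", filename="itinerary.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample()))
```

The suffix comparison in `under` is the important detail: a host that merely contains the brand's domain as a prefix or substring is still reported, while genuine subdomains pass.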