OPSWAT Targeted with Advanced Spear Phishing Attack

Whether we like it or not, spear phishing attacks are on the rise and are becoming more sophisticated. Through social engineering, attackers manipulate people into handing over confidential information and opening malicious email attachments, helped by the wealth of personal data now available on the internet. It is easy to work out what kind of authority an individual employee holds from their job title and duties, which can be found on social media sites, a personal blog, or the company's own website. Anyone can be the victim of a targeted attack, but people in accounting or finance positions, who can approve payments, are increasingly common targets.

Verizon's 2015 Data Breach Investigations Report shows that phishing campaigns are still surprisingly effective. Verizon reports that 23% of recipients opened phishing messages and 11% clicked on the attachments. Put another way, a campaign of just 10 emails gives the attacker better than a 90% chance that at least one person falls for it. The report also shows that phishing produces results quickly: two of Verizon's security awareness partners sent roughly 150,000 test phishing emails to measure how many people would open them and click the links inside. Nearly 50% of the recipients who opened the email and clicked did so within the first hour, with the first clicks arriving about a minute after the send. The report illustrates how easily attackers can obtain credentials and PII through simple phishing, especially since it is hard to monitor the email activity of a large workforce.

Earlier this year, I got some firsthand experience dealing with a highly-targeted spear phishing attack. The storyline below follows the specific emails I received as well as my communication in response to the attack. I thought it would be beneficial to share my experience and offer advice for avoiding this type of attack so that others can know what to look for if they are ever placed in this type of situation.

Phishing Attack Details:

As the CFO of OPSWAT, I often receive wire transfer requests from various executives, including our CEO, that require my approval. Of course, just because I approve this type of request frequently, doesn't mean I ever get to let my guard down.

Back in January, I received what I thought was a routine email. It appeared to be from OPSWAT's CEO, Benny Czarny, requesting that I wire him money and asking when I would be able to complete the request. At first, I wasn't suspicious of the email as it matched the writing style of our CEO almost exactly. The only thing that seemed off to me was the signature. Benny doesn't usually sign his last name in his emails to me, but this detail was so minor that I didn't pay much attention to it.

Image 1

Since I was not yet suspicious that this might not be a legitimate email, I replied as I usually would, requesting Benny to send me the proper info to complete the wire transfer request.

Image 2

The attacker promptly replied with a transfer amount and asked how much time I would need to complete their request once I received the details. At this point, I was starting to doubt the authenticity of this email. I clicked to reveal the details of the sender's email address and found that the email didn't match Benny's; the email was actually from c_e_o_private1[at]outlook.com. In order to confirm my suspicions, I decided to pay a visit to Benny's office to get confirmation that he had not initiated the wire transfer request. Benny quickly confirmed that the request was not from him and I knew that we were dealing with a sophisticated spear phishing attack. Instead of deleting and ignoring the email, I decided to communicate with the sender to see if I could glean any further details by asking them to get me the complete payee info by 1pm that day.

Image 3

Image 4

Image 5

Image 6

*Some account details are not shown in the image above for privacy reasons

The sender replied with details for a specific bank account. I replied by asking for a note of reference for the wire transfer and for which department this transfer was for.

Image 7

The sender tried to avoid naming a specific department, as they were obviously not familiar with the specific titles of our departments, and tried to get me to reference the transaction directly to Benny.

Image 8

I replied asking them to specify which department they would like me to charge the transfer to, and then gave them two department numbers to choose from. Little did they know, the department numbers I had sent them were completely fake. My reasoning behind asking the sender for a specific department to charge the wire to was to assess how much detail they knew about our accounting department and bank wire system. Any additional data I could gather at this point would hopefully give investigators the information they needed to find and stop the hackers.

Image 9

Image 10

When the sender replied that the wire transfer was to be charged to one of the fake departments I had listed, I knew I had proof that this was a scam. I then decided to cease all communication and reported the attack to AppRiver, a SaaS provider we use for email security, to notify them of the attack and to make sure the proper steps were taken in safeguarding our company and employees from future threats. In addition to contacting AppRiver, I filed a report referencing the attack to the Internet Crime Complaint Center (IC3), which is a division of the FBI.

I found the whole experience to be very eye-opening, so I wanted to share a few recommendations that I think will help other companies identify this type of attack.

Tips on How to Stop a Spear Phishing Attack:

1. Practice Good Internal Communication

There is never a good replacement for in-person and open communication. If I hadn't gone to our CEO's office and asked him directly about the wire transfer, I would have spent even more time communicating with the attacker, and could have possibly revealed sensitive company information. If the person you need to reach is out of the office or works remotely, verify the request over a channel other than the email itself: a phone call to a number you already have, a messenger tool, or a video call. Replying to the email, or calling a number given in it, only puts you back in touch with the attacker.

2. Learn Personal Writing Styles

Once you have been in communication with someone over email for a substantial period of time, you will start to recognize their writing style. When you receive an email requesting money or other PII, look for things that seem uncharacteristic of the sender. Are they suddenly not using their email signature, signing with their last name when they usually don't, or are they using punctuation differently? Looking for changes in style can help you to identify spear phishing attacks sooner. After all, you probably know the sender better than the hacker does in this situation, which gives you the upper hand—as long as you are paying attention!

3. Have Proper Accounting Controls in Place

I can't stress enough the importance of internal accounting controls. If you are connected to the company's finances, chances are that you are higher on an attacker's target list. Segregation of duties is key; never give the power to fully approve a financial transaction to just one individual. For example, even if I had fallen for this scam and approved the wire transfer request, it would still have required additional verification by someone in our accounting department. Controls like this can save the day in the case of human error.

4. Cybersecurity Training for Employees

Accounting controls are extremely important, but the reality is that any department can be hit with a phishing attack. That's why it's important to invest time in creating an effective cybersecurity policy for your employees to reference, and in training them on it. Teaching employees about password management, how to recognize and report a suspicious email, how to deal with lost or stolen devices, and how to correctly apply patches and updates is critical to your company's protection.

5. Invest in Email Security Software

Investing in email security with anti-phishing technology can help you mitigate the risks associated with human error by acting as a checkpoint for all email flowing into or out of an organization. Organizations can also use multi-scanning (scanning for threats with multiple antivirus engines) as a second layer of defense behind their existing email security solution, to scan email attachments for malware and to perform document sanitization and file type verification. Document sanitization strips potentially dangerous embedded content, such as macros, scripts and embedded objects, from documents before they reach the recipient, while file type verification checks a file's actual content against its declared extension, guarding against spoofed files such as .exe files disguised as PDFs.
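As an added example, not code from the original post or from any OPSWAT product, the following Python script applies two of the gateway checks described above to a raw message: it flags a From header whose display name matches an executive while the address sits on an external domain (the trick used in the exchange above, where "Benny Czarny" arrived from c_e_o_private1@outlook.com), and it verifies each attachment's declared extension against the file's leading bytes so that an executable renamed to .pdf is caught. The executive list, the internal domain list and the recipient and internal sender addresses are assumptions for the example; the two messages it scans are constructed inline.

```python
"""Two mail-gateway checks: executive display-name impersonation and
attachment file-type verification. Example code, not OPSWAT's implementation."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed organisation data (not from the post): executive names an impersonator
# would borrow, and the mail domains that count as internal.
EXECUTIVES = {"benny czarny"}
INTERNAL_DOMAINS = {"opswat.com"}

# Leading bytes ("magic numbers") of common attachment types. Order matters when
# identifying content: .docx is a ZIP container, so the generic .zip entry is last.
MAGIC = [
    (".pdf", b"%PDF-"),
    (".exe", b"MZ"),
    (".png", b"\x89PNG\r\n\x1a\n"),
    (".docx", b"PK\x03\x04"),
    (".zip", b"PK\x03\x04"),
]


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def sender_findings(msg):
    """Flag an executive's name on an external address, and a Reply-To that
    silently redirects replies to a domain other than the From domain."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    if name.strip().lower() in EXECUTIVES and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"From display name '{name}' matches an executive but the "
                        f"address {addr} is external ({from_domain})")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} points to a different domain than From")
    return findings


def attachment_findings(msg):
    """Compare each attachment's declared extension with its actual leading bytes."""
    findings = []
    signatures = dict(MAGIC)
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(filename)[1].lower()
        expected = signatures.get(ext)
        if expected is None:
            continue  # no signature known for this extension; a real gateway would quarantine
        data = part.get_payload(decode=True) or b""
        if not data.startswith(expected):
            actual = next((e for e, m in MAGIC if data.startswith(m)), "an unknown type")
            findings.append(f"{filename}: declared {ext} but content is {actual}")
    return findings


def scan(raw):
    """Parse a raw RFC 5322 message (bytes) and return every finding."""
    msg = message_from_bytes(raw, policy=policy.default)
    return sender_findings(msg) + attachment_findings(msg)


def build_phish():
    """Constructed sample modelled on the post's exchange: the CEO's name on a
    free-mail address, plus a Windows executable renamed to look like a PDF."""
    msg = EmailMessage()
    msg["From"] = "Benny Czarny <c_e_o_private1@outlook.com>"
    msg["To"] = "cfo@opswat.com"  # assumed recipient address
    msg["Subject"] = "Wire transfer"
    msg.set_content("Please process the attached wire request today.\nBenny Czarny")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


def build_legitimate():
    """Constructed clean sample: internal sender (placeholder address), real PDF header."""
    msg = EmailMessage()
    msg["From"] = "Benny Czarny <ceo@opswat.com>"  # placeholder internal address
    msg["To"] = "cfo@opswat.com"
    msg["Subject"] = "Q1 report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_phish()), ("legitimate", build_legitimate())):
        print(label, scan(raw) or ["no findings"])
```

The display-name check catches the free-mail impersonation used here, but not a sender who spoofs the internal domain itself; SPF, DKIM and DMARC enforcement on inbound mail is the complementary control for that case. Checking magic bytes rather than trusting the extension or the Content-Type header is what makes the attachment check hold up against renamed executables.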


With the above tips at your disposal, you should be able to greatly decrease the likelihood of being tricked by spear phishing attacks. If a threat gets through despite these measures, trust your instincts when deciding whether an email is genuine: if something doesn't feel right, there is a good chance the email is fraudulent, and a quick out-of-band check costs far less than a wire transfer you cannot recall.

Part II: Targeted Spear Phishing Attacks Continue: CEO Scam Update