Europol’s EC3: Spear phishing remains the principal attack vector for cybercrime
Spear phishing is a real threat. It remains the principal attack vector for cybercrime and can cause significant harm to an organisation as a result. It has been unveiled by Europol’s EC3 report on the phenomenon. According to the cyber security experts, since spear phishing is such a commonly used vehicle for the perpetration of subsequent attacks, it is a threat that affects all industries. Additionally, sophisticated campaigns are often perpetrated by organised criminal groups, which are aiming to exploit this technique to generate large illicit profits. The success of these attacks rely heavily on the criminal’s ability to effectively deceive the target. So they use social engineering to convince the target to trust the sender of the email as well as its contents. And the information required to identify the right targets, as well as to create convincing spear phishing emails, is in most cases easily found online.
The BEC or CEO fraud
According to Europol, once cybercrime identified the targets, spear phishing emails can be sent out. Generally, an organisation can be breached in two ways: from the outside (i.e., phishing email sent from an external email address) or from the inside (phishing email sent from an email address belonging to the organisation). The latter is often used for fraud and referred to as Business Email Compromise (BEC or CEO fraud). BEC is often aimed at convincing employees to transfer large sums of money to the criminal’s bank account, making use of the fact that an email coming from a trusted address. It has also been used to passively monitor an organisation’s activity for the purposes of intelligence gathering. In most cases, fraudsters gain access to email accounts of an organisation’s employee, mainly as a result of obtaining leaked credentials on the usual dark web market places and similar communities.
The cyber security experts: Spear phishing attacks may also make use of more technical means to gain access to an organisation
Spear phishing attacks may also make use of more technical means to gain access to an organisation. In general, we can distinguish two different technical MOs: files with attachment (which, once opened, infect the target) or files without attachment (containing links or requests to browse to a website). Regarding the BEC, the attack relies heavily on its ability to successfully deceive the target. The attacker aims to generate trust by reproducing familiar and trusted content. As such, the email may be formatted in a way to appear as though it was sent from a trusted bank, insurance or other third party, usually with a request to follow a link to a website. These links may appear legitimate and entice the target to click on them since they might be subdomains of legitimate websites (subdomain attack), look similar (homograph attack or misspelled URL), be shortened (with the help of services such as tiny URL or bitly) or hidden in an image (such as company logo or a login button).
The malicious campaigns work exploiting a replica of a trusted website (phishing site) with legitimate branding or through email with a weaponized attachment
Once the target has clicked on the fraudulent link, a replica of a trusted website (phishing site) with legitimate branding usually appears with a prompt to enter login credentials or other sensitive information (including security questions, ID documentation and credit card details). In addition to appearing trustworthy by spoofing the look and functionality of legitimate websites, the use of Secure Sockets Layer (SSL) by phishing sites, encrypting traffic between a user’s browser and the site, further deceives the target into believing a website to be legitimate. Finally, an attacker may aim to get the target to download and open a malicious file in order to gain access to the system in question. The attached file may be disguised as an invoice or other business-related document, or even target an employee’s specific personal interests. The malicious attachment, once opened, will then execute a script to infiltrate the target’s system.
Spear phishing sometimes include also ransomware attacks
Depending on the goal of the attacker, the attacker may choose to encrypt the target’s files and demand a ransom payment (ransomware), escalate access rights and take remote control over the target’s system (Remote Access Trojan), steal relevant credentials (key loggers), or monitor the network and gather as well as extract files. While the execution of each of the two categories of attack differs slightly, they are often linked and one may be used to facilitate the other.