While attackers often run mass, undifferentiated phishing campaigns to trick email recipients into divulging personal information or clicking links that download malware, some have become considerably more sophisticated.
They have taken phishing to a more threatening level with spear phishing, the technique behind most business email compromise (BEC) attacks. Spear phishing differs from ordinary phishing in that the messages are highly customized: they target specific recipients and reference people and projects the recipient actually knows. Attackers glean this information easily from social media profiles, including LinkedIn and Facebook.
In a spear-phishing attack, a recipient gets an email that appears to come from a colleague, Joe. The company has a bring-your-own-device policy, so employees use personal mobile devices and often inadvertently send work email from personal accounts. In this case, the attacker knows from LinkedIn that Joe's personal email address is firstname.lastname@example.org and registers a near-identical Gmail account, email@example.com. The recipient doesn't notice the difference, and the stage is set for the attack.
The email mentions a project the two are working on together and asks the recipient to review the attached document. Opening the document executes the malware, but the recipient notices nothing, because the attacker has no incentive to disrupt the device. The malware sits quietly in the background: the longer the recipient keeps working, the longer it logs his keystrokes and the more "Joe" learns about the company.
Spear phishing was the delivery mechanism for the powerful Carbanak malware, which criminal gangs used to steal more than $300 million from banks in Russia, Japan, Switzerland, the Netherlands and the United States in 2013 and 2014. But installing the malware is not enough, nor even the primary goal, for most spear-phishing attacks. Financial institutions are complicated environments, with numerous systems, levels of access and internal controls. It takes long-term, sustained and in-depth espionage to figure out exactly how to steal money from one.
According to The New York Times, the gangs using the Carbanak malware had to learn enough about the banks' internal operations and staff to impersonate the employees who authorized payments and managed ATMs. They had to steal administrative passwords and establish enough root presence on systems to operate bank applications remotely. This likely took a sequence of spear-phishing attacks, each gathering more credentials and more detailed inside knowledge of the bank.
In this way, the initial attack from "Joe" might let the attacker figure out who runs the funds transfer desk. After spear-phishing that individual, the attacker can learn not only the bank's SWIFT passwords but also the unique workflow the bank uses to process transfers. The attackers capture screenshots of the SWIFT terminals and learn exactly how that specific bank moves money: who approves what, and so on.
To avoid detection, the amount stolen at any one time in the Carbanak hacks was often quite small. For example, a gang might add $8,000 to someone's account and then quickly arrange for it to be cashed out at ATMs they controlled. By the time anyone noticed, it was too late.
Of course, small losses can add up, but it’s often not just about the money. Cash losses could be the least of a major financial institution’s problems, because a breach of this kind becoming public could also result in reputation damage, loss of customers, civil liabilities, SEC investigations and penalties under the Gramm-Leach-Bliley Act.
This is a frightening prospect, but there are ways to keep spear phishing from succeeding against other financial institutions and payment services organizations. Unfortunately, it will take more than reputation- or fingerprint-based email security. Those tools won't catch a spear-phishing email, because it is not a known, mass attack sent from a bad IP address. It is a one-off, highly personalized and well-crafted message whose attachment or link, if it has one, has never been seen before and so matches no signature or blocklist. The trick is to use predictive email defense that establishes the normal pattern of whom your employees communicate with, and from which addresses, so that even the subtlest anomaly, such as a familiar name arriving from an unfamiliar address, can be detected and surfaced to the user.