Targeted Phishing: How to Avoid the Hook
Mass-distributed phishing, one of the most common cyber scams on the planet, is the sending of legitimate-looking emails that trick people into divulging personal information or opening malware-laden attachments. Run-of-the-mill phishing works on sheer volume: criminals send huge numbers of emails impersonating big brands that most people will recognize, banking on at least a small percentage of recipients actually being customers of that brand, and on some of those customers being fooled into clicking a fraudulent link or handing their account details to the threat actor.
Sometimes referred to as the ‘spray-and-pray’ approach, these mass-mailed campaigns pay off for cybercriminals even if only a tiny fraction of the messages land. More than 3.4 billion fake emails are sent worldwide each day, a large share of them from indiscriminate mass phishing campaigns. If even half a percentage point of those hit their mark, that is roughly 17 million phishing victims a day.
Studies indicate that business users are far more susceptible than that half-percent figure suggests, with the latest numbers putting the average at 37.9% of users falling for phishing tactics.
Why Cybercriminals Prefer Targeted Phishing
Phishing criminals see themselves as businesspeople, even if the business is illegal. They are always looking for ways to maximize profit, and with phishing they know the way to do that is to tailor the lure so that it resonates with the intended recipient.
For example, if a fake email is meant to trick an Office 365 user into entering credentials on a fake Microsoft login page, profit-minded criminals know their success rate will be higher if they send it only to people who actually use Office 365.
Attackers are increasingly narrowing their scope to ever more precise targets, hoping for bigger profits from a smaller number of victims. Targeted phishing attacks either limit their prey to particular groups of people or, in the case of spearphishing, go after specific individuals.
Not only do targeted attacks make it easier to tailor a lure so that it looks authentic and convincing, they also let attackers home in on higher-value targets. With spearphishing, attackers can focus on compromising specific business-critical machines or gaining access to higher-value business accounts that promise a larger payday at the end of the attack.
One subclass of spearphishing has hit businesses especially hard in recent years. Called business email compromise (BEC), it is a more involved fraud than simple credential harvesting: the goal is to trick someone in charge of a financial process into changing payment details in the attacker’s favor, or into wiring the criminal large sums of money under false pretexts. For example, a BEC spearphisher may pose as a supplier who needs to update their banking details, in a well-targeted email sent to a company’s controller.
Targeted attacks like these take considerably more reconnaissance, more sophisticated social engineering in the impersonation, and more technical agility from the attacker. But that added work can net the bad guys hundreds of thousands to millions of dollars in a single stroke. According to the FBI, BEC alone cost organizations $1.78 billion in 2019.
Case Study: How Targeted Phishing Works
Targeted phishing is particularly favored by sophisticated hacking groups that have the resources and technical wherewithal to carry out more complicated attacks. One such group that BlackBerry has been tracking has built a years-long track record of targeted phishing success on very advanced techniques and infrastructure.
Dubbed BAHAMUT, the group’s history and tradecraft were recently detailed in a comprehensive threat report by the BlackBerry® Research & Intelligence Team. Read as a case study in phishing (one of many nefarious techniques the group uses), BAHAMUT’s activity shows how the groundwork for targeted phishing is typically laid:
Deliberate Reconnaissance Work: Through analysis of the threat actor’s phishing behavior, BlackBerry observed that BAHAMUT generally possessed a great deal of detailed information about its targets before phishing them, clearly the result of a concerted and robust reconnaissance operation carried out ahead of the phish.
In one example, when BAHAMUT was targeting Middle Eastern government officials and journalists, the group already knew the targets’ personal email addresses, and usually avoided phishing attempts directed against their corporate or government email accounts.
Convincing Fake Sites: Much of BAHAMUT’s early information gathering relied on a range of painstakingly crafted fake websites. These include fake login pages, but also fake news sites and fake social profiles, used to fashion “a convincing veneer of legitimacy,” serve up malware, and provide back-end infrastructure for phishing campaigns.
For instance, BlackBerry observed that BAHAMUT-controlled fake social media profiles were used to build credibility with journalists and to engage with targets, directing them to assets that share the same network fingerprint. BlackBerry also identified nearly a dozen “empty” websites that borrowed most of their code from elsewhere on the Internet and did not appear to be in use at the time of discovery.
Robust and Dynamic Infrastructure: While monitoring BAHAMUT’s operations over the past year, BlackBerry watched new phishing infrastructure spring up weekly. As other researchers had previously observed, many of these highly targeted spearphishing operations lasted anywhere from a few hours to a few months, depending on the domain and its success rate. BlackBerry’s researchers wrote that “this embrace of ever-fleeting infrastructure makes real-time detection all but impossible.”
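Because the domains in campaigns like this live for hours to months, blocklists of known-bad infrastructure lag behind them. One check that does not depend on having seen a domain before is testing whether the hosts in a message’s links imitate a brand the organization cares about. The script below is an added example written for this article; it is not BlackBerry’s tooling and is not taken from the BAHAMUT report. The protected brand list and the sample lure are constructed, and the registrable-domain logic is a deliberately naive last-two-labels split (a Public Suffix List lookup belongs there in production code).

```python
"""Lookalike-domain check for URLs in a suspected phishing message.

Added example, not BlackBerry's tooling. Brand list and sample message are
constructed for illustration. registrable_domain() is deliberately naive
(last two labels); real code should use the Public Suffix List.
"""
import re
from urllib.parse import urlparse

# Constructed: the brands whose impersonation we want to catch.
PROTECTED_DOMAINS = ("microsoft.com", "office.com", "paypal.com")

# Digit-for-letter swaps commonly seen in lookalike hostnames.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def normalize(text: str) -> str:
    """Fold common visual tricks so 'rnicr0soft' compares equal to 'microsoft'."""
    text = text.lower().translate(_HOMOGLYPHS)
    return text.replace("rn", "m").replace("vv", "w")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels. Wrong for ccTLDs such as co.uk (see docstring)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, matched brand or registrable domain) for one hostname."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "legitimate", reg
    norm_host = normalize(host)
    norm_sld = normalize(reg.split(".")[0])
    for brand in PROTECTED_DOMAINS:
        brand_sld = brand.split(".")[0]
        # Brand name anywhere in a hostname we do not own:
        # microsoft.com.evil.net, rnicrosoft.com, micros0ft-login.com
        if brand_sld in norm_host:
            return "lookalike", brand
        # One edit (typo or swapped letters) away from the brand: mircosoft.com
        if osa_distance(norm_sld, brand_sld) <= 1:
            return "lookalike", brand
    return "unrelated", reg


def scan_message(body: str) -> list[tuple[str, str, str]]:
    """Extract URLs from a message body and classify each host."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict, match = classify_host(host)
        results.append((url, verdict, match))
    return results


# Constructed sample lure, not a real message.
SAMPLE_BODY = """Your Office 365 password expires today.
Sign in at https://login.microsoft.com.account-verify.net/owa to keep access.
Questions? See https://www.microsoft.com/support or https://mircosoft.com/help
Unsubscribe: https://newsletter.example.org/opt-out
"""

if __name__ == "__main__":
    for url, verdict, match in scan_message(SAMPLE_BODY):
        print(f"{verdict:10} {match:15} {url}")
```

Run as a script, it prints one verdict per URL in the constructed sample. The containment rule catches the brand name anywhere in a hostname the organization does not own, including a convincing subdomain prefix on an attacker-controlled domain, and the one-edit rule catches typos and swapped letters. Both are heuristics: a brand name inside a legitimate partner’s domain is a false positive, so pair the check with an allowlist, and remember that fake news and social sites of the kind BAHAMUT built never mention the brand at all and will pass it.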
Preventing Targeted Phishing Attacks
As attackers like the BAHAMUT threat group become ever more sophisticated, it becomes increasingly difficult for everyday users to spot targeted phishing messages and spearphishing attempts. This means phishing defense must be a partnership, with action at both the employee and the employer level.
Tips for Employees
Employees can still do their part with the security fundamentals: making sure all of their devices run security software, and enabling automatic updates so that phishing attackers cannot exploit known, fixable vulnerabilities.
In addition, protecting accounts with multi-factor authentication (MFA) goes a long way toward preventing account takeover when a password is stolen. Not all MFA is equal, though: one-time codes delivered by SMS or generated by an app can be relayed by a phishing page that proxies the real login in real time, so phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the legitimate site’s origin, offer much stronger protection.
Tips for Employers
Meanwhile, employers can bolster users’ phishing awareness with regular training that includes phishing simulations, giving users a feel for the lures attackers are commonly using. Employers should also equip users with a full slate of endpoint security controls on both corporate and employee-owned devices.
Finally, organizations can help protect their brands from phishing impersonation by deploying DMARC, which lets receiving mail servers reject or quarantine messages that claim to come from the organization’s domain but fail SPF or DKIM alignment. DMARC only has teeth once the policy is moved from monitoring (p=none) to enforcement (p=quarantine or p=reject), and it only covers the exact domains the organization publishes it for: lookalike domains registered by the attacker are unaffected and must be caught by other controls.