Researchers at Symantec have reported a wave of attacks that take an interesting approach to social engineering – a telephone call.
According to Symantec, the victim receives a phone call from an attacker impersonating an employee or business associate of the organization. The caller speaks French and asks the victim to process an invoice that they will shortly receive by email.
“The email typically contains a malicious link or an attachment, which is actually a variant of W32.Shadesrat, a Remote Access Trojan (RAT),” blogged Symantec’s Security Response Team. “There is evidence to suggest that these attacks began as early as February 2013, however, it was only more recently in April that phone calls were being placed prior to sending the victim the phishing email.”
The attacks are currently targeting only French organizations, but have also included subsidiaries that operate outside of France, the firm found.
Just recently, the Internet Crime Complaint Center (IC3) issued an advisory about phishing attacks targeting consumers that begin with a phone call directing the person to log on to a phishing site. The automated calls claim to be from the victim’s telecommunication carrier. Once on the site, the user is offered what appears to be a billing credit, discount or prize ranging from $300 to $500.
“The phishing site is a replica of one of the telecommunication carrier’s sites and requests the victims’ log-in credentials and the last four digits of their Social Security numbers,” according to the IC3, which is a partnership between the FBI and the National White Collar Crime Center. “Once victims enter their information, they are redirected to the telecommunication carrier’s actual website. The subject then makes changes to the customer’s account.”
In the case of the attacks reported by Symantec, the victims tend to be accountants or employees working within the financial department of the targeted organizations. This may not be too much of a surprise for some. According to Symantec’s latest Internet Security Threat Report, the percentage of targeted attacks focused on chief executive or board level employees fell from 25 percent in 2011 to 17 percent in 2012. The most targeted role belonged to employees in the research and development area, who were hit with 27 percent of attacks as opposed to just nine percent in 2011. The next most targeted group was the sales department, which saw 24 percent of attacks in 2012 compared to 12 percent in 2011.
Since the handling of invoices is something such employees would do on a regular basis, the lure is potentially “quite convincing,” Symantec said.
“It appears that the attacker’s motivation here is purely financial,” according to Symantec. “Targeting employees who work with company finances likely provides access to sensitive company account information. These employees may also have the authority to facilitate transactions on behalf of the organization; a valuable target if the attacker gains access to secure certificates that are required for online transactions or confidential bank account information.”
These attacks are continuing to this day and organizations should be aware of these increasingly sophisticated social-engineering attacks, Symantec added.
“The attacker may have limited information, so asking additional questions on a call may help to determine the legitimacy of the request,” the team warned. “Organizations also need to be aware that personally identifiable employee information that exists outside of your enterprise, even in the form of an invoice, can be used against you if a business associate becomes compromised.”