Any information security professional knows that spear-phishing is effective. Cloudmark calls it “The Secret Weapon Behind the Worst Cyber Attacks”, and lists 10 recent major breaches, from Target to OPM, that started with a successful spear-phish.
Recent months have seen a rise in a spear-phish derivative, which we could describe as the CEO fraud phish. Like spear-phishing it uses social engineering to trick CEOs or other senior executives into doing something they should not.
Two examples of CEO fraud are the recent W-2 spear-phishing scams and what the FBI calls the Business E-Mail Scam (BEC). For the former, Cloudmark’s Tom Landesman has compiled a list of 55 companies that were taken in by the W-2 attacks, and comments, “It’s likely that even more have been compromised, but have not come forward.”
The W-2 attack forges an email from the CEO to HR or Finance saying, for example, “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.” When the recipient responds with the ‘Reply’ option, the reply (and its attachments) goes to the address the attacker placed in the forged message rather than to the CEO.
By its nature, this attack is concentrated in the months preceding the country’s tax season. It has tailed off in the US, but will be back next year.
The BEC fraud uses a similarly forged email, apparently from the CEO or other senior executive, but this time instructing that money be transferred abroad.
One recently publicized example involves a Mattel finance officer sending over $3 million to the Bank of Wenzhou, in China. In January the BBC warned that the “fraude au président” is widespread across France.
In an alert issued this month, the FBI quantified the success of this scam: more than 17,000 victims and $2.3 billion lost between October 2003 and February 2016. There has been a 270% increase in the last year alone.
The FBI advises that people instructed to send money out of the company should “Pick up the phone and verify legitimate business partners;” that is, insist on some form of out-of-band verification.
Nevertheless, CEO frauds are even more successful than spear-phishing. There are probably two major reasons: firstly, few companies deliver security awareness training (such as simulated phishing attacks) against their own C-suite; and secondly, many senior executives still don’t believe that security is their personal concern.
The problem for companies is that it is difficult to automate the detection of spear-phishing based on social engineering. Standard phishing can be handled by a combination of IP reputation lists such as that from Spamhaus, and bad domain lists such as that from SURBL – but reputation lists are less effective against individually crafted, well-written targeted attacks.
Nevertheless, algorithms are being developed that will scan emails and make a judgment on whether each is likely to be spear-phishing. Mounil Patel, Vice President, Strategic Field Engagement at Mimecast, describes Impersonation Protect: it “is designed to stop whaling attacks by identifying combinations of key indicators of attack (IOA) in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment. It uses new algorithms to measure and compare a range of identifiers, such as specific keywords within the email, to provide a probability score that a target email is either safe or malicious.”
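To make the two preceding paragraphs concrete, here is an added example (not Mimecast’s algorithm, nor any vendor’s code) of the kind of indicator-based scoring a mail gateway can apply to a message that carries no URL or attachment and so slips past reputation lists. It assumes a hypothetical company domain `example.com`, a hypothetical list of executives whose names an impersonator would borrow, and illustrative indicator weights and thresholds; the three sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed configuration (hypothetical): the organisation's own domain and the
# executives whose display names a CEO-fraud message would most likely borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "John Smith": "john.smith@example.com",
}

# Indicators of attack and illustrative weights (not tuned on real traffic).
INDICATORS = {
    "display_name_spoof": 5,   # executive's name, but not the executive's address
    "reply_to_mismatch": 4,    # a reply would go to a different domain than the From
    "lookalike_domain": 3,     # e.g. examp1e.com standing in for example.com
    "sensitive_request": 3,    # W-2, payroll, wire transfer, bank details ...
    "free_webmail_sender": 2,  # "CEO" writing from a public webmail provider
    "urgency_language": 1,     # pressure words typical of these lures
}

SENSITIVE = re.compile(
    r"\b(w-?2|wire transfer|payroll|earnings summary|bank account|transfer funds)\b", re.I)
URGENCY = re.compile(
    r"\b(kindly|urgent|asap|immediately|quick review|as soon as possible)\b", re.I)
WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """Crude lookalike test: the first label equals the company label once
    common digit-for-letter substitutions are undone, or embeds it with a hyphen."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    base = COMPANY_DOMAIN.split(".", 1)[0]
    label = domain.split(".", 1)[0]
    normalised = label.translate(str.maketrans("1035", "loes"))
    return (normalised == base
            or normalised.startswith(base + "-")
            or normalised.endswith("-" + base))


def score_message(raw):
    """Return (score, verdict, indicators hit) for an RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    hits = []

    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        hits.append("display_name_spoof")
    if reply_addr and domain_of(reply_addr) != from_dom:
        hits.append("reply_to_mismatch")
    if is_lookalike(from_dom) or is_lookalike(domain_of(reply_addr)):
        hits.append("lookalike_domain")
    if from_dom in WEBMAIL:
        hits.append("free_webmail_sender")

    # Keyword indicators are taken from subject plus plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if SENSITIVE.search(text):
        hits.append("sensitive_request")
    if URGENCY.search(text):
        hits.append("urgency_language")

    score = sum(INDICATORS[h] for h in hits)
    verdict = "malicious" if score >= 8 else "suspicious" if score >= 4 else "safe"
    return score, verdict, hits


# Constructed sample messages for the example (no real addresses or people).
SAMPLE_W2 = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@gmail.com
To: hr@example.com
Subject: Quick review

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""

SAMPLE_BEC = """\
From: John Smith <ceo.office@outlook.com>
To: finance@example.com
Subject: Urgent wire transfer

Please arrange a wire transfer to the supplier's new bank account today.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Board dinner

Could you book the usual room for the board dinner next Thursday? Thanks.
"""

if __name__ == "__main__":
    for name, sample in (("W-2 lure", SAMPLE_W2), ("BEC lure", SAMPLE_BEC), ("legitimate", SAMPLE_LEGIT)):
        print(name, score_message(sample))
```

None of the header checks need a URL, an attachment or a reputation hit: the W-2 lure scores on the executive’s display name paired with a lookalike sending domain and a webmail Reply-To, plus the W-2 keywords; the legitimate note from the real executive address scores zero. A production filter would combine such indicators with authentication results (SPF, DKIM, DMARC) and would calibrate weights on its own traffic, but the shape of the judgment is the same.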