As many as 400 organisations across various industries, including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining, and logistics, are being targeted by a phishing campaign that involves the use of deceptive e-mails to lure employees into sending money to hackers' accounts.
A report from Kaspersky Lab has revealed how hackers are leveraging new techniques to disguise fraudulent e-mails as commercial offers and financial documents to make employees at cash-rich organisations click on such e-mails and to download malicious attachments.
"The main distinguishing feature of these attacks is the high level of preparation, in that the scam artists address an employee by first and last name, they know the position the person occupies and the company’s area of focus, and all the information on the source of the offer looks legitimate," the security firm noted.
Fraudsters spending more time to understand victims first
What this means is that instead of using fancy hacking tools or ransomware, hackers are now spending a great deal of them familiarising themselves with the hierarchy of target organisations, get to know more about individual executives, understand the businesses such organisations are involved in, and then drafting fraudulent e-mails that appear as genuine as possible.
For instance, a phishing e-mail was sent to a company executive, informing him that his company had been shortlisted to participate in a bid, and that the executive had to download a legitimate software to view the tender details. While the software, named Seldon 1.7, was indeed legitimate, fraudsters also sneaked in a malware into the executive's device along with the software.
Similarly, fraudsters are also sending malicious PDFs via e-mail to organisations and mentioning details of real companies with real tax IDs in the body of e-mails to lure employees into downloading attachments. They are also using legitimate remote administration applications such as TeamViewer and Remote Manipulator System (RMS) to gain access to devices and to scan for information on current purchases, as well as financial and accounting software.
"Malefactors are in theory capable of more than just stealing company funds. They can obtain confidential information about the firm, its clients, and partners; spy on staff; record audio and video of whatever is going on around the infected computer; or use a compromised system for further attacks, including DDoS.
"This phishing campaign again demonstrates that even legitimate tools can be dangerous. Protection solutions are not equal in taking this fact into account. Even experienced employees can fall prey to the combination of a carefully thought out phishing attack with such software," Kaspersky Lab added.
Yet another instance of hackers using legitimate software as a cover to carry out phishing attacks took place last year when hackers breached one of DocuSign's servers, stole customer e-mail addresses, and then sent phishing e-mails to such customers, asking them to click on links containing malicious software.
After the phishing campaign began, DocuSign began advising customers not to open e-mails with subject lines like “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”.
Is there a solution to the phishing problem?
"No matter how much cybersecurity solutions advance, the human element remains the main vulnerability and often it’s simply because people are trying to be thorough and perform their work duties to the best of their abilities. This attack shows why phishing is such a major worry for cybersecurity professionals, and why that concern must reach up to the boardroom," says Robert Capps, vice president at NuData Security.
"Educating workers and consumers is, of course, crucial, but relying solely on education is not enough – bad actors have the technical skills, data access, and time to overcome and eventually circumvent superb defensive training.
"Part of the solution is to understand that every organisation needs to take a more serious, advanced, layered approach to authenticating their staff members and users rather than relying on decades-old password schemes. This need to evolve also applies to the online companies and institutions where the stolen credentials are later used to make a profit," he adds.
Last year, a report from KnowBe4, a provider of security awareness training and phishing simulation, revealed how hackers were gaining access to corporate networks by exploiting the last line of defence: humans.
The firm has listed out the top ten phishing email subject lines that hackers used to gain access to corporate networks. These subject lines not only bypassed existing corporate filters but also encouraged employees to open emails and click on malicious links which opened the doors to harmful malware capable of gaining access to and controlling corporate networks.
You can read the list of list of the top ten most-clicked phishing email subject lines compiled by KnowBe4 here.