How to Spot a New Type of Spear Phishing Attack
In the ever-changing world of online threats, a new type of spear phishing attack has emerged.
Have you ever gotten an email in your office asking you to receive money on behalf of someone in distress? These emails are easy to spot as pure SPAM and/or Phishing attempts. Even if you didn’t recognize this as SPAM, you would remember what your mother told you as a kid: “If it seems too good to be true, then it probably is.” Take a look:
From: Hanan Jassim [mailto:email@example.com]
Sent: Wednesday, August 28, 2013 8:20 AM
To: Hanan Jassim
Subject: Dearest One,
Am Mohammed Jassim, with my sister Hanan, we are contacting you from Ivory Coast, but our country of origin is Libya. am 19 of age, my brother Mohammed is 16 years old. How are you and your family please don’t be offended for intruding into your affairs, we know that you maybe very surprise of receiving our mail since we have not meet for the first time but we ask you to open your heart and accept us, Our late father Mr. Jassim Ahmed, deposited the sum of ($7.4 M) in a fax deposit at in Ivory Coast. where he was doing his cocoa business with the government of Ivory Coast,Dorian the time of Mr.Laurent Gbagbo the formal prensident of Ivory Coast,my father planned to invest the money out side our country before the war started in our country, before my father died in the hospital he called I, and my sister informing us about this money he deposited in Ivory Coast for investment purpose. Please we want you to help us receive the money in your account there in your country for invesment there in your country, we shall need your help to invest this money in a good venture because this money is only hope we have in life, we can’t go back to our country LIBYA because of the political crisis which take the life of our Mother. Reply for more Details you mighty need from us and for your commision aswell.
Thanks. Mohammed Jassim and my sister Hanan
As easy as that example might be to spot, well-planned and targeted Spear Phishing attacks are not quite as easy to spot and can prove to be costly. The example below is real; names and email domains have been changed to protect anonymity. See if you can spot the differences and how this attempt was made.
From: Jones, Sally [mailto:sjones@companyACBD.com]
Sent: Monday, March 31, 2014 12:07 PM
To: Becky Peters
Subject: Fwd: Wiring Instructions
Process a wire of $124,307.81 to the attached account information. Code it to Professional Services. Send me the confirmation when completed.
———— Forwarded message ————
From: Smith, John
Date: Mar 31, 2014
Subject: Wiring Instructions
Per our conversation, attached is the wiring instructions for the wire. I’ll send the necessary support later. Let me know when done.
With a minimal amount of social engineering, a perpetrator could likely find the name of your company’s CEO, CFO, Controller, Accounts Payable and/or Human Resources Director. In this real-life instance, John is the CEO, Sally is the CFO and Becky is the Controller. Becky has received an email that appears to be forwarded from her direct supervisor, the CFO, at the request of the CEO. Not shown in this blog was the attachment with wiring instructions for the funds, which was also falsified to look like a Vendor Partner of the targeted company. What makes this attack more sophisticated than the first is that the perpetrator took the time to do the following:
- Investigate a potential chain of command at the target company that could actually result in money being wired out with few or no questions asked.
- Research related companies to which money would plausibly or likely be wired.
- Lastly, and the most sophisticated part of this scheme, register a domain name with one letter transposed relative to the real company domain.
So the first email (lowest in the string) is completely fake. The second email is an actual email received in her corporate inbox by the Controller, Becky. In actuality, the email was not a forwarded email to Becky. Rather, it was a new message (sent from a very similar email domain) meant to look like it was forwarded from her boss, Sally the CFO.
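The near-miss sender domain described above can be checked mechanically. The following is an added example, not part of the original post: it flags a From: line whose domain is within a couple of edits of a trusted domain, counting a swap of two adjacent letters as a single edit. The trusted domain `companyabcd.com` and the function names are assumptions made for illustration.

```python
import re

# Assumption: the real domain is not given on the page; this one is constructed.
TRUSTED_DOMAINS = {"companyabcd.com"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent characters costs one edit
    (optimal string alignment), so a transposed pair is a distance of 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Domain of the last address in a From: line. Taking the last match
    ignores an address typed into the display name to mislead the reader."""
    matches = re.findall(r"@([A-Za-z0-9.-]+)", from_header)
    return matches[-1].lower().rstrip(".") if matches else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' (near miss of a trusted domain) or 'external'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    if domain and any(osa_distance(domain, t) <= max_edits for t in trusted):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # First line is the From: line shown on the page; the rest are constructed.
    for header in ("Jones, Sally [mailto:sjones@companyACBD.com]",
                   "Jones, Sally <sjones@companyabcd.com>",
                   '"sjones@companyabcd.com" <sjones@companyacbd.com>',
                   "Accounts <billing@unrelated-vendor.example>"):
        print(f"{classify_sender(header):10} {header}")
```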
I hope the above examples can give you and your business some ideas on how to spot potential attacks like this.