Real-World Spear Phishing, Initiating the Attack and Email Spoofing
By Asaf Cidon, Barracuda Networks
Countless individuals and organizations have unwittingly wired money, sent W2s, and emailed credentials to cyber criminals who were impersonating their boss, colleague, or a trusted customer. Spear phishing attacks can have devastating results for individuals, businesses, and brands, and unfortunately, they work because they are so simple and believable. A successful attack doesn’t require advanced hacking techniques, but rather gathering information about you that’s already posted online and spending five minutes to write a well-crafted email. The attackers can pick up information about their targets from a variety of sources, whether it’s posted on LinkedIn, Facebook, or the company blog.
Spear phishing is something we’ve become very familiar with at Barracuda, as we have over a decade-long history of studying email-borne threats and the overall cyber threat landscape. Over the last year, we have spent a lot of time researching and analyzing highly-personalized spear phishing attacks.
This led us to build Barracuda Sentinel — the first comprehensive AI solution for real-time spear phishing and cyber fraud defense. In this month’s Threat Spotlight, we take a look at two recent spear phishing attacks that were caught by Barracuda Sentinel, and demonstrate how simple these attacks are to orchestrate.
Real-world spear phishing — examples of CEO fraud and spoofing to gain financial information.
*The two examples below are of real spear phishing attempts; however, they each contain sensitive information so we have changed the names of the people involved and their email addresses to honor their privacy.
In this first message, an email is sent by an attacker who is pretending to be the CEO of the company where the recipient is employed. This is a common tactic used by cyber criminals to appear authoritative in order to provoke a response. If you take a look at the actual message, it’s just a benign note to get the conversation started. The idea here is that the attacker is trying to build just enough trust so that the victim lets down their guard, and ultimately does what the attacker asks.
When we look closely at the sender’s email address, it’s not the address that would typically be used by the CEO. Secondly, the message itself contains language that requests a favor or action — both red flags, and two signals that led Barracuda Sentinel to catch this particular spear phishing attempt.
This spear phishing attempt was stopped by our AI engine because the message used a different reply-to address, communicated an urgent request, and asked about the recipient’s availability to respond to a special request. It could also be prevented by enforcing DMARC, which prevents attackers from spoofing your domain (more on DMARC below in the “take action” section).
- Spear phishing: In both examples, the attacker sends an email in an attempt to bait the recipient into engaging in dialog, and believing that the attacker is one of their colleagues.
- Impersonation: The attacker is pretending to be the CEO of the company.
- Spoofing: In the second example, we see that the sender’s email address is spoofing the company’s domain.
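The red flags described above (an executive's name on an unusual address, a different reply-to address, a spoofed company domain, urgent wording) can be checked as simple header heuristics. The following is an added example, not Barracuda Sentinel's code; the function name, flag names, phrase list and sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical phrase list for illustration; not taken from any product.
URGENCY_TERMS = ("urgent", "asap", "are you available", "quick favor", "right away")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spear_phish_signals(raw, org_domain, executives):
    """Return red flags for one raw message.

    executives maps a lowercase display name to that person's real address.
    """
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = []
    # Impersonation: a known executive's name on an address that is not theirs.
    real = executives.get(name.strip().lower())
    if real and from_addr.lower() != real.lower():
        flags.append("display-name-impersonation")
    # Replies silently diverted to another domain than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        flags.append("reply-to-mismatch")
    # Spoofing: From claims our own domain but no DMARC pass was recorded.
    # Assumes Authentication-Results was stamped by our own gateway (RFC 8601)
    # and that copies of this header arriving from outside are stripped.
    auth = msg.get("Authentication-Results", "").lower()
    if domain(from_addr) == org_domain and "dmarc=pass" not in auth:
        flags.append("own-domain-without-dmarc-pass")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgent-request-language")
    return flags

# Constructed sample messages (names, domains and wording are invented).
EXECS = {"jane doe": "jane.doe@example.com"}
SPOOFED = ('From: "Jane Doe" <jane.doe@example.com>\n'
           "Reply-To: <jane.doe@mail.example.net>\n"
           "Authentication-Results: mx.example.com; dmarc=fail\n"
           "Subject: Quick request\n\nAre you available? I need an urgent favor.\n")
LOOKALIKE = ('From: "Jane Doe" <ceo.jane@example.org>\n'
             "Subject: Hello\n\nAre you at your desk?\n")

if __name__ == "__main__":
    for raw in (SPOOFED, LOOKALIKE):
        print(spear_phish_signals(raw, "example.com", EXECS))
```

A benign opener such as the second sample trips only the display-name check, which is why the sender address carries more weight than the wording.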
It’s a numbers game. Not every attempted attack will be a criminal success, but the more attempts that are made, the better chances the attackers have of running off with your money. It takes one successful attack to cause significant financial and reputational harm.
Spear phishing attacks are the most significant emerging security threat, costing companies millions in lost revenue and brand damage. In fact, the FBI reported in 2016 that these attacks have cost companies $5 billion and growing. Traditional security solutions fail to detect them because they are based on social engineering and are highly personalized.
Barracuda Sentinel is the first comprehensive spear phishing attack and cyber fraud prevention service. Delivered as a cloud service, it combines three powerful layers: an artificial intelligence engine that stops impersonation attempts and spear phishing attacks in real time; domain fraud visibility using DMARC authentication to protect against domain spoofing and brand hijacking; and anti-fraud training including simulated attacks for high-risk individuals in the organization. Barracuda Sentinel integrates with most popular communications platforms, such as Office 365, to learn each organization’s unique communications patterns. This messaging intelligence allows us to identify anomalies and stop impersonation attempts with zero impact on network performance.