Real-World Spear Phishing, Initiating the Attack and Email Spoofing


By Asaf Cidon, Barracuda Networks

Countless individuals and organizations have unwittingly wired money, sent W2s, and emailed credentials to cyber criminals who were impersonating their boss, colleague, or a trusted customer. Spear phishing attacks can have devastating results for individuals, businesses, and brands, and unfortunately, they work because they are so simple and believable. A successful attack doesn’t require advanced hacking techniques; it only requires gathering information about you that’s already posted online and spending five minutes writing a well-crafted email. Attackers can pick up information about their targets from a variety of sources, such as LinkedIn, Facebook, or the company blog.

Spear phishing is something we’ve become very familiar with at Barracuda, as we have over a decade-long history of studying email-borne threats and the overall cyber threat landscape. Over the last year, we have spent a lot of time researching and analyzing highly-personalized spear phishing attacks.

This led us to build Barracuda Sentinel — the first comprehensive AI solution for real-time spear phishing and cyber fraud defense. In this month’s Threat Spotlight, we take a look at two recent spear phishing attacks that were caught by Barracuda Sentinel, and demonstrate how simple these attacks are to orchestrate.

Highlighted Threat:

Real-world spear phishing — examples of CEO fraud and spoofing to gain financial information.

The Details:

*The two examples below are of real spear phishing attempts; however, they each contain sensitive information so we have changed the names of the people involved and their email addresses to honor their privacy.

In this first message, an email is sent by an attacker who is pretending to be the CEO of the company where the recipient is employed. This is a common tactic used by cyber criminals to appear authoritative in order to provoke a response. If you take a look at the actual message, it’s just a benign note to get the conversation started. The idea here is that the attacker is trying to build just enough trust so that the victim lets down their guard, and ultimately does what the attacker asks.

When we look closely at the sender’s email address, it’s not the address that would typically be used by the CEO. Secondly, the message itself contains language that requests a favor or action — both red flags, and two signals that led Barracuda Sentinel to catch this particular spear phishing attempt.

In the second message, the body of the email is very direct: the attacker states that they are going to need financial information. Two things stand out in this message: the sender’s email address is spoofing the company’s domain, and the reply-to address is different from the one used to send the message. The attacker is hoping that the recipient falls for the attempt and ultimately provides the financial information they need to steal money.

This spear phishing attempt was stopped by our AI engine because the message used a different reply-to address, communicated an urgent request, and asked for availability to respond to a special request. It could also be prevented by enforcing DMARC, which prevents attackers from spoofing your domain (more on DMARC below in the “take action” section).
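The red flags described for the two messages can be checked mechanically from the headers and body. The following is an added example, not Barracuda Sentinel's engine or any code from the original article; the executive directory, organization domain, phrase list, and all three sample messages are constructed assumptions, and the phrase match is a deliberately simple substring test.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: executive directory, org domain, request phrases.
KNOWN_EXECS = {"jane doe": "jane.doe@example.com"}
ORG_DOMAIN = "example.com"
REQUEST_PHRASES = ("urgent", "are you available", "favor", "asap")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def score_message(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []
    # Display name matches an executive, but the address is not theirs.
    expected = KNOWN_EXECS.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display-name-impersonation")
    # Replies would go to a different domain than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        flags.append("reply-to-mismatch")
    # Language that asks for a favor, availability, or urgent action.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(p in text for p in REQUEST_PHRASES):
        flags.append("request-language")
    # Our own domain in From, but the receiving MTA recorded a DMARC failure.
    results = msg.get("Authentication-Results", "").lower()
    if domain(from_addr) == ORG_DOMAIN and "dmarc=fail" in results:
        flags.append("own-domain-dmarc-fail")
    return flags

# Constructed sample messages modelled on the two examples described above.
CEO_NOTE = ('From: "Jane Doe" <ceo.office@mail.example.net>\n'
            "Subject: Quick request\n\nAre you at your desk? I need a favor.\n")
SPOOFED = ('From: "Jane Doe" <jane.doe@example.com>\n'
           "Reply-To: <jane.doe@exec-mail.example.net>\n"
           "Authentication-Results: mx.example.com; dmarc=fail header.from=example.com\n"
           "Subject: Urgent\n\nI am going to need the financial information today. Are you available?\n")
BENIGN = ('From: "Jane Doe" <jane.doe@example.com>\n'
          "Subject: Board minutes\n\nMinutes from Monday are attached.\n")

if __name__ == "__main__":
    for label, raw in (("ceo-note", CEO_NOTE), ("spoofed", SPOOFED), ("benign", BENIGN)):
        print(label, score_message(raw))
```

With a DMARC policy of reject or quarantine enforced on the organization's domain, the second message would be rejected or quarantined by the receiving server before a header check like this was needed.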

But what would happen if these attacks weren’t caught, and the recipients took the bait? In each of these instances, it’s pretty clear that the attacker is looking for angles to persuade the recipient into sending money. If we look back at the first example, the benign dialog could have continued through a few back-and-forth emails until the attacker felt like they had enough trust to ask for a payment to be made. In the second example, the message is more straightforward and there’s no question what the attacker is looking for — money. Regardless, both scenarios are good examples of what to look out for in potential spear phishing attempts.

To recap, the techniques used in these attacks are:

  • Spear phishing: In both examples, the attacker sends an email in an attempt to bait the recipient into engaging in dialog, and believing that the attacker is one of their colleagues.
  • Impersonation: The attacker is pretending to be the CEO of the company.
  • Spoofing: In the second example, we see that the sender’s email address is spoofing the company’s domain.

It’s a numbers game. Not every attempted attack will be a criminal success, but the more attempts that are made, the better chances the attackers have of running off with your money. It takes one successful attack to cause significant financial and reputational harm.

Take Action:

Spear phishing attacks are the most significant emerging security threat, costing companies millions in lost revenue and brand damage. In fact, the FBI reported in 2016 that these attacks have cost companies $5 billion and growing. Traditional security solutions fail to detect them because they are based on social engineering and are highly personalized.

Barracuda Sentinel is the first comprehensive spear phishing attack and cyber fraud prevention service. Delivered as a cloud service, it combines three powerful layers: an artificial intelligence engine that stops impersonation attempts and spear phishing attacks in real time; domain fraud visibility using DMARC authentication to protect against domain spoofing and brand hijacking; and anti-fraud training including simulated attacks for high-risk individuals in the organization. Barracuda Sentinel integrates with most popular communications platforms, such as Office 365, to learn each organization’s unique communications patterns. This messaging intelligence allows us to identify anomalies and stop impersonation attempts with zero impact on network performance.


AI for Real-Time Spear Phishing and Cyber Fraud Defense
