Real-world spear phishing cautionary tales

October 14, 2020

Imagine your bank telling you that your online account was hacked and that you had to reset your access credentials. You click on the link provided in the email, and it leads you to a spoofed password reset page. Without checking if the email actually came from your bank, you go ahead and enter your current credentials to reset your password. In reality, you just handed over your login information to a cybercriminal.

This type of phishing attempt works because banks and other large enterprises have a lot of customers, which raises the probability that a sizable number of people will take the bait.

A variant of this email-based attack is spear phishing. It is called such because unlike with regular phishing in which a wide net is cast, spear phishing is more targeted. That is, the attacker poses as a C-level executive of a company, an organization that the company does business with, or any party that the would-be victims have or will have a strong familiarity or professional relationship with. This familiarity or inherent trust makes people drop their defenses and makes it easier for cybercriminals to achieve their goal, which is usually to access guarded information or steal money from organizations.

Spear phishing is not new, but people still keep falling for it because of lack of awareness of its existence, or of how risky it is for your organization’s data security. To help you and your team better understand the very real threat that is spear phishing, read and share these real-life cautionary tales.

Convincing invitations to bid in an energy project

By the end of the first quarter of 2020, hackers posed as agents from Egyptian state oil company Engineering for Petroleum and Process Industries (Enppi) and sent fake requests for quotations to approximately 150 multinational oil and gas companies. Written in near-perfect English, the invitations to submit bids for supplying materials and equipment referred to an actual ongoing gas venture. They used terms that were specific to the industry, such as the names of the equipment they were seeking supplies for.

Attached to the spear phishing emails were formal requests for proposal and bidding requirements, but these attachments actually had the “Agent Tesla” spyware Trojan hiding in them. Downloading the attachment would infect the user’s machine to steal information in the following ways:

  • Clipboard content and keystroke capture
  • Access credential extraction (also known as credential dumping)
  • Screenshots

When energy companies are flush with cash, hackers launch ransomware at them to siphon off some of that money. However, this was a time when the Organization of Petroleum Exporting Countries (OPEC) cut fossil fuel production because the COVID-19 pandemic had dramatically reduced demand and produced a glut in supply. The price of oil dropped so precipitously that distributors went so far as to pay firms to take some of their barrels away.

This context has led industry experts to believe that the spear phishing campaign was an attempt at gaining information on how oil companies and countries were going to respond to the OPEC cut. If the hackers were able to discern the players’ strategies, parties who were backing the hackers — presumably parties with interests in the fossil fuel industry — could get a jump on the market.

The primary goal of spear phishers is to gain access to closely guarded information, such as intellectual property, corporate strategies, or access to, technical knowledge of, and controls for operations systems.

Nuclear power plant job applications

Spear phishers have been targeting the energy industry for quite some time now. Back in 2017, hackers sent fake résumés of control engineering job applicants to nuclear power producers such as the Wolf Creek Nuclear Operating Corporation in Kansas. These Microsoft Word documents contained Trojans that could:

  • Steal user credentials from the downloader’s computer as well as from other machines connected to the same network.
  • Let the hackers infect websites that the victim frequents. Known as a watering hole attack, this presumes that the victim’s coworkers visit the site often as well, making them prone to carry malware back to their own computers.
  • Redirect the victim’s traffic to the hacker’s machine.

According to cybersecurity experts, the hackers appeared to be mapping out the network infrastructures of their targets. However, officials at Wolf Creek maintained that their corporate network was completely separate from the network used for power plant operations.

Security officials at the Department of Homeland Security surmised that the hackers were either planning to steal technological secrets, cripple the nation’s power supply, or cause a nuclear disaster. Thankfully, nothing has come of the spear-phishing attacks — yet.

Got $522,000 to spare?

Our illustrations so far have been of attempts that appear to have ultimately failed at their objectives, but it’s not hard to imagine what could have happened if they had succeeded — especially given our next example.

On Oct. 8, 2020, town officials of Franklin, Massachusetts announced that they had lost a whopping $522,000 to spear phishers. They said the money came from Franklin’s non-general fund account and was “misdirected to a third party.”

In case you didn’t know:

Unlike general funds that are used to pay for the government’s operating expenses, employee salaries, and public services, non-general funds are earmarked by law for particular purposes. To illustrate, fuel and motor vehicle sales taxes may be allocated for public transportation programs.

Though no other details of the crime were shared, the mention of spear phishing most likely means that cybercriminals used email to pose as a party that the officials knew and trusted. Often, thieves ask that a particular invoice be paid to a new account. In Franklin’s case, whatever the phishing bait was, the government officials bit.
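The two patterns described in this post, a reset link that does not lead where its text says (the bank example at the top) and a trusted-looking sender asking for an invoice to be paid to a new account, can both be caught by simple mailbox-side checks. The script below is an added illustration and is not code from the original post or from Graphus; it uses only the Python standard library, and the organisation domain, executive list, trusted domains and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation data, constructed for this example.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe"}                         # names an impersonator might borrow
TRUSTED_DOMAINS = {CORPORATE_DOMAIN, "example-bank.com"}

# Wording that typically accompanies a payment-redirection request.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(account|bank|wire|routing)\b", re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (exarnple vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain):
    """True when the domain is within two edits of a trusted domain but not equal to it."""
    return any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def triage(raw_message):
    """Return a list of findings for one RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if name in EXECUTIVES and domain != CORPORATE_DOMAIN:
        findings.append("display-name impersonation")      # exec name, outside address
    if looks_alike(domain):
        findings.append("lookalike sender domain")
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    if PAYMENT_CHANGE.search(body):
        findings.append("payment-detail change request")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Visible text that looks like a URL but points somewhere else.
        if "." in text and host_of(text) and host_of(text) != host_of(href):
            findings.append(f"link text/target mismatch: {text} -> {host_of(href)}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_INVOICE = """From: Jane Doe <jane.doe@exarnple-corp.com>
To: accounts@example-corp.com
Subject: Urgent: vendor invoice
Content-Type: text/plain

Please pay invoice 4471 to our new account at the bank below today.
"""

SAMPLE_RESET = """From: Security <alerts@example-bank.com>
Subject: Password reset required
Content-Type: text/html

<p>Click <a href="http://example-bank.com.evil-host.test/reset">https://example-bank.com/reset</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("invoice", SAMPLE_INVOICE), ("reset", SAMPLE_RESET)):
        print(label, triage(sample))
```

The invoice message trips all three sender and content checks (an executive's display name on an outside address, a domain two edits away from the real one, and "new account" wording), while the reset message passes the sender checks and is caught only by the link mismatch, which is exactly why a reader who looks at the sender alone is not protected.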

Town Administrator Jamie Hellen maintained that their software systems, official accounts, and citizens’ personal information were not compromised. This is not surprising, given that phishers don’t necessarily hack IT systems. Rather, they “hack” people — and it appears that, by doing so, they can swipe over half a million dollars of taxpayers’ money in one go. Can your business survive losing that much money that quickly?

The spear phishing cases above show how people are susceptible to being duped by well-crafted emails. This is why your organization needs something that can catch such trickery, namely our AI-powered email security software. Try a FREE demo today.

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.