Phishing has long been such a common attack vector that enterprise information security teams have endeavored to educate users about the dangers of opening suspicious emails and attachments.
Now, phishers are becoming so adept at crafting compelling lures that one expert has warned education alone is no longer enough to mitigate the most sophisticated phishing attempts.
Case in point: This week advanced threat-detection vendor FireEye Inc. unmasked an attacker group, dubbed FIN4, which has targeted more than 100 organizations since at least mid-2013. According to FireEye's report, FIN4 has largely focused on compromising account credentials for high-profile users who are knowledgeable of corporate mergers and acquisitions, major announcements and other events that have yet to take place, with the suspected goal of using the stolen information to make lucrative plays on the stock market.
A new breed of sophisticated phishing attacks
While it's certainly common for attackers, particularly those backed by nation-states, to target organizations undergoing M&A deals, what sets FIN4 apart is the level of sophistication present in the phishing lures used by the group to bypass enterprise security measures. For one, FIN4's phishing emails show a native-level command of the English language, an aspect that most other phishing attempts lack.
FIN4 is also capable of using targeted language geared toward specific organizations and even individuals that increases the likelihood of eliciting the desired response. For instance, the FireEye report documented a phishing exercise by the group that was modeled as a whistleblower-style email, informing someone about an employee who had allegedly disclosed private business matters on the Web.
Don Jackson, director of threat intelligence at antiphishing vendor PhishLabs, based in Charleston, S.C., said that the details involved in FIN4's execution are typical of top-tier "whaling" attacks, those cases when an individual is subjected to spearphishing attempts because they hold valuable information or wield influence within an organization.
In particular, Jackson said that the FIN4 attackers went to great lengths ensuring that the lures used in their phishing schemes would be of interest to particular targets. In certain instances, he noted that the group simply used legitimate documents with malicious Visual Basic for Applications (VBA) macros inserted to glean account credentials, making it that much easier to fool unsuspecting end users.
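The pattern Jackson describes, a legitimate-looking document carrying an inserted VBA project, can be caught at the mail gateway without running anything: OOXML files are zip containers, and a VBA project appears as a vbaProject.bin part declared in [Content_Types].xml. The following is an added illustration, not code from FireEye or PhishLabs; the triage policy, the function names and the constructed sample documents are assumptions made for the example.

```python
import io
import zipfile

# OOXML (docx/xlsx/pptx) files are zip containers; VBA code lives in a
# vbaProject.bin part that is declared in [Content_Types].xml with this type.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")


def inspect_ooxml(data: bytes) -> dict:
    """Report whether an OOXML attachment carries a VBA project (static check only)."""
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container, so not an OOXML document
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declares_vba"] = VBA_CONTENT_TYPE in content_types
    return result


def triage_attachment(filename: str, data: bytes) -> str:
    """Assumed gateway policy: return 'clean', 'review' or 'quarantine' for one attachment."""
    info = inspect_ooxml(data)
    has_vba = bool(info["vba_parts"]) or info["declares_vba"]
    if not info["is_ooxml"] or not has_vba:
        return "clean"
    # A VBA project inside a file whose extension claims to be macro-free is the
    # "legitimate document with a macro inserted" pattern: hold it outright.
    if not filename.lower().endswith(MACRO_ENABLED_EXTENSIONS):
        return "quarantine"
    return "review"  # macro-enabled by name; still worth an analyst's look


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container used only as sample input for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                     'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"constructed placeholder bytes, not real VBA")
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Real OOXML documents have more parts than the constructed sample, but the two signals checked here, the vbaProject.bin part and its content type, are the same in the real format.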
"The FIN4 attackers obviously demonstrated a great deal of institutional capability, which is knowledge of the terminology and processes, experience with how people and systems interact in the environment into which they are attempting to penetrate, and a specific appreciation of the value of the targeted assets," said Jackson. "If the target is as valuable as it appears, we would expect the lures to be flawless and honed."
FIN4 not the only sophisticated phishers
While the phishing tactics utilized by FIN4 were undoubtedly sophisticated, Jackson also warned enterprises that they are hardly the only attacker outfit to utilize such measures.
For instance, Jackson said that a recent US-CERT advisory highlighted the Dyre/Dyreza banking malware that has been used in recent phishing campaigns. US-CERT said those phishing attempts also varied the lures depending on individual targets, including swapping out attachments, payloads and themes, though the phishers were particularly fond of utilizing a malicious PDF attachment that targeted outdated versions of Adobe's Reader software.
The Dyre malware itself is capable of not only gathering account credentials, but also monitoring enterprise network traffic and bypassing SSL mechanisms in Web browsers. In comparison to Dyre and the remote access Trojans often seen in sophisticated phishing attacks, Jackson said the VBA macros utilized by FIN4 are actually quite rudimentary and may have led to the group's detection.
"The quality of the FIN4 emails reminds me of the email lures used against several large financial institutions and investment firms by the crew behind [Dyre]," said Jackson. "There have also been recent wire invoice scams orchestrated via email by actors that demonstrated similar care in targeting and recon. These actors also have significant institutional capability, but haven't exhibited the same finesse of execution as the FIN4 attacks."
Defending against advanced phishing attacks
As for how enterprise defenses should adapt to mitigate such refined phishing attempts, Jackson said that antiphishing measures are increasingly an "intelligence game": the diverse capabilities, operational sophistication and determination shown by FIN4 and other attacker groups mean enterprises must go beyond user education to prevent compromises.
Jackson said that enterprises should collect data like the artifacts and indicators of compromise noted by FireEye in its report, and that data can be analyzed to determine how the attackers function, whether malware is being used and if so what software is being targeted.
"From there, risk management and security postures can be adapted, targeted individuals can be forewarned," said Jackson, "and enough can be learned about the threat actors to more effectively disrupt the threat."