A client called the other day to tell me about a highly evolved phishing attempt cast straight at his law firm. Kudos to their employees for not taking the bait.
Here’s how the attack played out:
- First, an employee who regularly handles emails addressed to the firm in general (e.g., “firstname.lastname@example.org”) got a message that appeared to be sent from the file transfer system of one of the firm’s top clients. The brief email stated that a director-level executive at the client company, who was mentioned by name, wanted to make sure they saw the attached file, which contained information they needed. (But the email didn’t say specifically why it was important).
- Before clicking the link, the staff member looked closely at the message and the email address, spotted the fake and alerted the firm’s security team. Emails from file transfer systems tend to have an “automated” look that could make a good cover for a phishing attempt, but fortunately she looked below the surface.
- A few minutes later, the same employee received a companion second message. This one was meant to look like it had been sent via the file transfer system from the director himself. It basically said, “Sorry, that first file I sent was the wrong one. Here’s the correct file.” It looked very official… talk about enticing.
This was by any standard a sophisticated and targeted attack that stood a far greater chance of succeeding than most generic phishing emails. I’ve seen and heard of other “two-hooked” attacks, where one message follows another—but they weren’t this convincing.
The client was concerned about how the hackers could correctly identify both their client and one of the client’s senior executives. Had the law firm or one of its vendors been breached? Was there an insider threat?
I told our client I didn’t think a hacker would need to breach his law firm to create those emails. The amount of ambient data that’s publicly available online to people who know where to look and how to connect the dots is astounding.
Between LinkedIn, Facebook and the law firm’s own website the hackers probably got everything they needed in a few minutes. I’ve done similar snooping myself (all in the line of duty, of course :)). It’s not difficult if you know what you’re doing.
The takeaway is that phishing attacks continue to ramp up and organizations and individuals need to stay vigilant. Keep threats top-of-mind by fostering a “security consciousness” that includes periodic security awareness education. It certainly paid off for our client.
To talk with an expert about what an ideal security awareness education program for your organization would look like, including the results and benefits you could expect, contact Pivot Point Security.