Europol has released a new cybersecurity report, this time specifically on spear phishing. Yes, spear phishing scams are multiplying. By the way, spear phishing is defined as a targeted phishing scam. That is, it targets specific people within a company. The goal is to steal confidential information or distribute malware, such as ransomware.
In the report "Spear Phishing, a Law Enforcement and Cross-Industry Perspective", Europol says that "spear phishing is still one of the most common and most dangerous attack vectors seen by both law enforcement and industry".
The European Agency document is the result of a partnership involving more than 70 companies and organizations from different areas, from financial institutions to information security companies. In it, Europol highlights the concern and increase of spear phishing scams, defining the attack operation modes, giving security recommendations and citing cases as an example.
Carbanak and Cobalt malware
Speaking of examples, the document begins with the story of the arrest in 2018 of a cybercriminal group leader responsible for spear phishing scams using Carbanak and Cobalt malware. In recent years, the group has caused estimated losses of more than EUR 1 billion. Their way of acting was well defined.
“The group targeted ATM networks and financial transfers around the world by sending spear phishing emails with malicious attachments to bank employees”, explains Europol.
After machines were infected with malware, criminals stole money in 3 ways: money transfer, inflating account balances and controlling ATMs. Then, to launder the money, avoiding tracking, the stolen amounts were converted into cryptocurrencies.
Phishing: untargeted and targeted attacks
According to the report, about 65% of cybercriminal groups use spear phishing as a way to hack businesses and organizations. The document also points out that phishing is responsible for about 32% of breaches and is involved in 78% of cyberespionage incidents. In addition, 48% of the malicious files used in email phishing scams are Office files.
“Phishing can be the vector for fraud, extortion, espionage or other malicious cyberattacks. It is an attack with a variety of sophistication and purpose used by malicious actors ranging from script kiddies and fraudsters to serious organised criminal groups and nation states”, says Europol.
The agency also claims that phishing attacks are becoming increasingly sophisticated. Worse, they have been marketed through ready-made phishing kits, which makes them accessible for any cybercriminal, including those without a technical background.
In the report, there is a distinction between 2 types of phishing.
1. Untargeted phishing campaigns
Untargeted phishing campaigns are mass attacks that “aim to reach as broad an audience as possible with the goal of tricking recipients into clicking a link, opening a malicious attachment, disclosing sensitive information or transferring funds”.
2. Targeted spear phishing attacks
As its name suggests, targeted spear phishing attacks are focused campaigns that use a lot of social engineering techniques. “A great deal of knowledge about the targets (and target environments) makes social engineering highly effective and means that a smaller number of attacks can lead to a much greater damage overall”.
How spear phishing scams work
The success of spear phishing scams is directly linked to the human factor. That is, the cybercriminal must fool at least one employee of the company for the attack to succeed. It means that the more information he has about the victim, the company, employees, partners and customers, the better. This is why social engineering is so present in spear phishing cases.
Europol explains that there are, basically, 2 ways for a company to be hacked through phishing attacks. The first is by receiving, for example, a phishing email from an external domain. The second is an internal infection, meaning a phishing email is sent from an address that belongs to the organization. These cases, of course, are the most complex and difficult to detect.
BEC (Business Email Compromise)
BEC scams are examples of attacks sent from within the company itself. In most cases, attackers gain access to an employee's email account and use it for spear phishing scams.
“BEC is often aimed at convincing employees to transfer large sums of money to the criminal’s bank account, making use of the fact that an email coming from a trusted address – in many cases from a high-ranking staff member, such as the CEO – are typically met with little scepticism and significant trust. BEC has also been used to passively monitor an organisation’s activity for the purposes of intelligence gathering”, explains Europol.
Phishing features and how to identify fraud
The agency says that the most common phishing vector is email. And these messages often contain malicious URLs and files. In addition, they have other features, such as display name spoofing, imitation of legitimate email addresses, hidden links in text and images, and a sense of urgency. Cybercriminals will do their best to trick the victim into thinking it is a legitimate message.
According to the agency (and also the Gatefy team), the best defense against phishing scams involves the use of solutions that detect and block such threats, such as email security software. But not only that. It's also important to invest in security awareness. That is, employees need to acknowledge scams and report them.
Spear phishing report
If you would like to check out the full report, click here.