Spear Phishing Gets Worse

We’re all pretty much used to phishing email messages — the steady stream of mail telling us that we’ve won something from Amazon or Microsoft, or that our bank (or credit card company, or…) needs us to verify all our personal information to keep them from freezing our account. If you pay attention at all, run-of-the-mill phishing attacks are pretty straightforward to avoid.

Spear-phishing is another matter. A carefully crafted spear-phishing attack using personal information, spoofed to appear to come from a trusted business associate or internal email address, can fool even the most diligent individual. For most of us, spear-phishing is a remote danger because it’s a labor-intensive tactic that tends to be used against high-value individuals who control high-value assets.

For those in war zones or politically troubled regions, though, spear-phishing can be a constant threat. Researchers at RiskIQ have identified individuals in Turkey who were the targets of a sophisticated spear-phishing campaign. The mechanism was fairly simple and common — a message that appeared to be from a known address (in this case, the tax collection office) containing an Excel spreadsheet. And it’s that spreadsheet that started the real attack.

The spreadsheet was the host of a RAT — a remote-access trojan — that embedded itself on the victim’s computer. Once that happens, the victim’s computer might as well be sitting on the attacker’s desktop. The RAT used in the Turkish attacks is the same one used in earlier attacks against Asian targets. It’s assumed to have been developed by hackers in China and has been used in a growing number of attacks against political targets.

This series of attacks marks an escalation of spear-phishing as a tool of cyber spies and political operatives. And it has some significant implications for officials, politicians, and political staffers in the U.S. 2018 is a mid-term election year and by now it’s well known that international agencies were involved in the 2016 U.S. elections. It’s a safe bet that there will be more attacks this year and that they will be more sophisticated than those in 2016.

So what are we supposed to do with information like this? Prepare. Pay attention to research reports on new attack methods, new payloads, and the victims who weren’t as prepared as you. Educate your employees on what to look for and (here’s the important thing) turn up the wick on the paranoia level. Assume that every message coming in is from an attacker and act accordingly.

On the one hand, all this paranoia will be a pain and will probably hasten the decline of email as a valuable messaging medium for business. On the other hand, it’s a pain that pales in comparison to seeing embarrassing information leaked to political opponents, knowing that critical business secrets have been stolen, or helping employees and customers recover from stolen PII.
