Spear Phishing at a Bank - A Hard Lesson Learned

by Ig0p89

This article is for informational purposes only.

I work at a local community bank.  The bank is not a big target for security minded individuals and our presence on the net is minor.  We sit in our own little corner of the world and don't bother anyone.

An email was sent from our "HR Director."  This is a person of authority and senior management in the bank.  The email looked legitimate with the correct name, phone extension, and bank logo.  All the words were also spelled correctly, as they generally are not with this type of attack.

The body of the email was regarding an updated Anti-Virus (AV) program.

We have all seen this, but the target was clueless.  The message was written in lay terms, as the HR Director would write.  To the average bank employee, this looked perfectly normal and not out of the ordinary.  After all, with all of the viruses that are present, updates are quite regular and normal.  An AVP in the mortgage lending area with a very happy pointer finger clicked on this.  Now the story really begins.

This email was not the only one sent to the bank that evening - obviously.  It was not a single incident - this was actually much larger.  The email was sent to several people in the bank in different departments, not just the mortgage area.  The email - although copies of the same email were sent to a number of people - was also selective as to who it was sent to.  Thankfully, there was only the one person who was lacking common sense.  The direct effect of this was two hours of an IT person, two hours which were greatly needed elsewhere.

There are several reasons she should have been tipped off.  First, the HR department does not send out updates for AV programs.  For brevity's sake, duh!  In her 20+ years of experience at the bank, no employee has ever, repeat, ever had to update their own AV.  It is all done through the IT department.  And last but not least, the individual systems do not have their own AV installed on their own hard drives.  Again, duh!

Usually we see the phishing technique at the bank.  The typical ones say that you have a UPS shipment waiting and you have to click on "Here" or the shipment will be returned today, or a long lost friend is emailing you and you need to click "Here" for her personal and contact information, etc.

This was a bit more interesting.  The sender put more time than the normal amount into this specific attack.  This was more of a case of spear phishing.  The emails were from the HR Director with her spoofed address.  This was not from a random person in the bank nor was it a fake employee email.  The link in the email was also different for each email sent to the bank employees.  The links did not point to the same website.  For instance, if four bank employees received the emails, each link in the emails was to a different website.
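The two traits described above, a spoofed internal sender and an otherwise identical body carrying a different link for each recipient, are exactly what a mail-gateway or SOC triage script can look for. The following is an added example written for this page, not code from the article or the bank: it parses a handful of constructed sample messages (the domain examplebank.test, all addresses, and all URLs are made-up placeholders) and flags messages whose From header claims the bank's domain while the Return-Path or Authentication-Results header says otherwise, then clusters messages by body fingerprint to surface campaigns with per-recipient unique URLs.

```python
import email
import hashlib
import re
from collections import defaultdict
from email import policy
from email.utils import parseaddr

# Assumed placeholder for the bank's own mail domain (not from the article).
INTERNAL_DOMAIN = "examplebank.test"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed campaign body: identical text, only the link differs per recipient.
_COMMON_BODY = (
    "Hello,\n\nOur Anti-Virus program has been updated. Please install the new\n"
    "version today by clicking the link below.\n\n{link}\n\nThanks,\nHR Director, ext. 1234\n"
)

def _campaign_message(recipient, link):
    # Claims to be HR, but bounces to, and failed SPF for, an outside relay.
    return (
        "Return-Path: <bounce@mail-relay.example.net>\n"
        "Authentication-Results: mx.examplebank.test; spf=fail smtp.mailfrom=mail-relay.example.net\n"
        "From: \"HR Director\" <hr.director@examplebank.test>\n"
        f"To: {recipient}@examplebank.test\n"
        "Subject: Updated Anti-Virus program\n"
        "\n" + _COMMON_BODY.format(link=link)
    )

# Constructed sample mailbox: three campaign messages plus one legitimate IT notice.
SAMPLE_MESSAGES = [
    _campaign_message("loan.officer", "http://av-update-1.example.net/install"),
    _campaign_message("teller.lead", "http://av-update-2.example.net/install"),
    _campaign_message("branch.manager", "http://av-update-3.example.net/install"),
    "Return-Path: <it.helpdesk@examplebank.test>\n"
    "Authentication-Results: mx.examplebank.test; spf=pass smtp.mailfrom=examplebank.test\n"
    "From: \"IT Help Desk\" <it.helpdesk@examplebank.test>\n"
    "To: all-staff@examplebank.test\n"
    "Subject: Scheduled maintenance Saturday\n"
    "\n"
    "Core systems will be offline Saturday 02:00-04:00 for maintenance.\nNo action is required.\n",
]

def extract_urls(text):
    """Return the URLs in a body, with trailing sentence punctuation stripped."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]

def body_fingerprint(text):
    """Hash the body with every URL replaced, so per-recipient links collapse to one value."""
    normalized = " ".join(URL_RE.sub("<URL>", text).split())
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def spoofed_internal_sender(msg, internal_domain=INTERNAL_DOMAIN):
    """Reasons the message looks like an outsider impersonating an internal address (empty if none)."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if _domain(from_addr) != internal_domain:
        return []  # does not claim to be internal; out of scope for this check
    reasons = []
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and _domain(return_path) != internal_domain:
        reasons.append(f"Return-Path domain {_domain(return_path)} differs from From domain")
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth, re.I):
        reasons.append("Authentication-Results reports a failure for a supposedly internal sender")
    return reasons

def analyze(raw_messages, internal_domain=INTERNAL_DOMAIN):
    """Flag spoofed internal senders and cluster same-body, different-link campaigns."""
    spoofed = {}
    clusters = defaultdict(list)
    for i, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        reasons = spoofed_internal_sender(msg, internal_domain)
        if reasons:
            spoofed[i] = reasons
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part is not None else ""
        clusters[body_fingerprint(body)].append((i, extract_urls(body)))
    campaigns = []
    for fp, members in clusters.items():
        distinct = {u for _, urls in members for u in urls}
        if len(members) > 1 and len(distinct) > 1:
            campaigns.append({
                "fingerprint": fp,
                "messages": [i for i, _ in members],
                "distinct_urls": sorted(distinct),
            })
    return {"spoofed": spoofed, "campaigns": campaigns}

if __name__ == "__main__":
    report = analyze(SAMPLE_MESSAGES)
    for idx, why in report["spoofed"].items():
        print(f"message {idx}: spoofed internal sender: {'; '.join(why)}")
    for c in report["campaigns"]:
        print(f"campaign {c['fingerprint']}: messages {c['messages']} share a body "
              f"but carry {len(c['distinct_urls'])} distinct links")
```

The sender check only fires for mail that claims the bank's own domain, which is where a gateway rule can afford to be strict: legitimate internal mail should never bounce to an outside relay or fail SPF. The body fingerprint is what turns four separate help-desk tickets into one campaign, and the per-recipient unique links are themselves an indicator worth alerting on, since they are how a sender tracks which employee clicked.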

Due to the formatting, these undoubtedly came from the same person or entity.  What is curious is how they could have done this.  After all, I (and by extension you) might as well learn from this, versus merely shaking my head and wondering what this employee does instead of thinking.

So how did they do it?

I can only give a general theory.  I truly and unfortunately (I would like to get more ideas from them) do not know who this is.  On the bank's website, there are certain tabs.  One tab is "About Us/Annual Report."

From this tab, it is only one quick click to download a full copy of the bank's annual report.  No, the bank is not publicly traded.  Yes, I know.

The table of contents lists the page on which all the employees are listed.  That page, once you turn to it virtually, shows every employee's full name and their years of service to the bank.  The annual report does not show the employee email addresses or the email address format.

These could be easily gathered by getting the HR Director's name from the website (it is listed so people may send in their resumes) and by a generic social engineering request (calling because you need to send a lender an email but lost his card; the lender's name can be taken from the annual report freely available on the website).  From here, putting the email together and sending it is the easy part.

The dangers to the bank are more far-reaching than I care to think about.  The email addresses are out there now for future phishing and spear phishing attacks.  The person or entity knows this will work.  As one of my t-shirts says, "There is no patch for stupid."  They know the executive management of the bank due to the bank generously leaving this information for anyone to see.

The next time maybe the email will be from the president/CEO.  They may send an email to the president of another bank with a file that needs to be opened today, which has malicious code.  The link clicked on may also open the bank to a breach of confidential information.  Use your imagination as to what types of information and data an enterprising person could get from a bank!

There are a number of lessons hopefully learned - but probably not.  There will always be those who refuse to learn from the past and prefer to hold onto old habits.  The bank's staff needs to be wary of what information is put out there.  The bank, especially a community bank, wants to show itself as being friendly and available to the clients.  However, this does need to be balanced, due to the bank not wanting to give out too much information.

There also needs to be more continued training.  Within the two months prior to this occurrence, there was a training session on what not to do.  One topic was not clicking on strange links.  This did not quite sink in, as the resulting issue showed.

And the beat goes on.
