Transcript:
I know this podcast usually deals in fictions, but everything I’m about to detail is possible, and most of it, I can assure you, is currently being done. I tell you this only so that you are aware that I know enough to be honestly afraid of a very concrete thing.
I am afraid of hacking. Specifically, I’m afraid of Spear Phishing. That’s fishing with a P.H. I think it’s kind of a stupid term, but it’s an easy shorthand. I’ll define it.
Normal P.H. phishing is best exemplified by the Emails you get, asking you to change a password to a credit card that you may or may not have, or for your Email account, or informing you of the distant relative in Nigeria who wanted to wire you money. Years ago, they were comedic-ly bad. Filled with typos, poorly formatted, and they were generally dumb ideas to begin with. The Emails sent you to sites that wouldn’t fool anyone, and when you’d hear about someone falling for it and losing thousands, you’d think how could anyone be that stupid? These phishing attempts have gotten better. If they can find a name to tie to your Email address, and lists are easy to find and buy on the gray market, it’ll be personalized to you. The websites the emails link out to look correct, and the grammar issues have all but disappeared. The big mail carriers and most spam filters are good at catching these attempts, but when one gets through, it takes a wary diligence to not fall for it.
The thing about Spear Phishing is that it takes the customization to a whole new level. I’ve worked with clients that have been targets of this, and I’ve seen all the tactics I’m about to describe. Instead of targeting everyone that they’ve pulled out of a spreadsheet and hoping for a bite, to use the fishing metaphor, the spear phishermen do their research. They usually target a finance officer, or someone 2 or 3 down from the top executive. A person they know should have the ability to send a wire. Here’s a fun fact for you – it’s easy to change the “Reply-To” field, and make it seem like the person sending the message is someone else they work with, and if you hit reply, it’ll go to the correct person, so it seems legitimate. Usually, the person they mimic is the CEO or another superior, and the tone they employ discourages verification. The Email comes across as a mildly irate email from your boss telling you to send an approved wire immediately. If you expand out the details, it’s obvious that it came from someone other than the person that’s being portrayed. You’ll see the scammer’s Email address, laid plain.
But, it can get more complicated than that. The phisherman can purchase a domain that nearly matches the would-be victim’s. Example: your URL is summer.com – S U M M E R, they would buy one that is spelled S U M N N E R. The two n’s, when you’re reading it quickly, look like a single M. Lowercase L’s become I’s, B’s turn to D’s. I’ve seen O followed by L become a D, and when everything is lowercase, your eyes simply do not see it, even when you’re diligent. And when this is the case, the Phisherman really does control the Email address you respond to.
It can get more insidious. I have seen an organization infiltrated. This is what happened. The phisherman found the company’s website, which handily had the names, positions, and email addresses of everyone on their staff. They targeted multiple employees who would be in a position to request and make a wire transfer. They sent these upper management employees an Email purporting to be from their cloud email hosting service, saying it was time to change their password. The link the employees followed took them to a webpage that was convincing enough that the employees who fell for it entered their old passwords and, quote-unquote, made a new one. This website recorded their Email address and password combination. Since nearly everyone at the organization uses their phones or applications with stored passwords, the employees didn’t enter their password with any regularity, and didn’t notice that it was odd that they weren’t prompted to change it elsewhere. So, the phishermen now had access to multiple employees’ Email accounts, which included all of their historical email. In cases like the Sony hack or the DNC’s, the treasure the phishermen were after was the email itself. In this case, it was the ability to send emails out from the account that were indistinguishable from the actual individual’s. The phishermen didn’t rush – they did their research and crafted expertly formed requests. The Emails they sent out as our victim had a lot of things going for them – the email signature matched. A common tell is when it doesn’t. The font and color choices matches as well. Even the tone of the writing was close enough. They’d actually gone through the individual’s history and found the kinds of repeated transactions that wouldn’t draw attention. The phisherman even concocted an email thread between other individuals within the company talking about it, so that it looked like it’d passed by a large number of eyes before it was forwarded on to our mark, just asking the recipient to process the transfer. It was disturbingly normal, and that was the purpose – just a regular transaction, sent at the beginning of the work day. As you’d expect, however, the routing number didn’t belong to the client – it directed the cash out of the country. The phisherman even did their best to cover their tracks the day they sent the request. They also created a rule within Outlook so that any Email sent to the victim would automatically get filtered into the deleted mail folder, where the phisherman could read it before transferring it into the inbox and marking it as unread, or responding as our victim. They did their best to be invisible. But think about it for a second — there was someone else in the world, probably nervous and excited, reading this employee’s email as it came in, and probably watching their bank account waiting for the wire to show up.
It was smart, thoroughly researched plan. It was so smart it only failed because the account they’d chosen to pull the money from didn’t have enough money to cover the wire. It was six figures, and that wasn’t an unreasonable sounding request for this organization. Six figures is certainly enough of an incentive to go through this level of commitment and deception. In further research, I can tell you the phisherman also sent out email to other companies my client had done work with, requesting wire transfers from them as well, but they were met with the appropriate skepticism. I think those were hail marys, sent after the first attempt failed. In total, I almost admire the intricacy.
For the companies I’ve assisted in untangling these phishing attempts, the benefit is that they are finally open to using mult-factor authentication and have usually changed the policies to match the recommendations I started making years ago, when the attempts were much less sophisticated. But often the diligence grows lax over time, and their frustration with the extra measures means it doesn’t always continue.
In my last few years in the industry, I’m aware of a half-dozen attempts on the companies I’ve worked with. I will tell you that one was successful, though much smaller than what I’ve detailed here. Most of them have been handed off to the FBI, but that is up to the discretion of the victim. I’m not sure what happens to them after that. But all I can think is that I’ve seen the phishermen fund themselves for another year to take their time with the research required to successfully spear phish. Or maybe they fund themselves and a terrorist organization. I really don’t know, and I’m not at liberty to tell you the additional sparse details that I do know.
Okay, here’s where the speculation starts. The Sony and DNC hacks were spear phishing operations largely designed to embarrass, discredit, and fill the organizations with uncertainty and fear. The ones I’ve seen are about simply making money. But, what if their purpose was instead to gain influence? Imagine this – some organization uses all of these techniques to hijack an account of a Congressman’s assistant. The phisherman might not even use the victim’s Email, but instead, simply put someone else in their organization on the congressmen’s calendar, or delete the appointments of their rivals. The congressman and staff have enough going on, that it wouldn’t be that odd for a meeting with a foreign lobbyist no one really remembers making gets scheduled. This is especially true if it’s about something that mostly matches the congressman’s current stance. They could use the access to just push their agenda slightly.
It gets scarier. Imagine that the congressman is also compromised. His assistant gets an Email asking for the meeting to be made, with a reasonable Email thread behind it that includes other, mostly reasonable information. Or, the phisherman could send out email to individuals in the same committee as our victim, pushing for a specific vote or consideration of a bill that’s on the table. Or an alteration to that bill to change some quote-unquote unclear wording, that the phisherman may have had a hand in crafting. It only gets scarier. Our phishermen could use Adobe’s VoCo, or some similar software, to emulate a congressman’s voice saying what they want him to say just by utilizing the audio delivered on C-SPAN to build their library. It’d be especially easy to do with politicians who’ve had more time in the media. Then, the phishermen could find another congressman’s phone number, and by looking at a shared calendar, know when he won’t be available to answer, and use that time to leave him a voicemail, emphasizing the email the phisherman had already sent. It’d be some convincing verification across multiple forms of communication.
Because, even compared to hundreds of thousands or even millions of dollars, influence could matter so much more. Maybe our phishermen’s country wants a trade deal, or sanctions lifted. Or maybe they’d just want to push controversial issues domestically so that their actions around the world are largely ignored.
An intelligent and diligent IT staff can’t prevent all of this. Even when they try, an IT staff certainly can’t make everyone constantly diligent, or skeptical, or even follow best practices. All of this potential terrifies me. I don’t know that it is happening or that it has ever happened, but I fully understand that it can happen right now, and we might have no idea.